According to an International Monetary Fund (IMF) modelling exercise, losses to financial institutions from cyberattacks could reach hundreds of billions of dollars per year.
Risk modelling for cybersecurity is still a developing field, as we’ve discussed before, particularly in relation to cyber insurance.
The relative lack of statistical data in the area makes it challenging to accurately predict the potential losses from a cyberattack, and the stakes are still changing – as customers and clients become more aware of cybersecurity, and as new regulations (and fines) are introduced, the cost of a successful attack could increase substantially.
The IMF’s exercise used a data set covering recent losses due to cyberattacks in 50 countries, together with techniques from actuarial science and operational risk measurement, to estimate aggregate losses from cyberattacks.
Its results show that on average, potential annual losses from cyberattacks could be around 9% of banks’ global net income – around $100 billion.
In “a severe scenario”, losses could be up to 3.5x as high, ranging from about $270 billion to $350 billion. In a worst-case scenario, modelled from the worst 5% of cases, the IMF’s exercise found that losses could be as much as half of banks’ net income.
While that’s a considerable range, and it’s unlikely that the worst-case scenario would be seen frequently, even the more conservative $100 billion estimate considerably outweighs current cyber insurance premiums.
Losses of this magnitude would be nothing to sniff at, even for a big-name bank, and the knock-on effects could cause even more damage and disruption in the financial sector and in the economy more generally.
The report closes with a recommendation that more complete and granular information be collected about the frequency and impact of cyberattacks. With more detailed information available, better risk modelling can be carried out, allowing organisations to prepare their defences and their response plans more effectively.
The IMF also suggests that in order to improve their cyber resilience, organisations – and financial institutions in particular – should focus on effective supervisory practices, realistic vulnerability and recovery testing, and contingency planning. Given the increasing difficulty of plugging every vulnerability in an organisation’s defences, a solid response plan that can mitigate the damage caused by a successful attack is crucial.