Cyber Risk Quantification – Challenges from a Risk Perspective

Yeah, so good morning everybody, and thank you very much for being here. Yeah. So I'm z Shiman from Comat Bank. I'm the division head as mentioned for cyber risk and non-financial risks and non-financial risks in, in this context means the operational risks and the, the internal control system. This is what is covered under non-financial risks at the moment at Com Bank. And yeah, on the cyber risk side, I'm covering the topics like pen testing and, and forensics. And yeah, today I would like to talk about the cyber risk quantification and the challenges we have at the moment with that. And I would like to start with a question to you. So how much is your cyber risk? So who of you has been asked this by your CEO or CIO?
Yeah, so I have been asked this as well around about three years ago, and we had com bank then decided to start a pilot on our cyber risk quantification and try to look for a methodology on, on that. And of course the cyber risk quantification does not end with a, yeah, let's say single figure of our risk. But of course several questions after that arise, especially for banks, if you're thinking about capital requirements, for example. And yeah, then you've got the question how the cyber exposure you have just quantified could be covered by, by capital. And I would like to take you with me on this journey we did in the past and where we are now and what are the yeah, still existing challenges on that, so, okay. Yeah, modeling cyber risk is, is, is hard. I think everybody knows about that. And the, the point is you've got just limited historical data. Yeah. So you do, do not have a proof for your, for your risk. So there's just little known white swans at the moment. And yeah, you can imagine the probability of occurrence of a cyber event is typically very low, but if the event occurs, then it's probably a huge loss. And so that means especially little knowledge about black swans
And the events normally are not statistically independent. They occur in clusters. So if an attacker has just gotten an, a company an objective where he's successful, then he normally sticks to this objective and stays as long as, yeah, there might be mitigation measures in place or maybe he runs out of, out of resources. And of course, yeah, supply chain risk, they are very, very difficult to identify because it's one step further. So you have to get in touch with your suppliers and of course you have to get and grab some information from them, which, which is of course more difficult than getting the information at your own company.
So yeah, everybody I think knows about those kind of, of heat maps. And I think most managers like to have this kind of heat maps because they are just a, a, a good picture to get to know from a traffic light logic where you've been, do you have a red light or a green light? But of course the questions still stays. So how can you empower your, your management to make informed decisions from those kind of heat maps? And so therefore you have to, you have to go the way to just quantify the risk and come to approach where you have, for example, a range of, of values for the risk or a most likely value of your risk. And this is what we wanted to have and what we wanted to do. And we decided for the fair methodology on, on our pilot. And I think there are two crucial things you have to do, or two crucial definitions you have to clarify before you start your quantification versus fair methodology. And that's what I'm just coming right now to. So the first definition is of course, what is risk? And yeah, it's nothing new to you. It's a likelihood times a loss, and then you've got the risk. And if you're in this cyber area, it's the probability or the frequency of occurrence of an, of an event.
And then the second very important definition is the one on the cyber risk scenarios. So you have to first define what is a cyber risk scenario. So yeah, it's the Analyst of the risk associated with the threat breaching the effect of an asset via a method. Yeah. And I would like to explain to you briefly what we define under those for topics and and what kind of Yeah. Threats and assets we put under those definitions to have a cyber risk scenario, which, which you can quantify. So it's I think common sense that we've got something like APT or organized crime groups or hackers on the threat
On the threat side, and they are using ransomware DDoS attacks, data breach or data leakage, things like that. And the effect, I think, yeah, this is common sense, it's the CIA confidentiality, integrity, availability. And I think the most important thing, and the one the mo most difficult to grab is of course the asset. Because you have to define what is your asset at your company in place where you can get the biggest loss. And yeah, for example, you can have people there, you can have processes there, you can have technologies there, and you have to really make a good definition on that to start your quantification.
So I don't wanna bother you with the, the model itself. So maybe some of you already know about the fair methodology, but I would like to let you know what the fair methodology does as a result and how you can come to, to a conclusion or to to first results. So the fair methodology is considering individual scenarios, and I think this is one most important thing on, on this methodology, and that's why you have to have your definitions first on, on this one. And for each and every single scenario, you have to make sure that you've got the, the, the correct assumptions in place, otherwise you are not able to, to make estimations for, for those scenarios. And yeah, the methodology is, as I told you before, in the definition of risk, it's based on the definition of risk, risk and this is the loss event frequency on the one hand side and the loss magnitude on the other hand side. And for both yeah, ways on this tree you have to make estimations and you, you can come along in in this model with some more detailed questions if you do not know the loss, for example, for a asset. But you can have several questions to, to rise to this, to this result.
And the result of, of those two types is the risk and it's done via a loss estimation curve. So this is the result you get when you're going to, to estimate with your subject matter experts, for example, the minimum value and the maximum value, and as well the most likely value for your, for your questions on the loss loss side and on the frequency side. And one more very important thing is that fair follows the motto what is probable, but not what is possible. Yeah. So you do not have any kind of doomsday scenarios in place, but you, you have to make sure that you, you think about things that are probable.
So
Yeah, how, how to come to first results now. So at Commerce Bank we decided on, on the asset side, and I thought you before, this is the most crucial thing, we decided to take over our processes of the bank, the most important processes of the bank, and we defined them as our crown jewels. And that's our asset side. We have to, we had, we had made the estimations on for, for the losses of our cyber risk. And afterwards we defined the scenarios for every and each process we would like to model. And as well on the asset side, we have the, the, the attacker and the method on the other hand side. And that's where the frequency comes in, into, into play. And yeah, we, I think the most important thing in this stage is to be sure that you have a good, a good definition of your scenario and that you have got a good preparation on the workshops you're going to do with your subject matter experts who will do the estimations on the asset side and on the frequency side.
Yeah. And then you go to the workshops, you ask several questions to the, to the experts, you explain how you would like to define your scenarios, and you're have to make sure that they're going to answer the questions on Yeah, the, the loss and, and and the frequency side. And you can imagine it's not that easy because if you're going to ask somebody what is the loss when a ransom where maybe part of your organization and your have to, to, to estimate what loss is on your, on your process, you can ask several experts and they will give you a few answers. So you have to make sure that those workshops are really good prepared and yeah. That you come to a conclusion which gives you results on the calculations, which is done by a Monte Carlo simulation. But the input, this is the most crucial thing on this. Yeah. So what is the possible, the possible use?
So yeah, we can, we can say we've got first indications on our, on our cyber risk, but I think it's still a long way, especially for the questions which still be in the room, for example, on the, on the capital requirements. So I think one key takeaway is this is just a scenario approach. And I say just because you cannot derive the cyber risk for your company with this approach, there's no aggregation possible between those scenarios. So if you imagine that, for example, you've got two, two scenarios and one is going to be materialized, then maybe you've got some mitigation measures in place when you've been attacked. And then the other scenario, for example, changes in in in the risk. Yeah. So this is one example where you're not able to, to aggregate, to aggregate those scenarios. And another example could be when you're thinking about customer churn, for example, then you have of course integrated it into several scenarios, but the customer churn just only happens once.
So you're not able to, to aggregate and add up the scenarios to the cyber risk of your company. So you've got limited historical data as I mentioned before, and you've got dependencies on your subject matter experts. So they have, they have to be, yeah, they have to be really, they have to stick to their processes and they have to be good experts on the, for, for the estimations. And yeah, they have to be, so you have to be prepared on this, on this workshops to get results where you can work with on, so there's no blanket statement about the correlation of scenarios, as I've mentioned already. And there's one thing of course, so the mitigation costs, they can be set against lost potential when you're thinking about your, your scenario results and for example, yeah, the, the highest scenario or the highest result of your scenario, which we have, which you have in place.
So now coming to, to a possible use, yeah, the steering of the risk appetite or the cyber risk in total, as I mentioned before, this may be possible for, for single scenarios, but not as a whole. For, for the company, that would be just as, as a challenge where you have to include more, more data, for example. So as mentioned, the possible level of loss, this should be a thing which can be possible to derive because you can compare, for example, your, your results from your highest scenario to what you really wanna do. And you can try to mitigate some things when you're going to talk about those, those scenarios. And I think this is one of the most important things, the steering of, of the capital requirements. And yeah, I think this is the biggest challenge, and this still exists after our, our journey to the quantification because you've got several options how you would like to, to steer your capital requirements.
So with this methodology, you do not have the possibility to come to a real cyber risk model because as mentioned, you do not have historical data. And historical data are crucial for a cyber risk model. And you can try to integrate your results from your quantification, for example, to your opera risk model. And this is what we are thinking about or what what we've been thinking about. And of course you can try to integrate your views on your scenarios to the existing model, and this is what we already did, but it's just a, a small part, which adds up to, to our operas methodology, and it's probably not possible to, to integrate all the results because although cyber risk and up risk are yeah, let's say similar to each other, you do not have the possibility to add them because, for example, the reputational risk, which are not covered by the risk in, in, in, in the cyber risk area, a, a big driver.
And so you, you, you, you have to change your methodology first to, to add this. And so yeah, the, the, the third option is just to have, to make a, yeah. A guess or estimation and just, yeah, try to think about a buffer, which could be possible, possibly covered by your, by your capital. Yeah. I think one, one more thing which we can derive our results for is the value of a cyber insurance. So of course you've got some more insights when you've done the all those analysis and you can try to find out which could be helpful to be part of your, of, of a cyber insurance with which could be, which should be covered by, by an insurance. Yeah. So just to, to sum it up, I think it's a good starting point to, to try to use this methodology, but of course the journey is not at it's end at the moment because I think the most important thing, and this as a, the historical data are still missing. And I think it's, it's just a journey. So for, yeah, several years until we've got a pool of data available where we can put our estimations as a basis on.