
In 1988, the Morris worm, one of the first major attacks on the internet, was released by Robert Tappan Morris, then a graduate student at Cornell University and an alumnus of Harvard, who later became a tenured professor at MIT. By the start of the current millennium, such events had begun causing damage running into billions of dollars. In the last ten years, cyberattacks have grown to enormous proportions. Prankster hackers in their teens and 20s gave way to corporate-style crime syndicates on the “dark web” with deep pockets, “domain experts”, active underground networks for cooperation, information exchange and the synchronised execution of attacks, often with state patronage. It is not surprising that, today, the CEOs of a large number of Fortune 500 companies identify cyber risk as one of the biggest systemic risks they face. Loss of reputation is perceived to be the biggest threat, followed by fines and penalties, business discontinuity, loss of income/assets, ransom demands, etc. In order to formulate an appropriate strategy to deal with cyberthreats, a company needs to gauge the monetary equivalent of the overall damage it may suffer in the event of a major attack.

Measuring cyber risk is particularly relevant for banks as, being the repositories of money, they are prime targets of cyberattackers. Banks also maintain large databases containing private client information, which can be monetised by cyberattackers. Gaining unauthorised entry into banks’ information networks is often relatively easy as banks undertake a vast array of interconnected cyber operations involving a vast number of customers, counter-parties, third-party vendors and outsourced agencies with less-than-perfect real-time communication. These make banks simultaneously a natural prey and an easy target for cybercriminals.

In the last ten years, a large number of banks, including Bank of America, Citi, JP Morgan Chase, PNC, UBS and Wells Fargo, have been hit by cyber breaches, some of them multiple times. With the progressive strengthening of cyber-risk management by banks in OECD countries, cyberattackers are increasingly focusing on banks in emerging-market countries, including India. Recently, nearly Rs 100 crore was siphoned off from Cosmos Bank. The SWIFT systems of at least four Indian banks have been penetrated by cybercriminals in the last three years. In 2016, a breach at an ATM server compromised 32 lakh debit cards of 19 banks in India. The need for a major revamp of the cyber-risk-management systems of Indian banks, therefore, can hardly be overemphasised. This brings us back to the question of how Indian banks should estimate their cyber-risk exposure.

Risk assessment-based actions form the core of the banking business. Every day, banks use sophisticated models to measure credit and market risk. The results of most such value-at-risk (VaR) type models, however, are useful within narrow ranges and not under extreme conditions. By contrast, major cyber incidents are high-impact, low-frequency events. A variant of the VaR model, known as tail value at risk (TVaR), is sometimes used to assess the impact of extreme events. Factor Analysis of Information Risk (FAIR), a method used mainly to quantify data-loss events in an IT environment, has also been used to measure cyber risk. Other models, including behavioural and parametric ones, baseline-protection models and Delphi (a structured, interactive expert-forecasting method) have also been used to measure cyber risk.

The enormous amount of data that many such models require is often difficult to obtain. Moreover, some of these models fail to capture the dynamics of the financial market and the details of banks’ operating procedures. In response, business-indicator-based risk measurement is gaining prominence. This approach uses the financial statements and operating parameters of banks to incorporate the size and complexity of their operations. A similar approach can be used for cyber-risk measurement in three relatively simple steps.

First, the various components of a bank’s cyber-risk exposure need to be identified. These include direct siphoning off of money, database breach, reputation loss, the cost of revamping IT and information security (IS) after a breach, regulatory fines and penalties, third-party claims, etc. The value or cost of each of these then needs to be calculated using a relevant proxy. For example, the replacement cost of a bank’s database is the maximum risk exposure the bank faces solely on account of a database compromise. Similarly, the total value of digital transactions conducted by a bank can be used as a proxy for the maximum exposure that can arise from direct siphoning off of funds.

Next, one needs to estimate the cyber maturity of the bank. This relates to the bank’s capacity to identify its cyber vulnerabilities, protect against cyberattacks, detect any breach, take steps to mitigate the impact of a breach, and initiate measures to shield against the recurrence of such events. The measure of cyber maturity depends upon, inter alia, the digital set-up (for example, the number of hardware systems connected to a network, the type of network connections, the hosting of system-critical servers, etc), practices (access control, policies on the use of software patches) and other related issues (employee cyber-hygiene, management commitment to cyber-risk management, etc). The bank’s spending on IT, IS, cybersecurity and related areas, measured relative to its size (assets, revenue, operating expenses, market capitalisation, etc), can be used as a proxy for cyber maturity.

Lastly, one needs to assign a ratio for the extent to which a particular type of risk exposure actually materialises during a cyber breach. Such ratios can be derived from past experience. For example, globally, past cyber incidents suggest that during a cyberattack, on average, 3% of the database is compromised. This can be taken as the relevant ratio for database risk exposure in an average cyberattack. There are, however, instances where an attack compromises a substantially higher proportion of the database. For example, in the JP Morgan Chase attack of 2014, nearly 8.3 crore client accounts were compromised. To incorporate the impact of a severe cyberattack, higher values need to be considered.

Combining the three steps described above, one can derive the monetary value of the cyber risk a bank faces. The method is indicative, and the estimate of cyber risk is sensitive to the proxies chosen for the various types of cyber-risk exposure and for cyber maturity, as well as to the assumptions about the ratio at which each risk materialises. Yet, by calibrating the proxies and assumptions, a bank can obtain a fair idea of its cyber-risk exposure under various scenarios. This allows banks to take informed and nuanced views about their risk-management strategy.
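As an added worked example (not code from the article or its author), the three steps above can be combined in a short script that produces an average-case and a severe-case estimate with a per-component breakdown. The article specifies the proxies and the idea of a materialisation ratio but not a combination formula, so everything below is a constructed assumption: the hypothetical bank, all rupee amounts, the 1% spend-to-size benchmark for maturity, the severe-case ratios, and the rule that a fully mature bank loses half as much as a wholly immature one.

```python
# Added worked example, not code from the article. Every figure below (the
# bank's exposures, spend, size, the 1% spend benchmark and the rule that turns
# cyber maturity into a loss reduction) is a constructed assumption.
# Amounts are in Rs crore.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Exposure:
    """Step 1 (an exposure component and its proxy) plus step 3 (its ratios)."""
    name: str
    max_exposure: float   # proxy for the largest loss this component can produce
    average_ratio: float  # share of max_exposure realised in an average breach
    severe_ratio: float   # share realised in a severe breach (assumed, higher)


def maturity_score(security_spend: float, bank_size: float,
                   benchmark_share: float = 0.01) -> float:
    """Step 2: cyber maturity proxied by security spend relative to bank size.

    Assumption: spending benchmark_share (1%) of size or more scores 1.0;
    spending less scores proportionally lower.
    """
    if bank_size <= 0:
        raise ValueError("bank size must be positive")
    return min(1.0, (security_spend / bank_size) / benchmark_share)


def expected_loss(exposures: List[Exposure], maturity: float,
                  scenario: str = "average",
                  max_mitigation: float = 0.5) -> Tuple[float, Dict[str, float]]:
    """Combine the three steps for one scenario.

    Assumed combination rule (the article does not fix one):
        loss_i = max_exposure_i * ratio_i(scenario) * (1 - max_mitigation * maturity)
    so a bank scoring 1.0 on maturity loses half as much as one scoring 0.
    Returns (total, per-component breakdown), both rounded to 2 decimals.
    """
    if not 0.0 <= maturity <= 1.0:
        raise ValueError("maturity must lie in [0, 1]")
    if scenario not in ("average", "severe"):
        raise ValueError("scenario must be 'average' or 'severe'")
    mitigation = 1.0 - max_mitigation * maturity
    breakdown: Dict[str, float] = {}
    for e in exposures:
        ratio = e.average_ratio if scenario == "average" else e.severe_ratio
        breakdown[e.name] = round(e.max_exposure * ratio * mitigation, 2)
    return round(sum(breakdown.values()), 2), breakdown


def top_share(breakdown: Dict[str, float], n: int = 3) -> float:
    """Share of the total carried by the n largest components, i.e. how
    concentrated the estimate is in a few exposure types."""
    total = sum(breakdown.values())
    if total == 0:
        return 0.0
    largest = sorted(breakdown.values(), reverse=True)[:n]
    return round(sum(largest) / total, 3)


# Constructed inputs for a hypothetical mid-sized bank (Rs crore).
BANK_EXPOSURES = [
    Exposure("database compromise",  2000.0, 0.03,   0.50),   # 3% average ratio from the text
    Exposure("direct siphoning",    50000.0, 0.0005, 0.002),  # proxy: value of digital transactions
    Exposure("reputation loss",       800.0, 0.05,   0.25),
    Exposure("IT/IS revamp",          400.0, 0.10,   0.50),
    Exposure("fines and penalties",    15.0, 0.10,   1.00),
    Exposure("third-party claims",    100.0, 0.02,   0.20),
]
BANK_SIZE = 1000.0       # e.g. operating expenses (constructed)
SECURITY_SPEND = 8.0     # constructed; gives a maturity score of 0.8


if __name__ == "__main__":
    maturity = maturity_score(SECURITY_SPEND, BANK_SIZE)
    for scenario in ("average", "severe"):
        total, parts = expected_loss(BANK_EXPOSURES, maturity, scenario)
        print(f"{scenario}: total Rs {total} crore, top-3 share {top_share(parts):.0%}")
        for name, value in sorted(parts.items(), key=lambda kv: -kv[1]):
            print(f"  {name:<22} {value:>9.2f}")
```

With these constructed inputs the severe case comes out roughly nine times the average case; reproducing the 20-30x multiple the article quotes for major attacks would simply need larger severe-case ratios. The useful part of the exercise is the breakdown rather than the total: it shows which proxies and ratios the estimate is most sensitive to, which is where calibration effort should go.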

Calculations based on the model described above suggest that, even under very conservative assumptions, the cyber risk of the Indian banking system falls in the range of Rs 10,000-17,000 crore. The three largest exposures are due to database compromise, reputation loss and the revamping of IT/IS systems after a breach. These three together account for nearly 70% of the overall exposure. This estimated cost, at about 0.2% of the outstanding loans of commercial banks, appears rather paltry against gross NPAs of 11.5% and net NPAs of 5.9% of bank loans. Yet there are serious reasons to be concerned about the cyber risks Indian banks face.

First, the estimates given above are for conservative scenarios. For major attacks the impact can be 20-30 times more pronounced. Second, while for the banking system as a whole the cyber-risk exposure may look insignificant, estimates for certain individual banks suggest a considerably graver impact. Third, in 2017, RBI issued a circular that places the liability for the loss of customer money through cyberattacks almost exclusively on banks. As the impact of this has not yet been reported, the cyber-risk estimates above could not incorporate it. Lastly, extant personal data-protection norms in India are not stringent. Consequently, the costs incurred by banks on litigation and penalties on this count have so far been very low, and this is reflected in the above estimate. The draft Personal Data Protection Bill, 2018, however, proposes that contravention of fiduciary responsibilities for personal-data protection would attract penalties of up to Rs 15 crore or 4% of turnover, whichever is higher. Enactment of the Bill is likely to be a turning point in the cyber-risk exposure of banks.

It is, hence, not surprising that the Indian Banks’ Association is advising banks to buy cyber insurance as part of cyber-risk management.

By Sujan Hajra. Chief Economist, Anand Rathi Group. Views are personal