P2.T9.901. Cyber Risk, Market Failures, and Financial Stability (Part 2 of 2)

Nicole Seaman

Director of FRM Operations
Staff member
Learning objectives: Evaluate the appropriateness of current regulatory frameworks and supervisory approaches to the reduction of systemic risk. Evaluate measures that can help increase resiliency to cyber risk.


901.1. In their paper Cyber Risk, Market Failures, and Financial Stability, Kopp, Kaffenberger, and Wilson explain there is significant uncertainty surrounding the potential financial impact of cyber events, in terms of both relatively well-understood direct costs (e.g., the cost of forensic investigation, legal assistance, customer notification, post-breach customer security/credit protection and post-event measures to strengthen cybersecurity) and also less visible, long-term indirect costs (e.g., negative effects on brand name and customer relationships, depreciation of intellectual property value, higher ongoing operational expenses and the impact of a given incident on future cyber insurance premiums). These realities help to frame a compelling case for companies' need to employ a threat identification process which identifies, analyzes and evaluates cyber risks; such active risk management is crucial to ensure that cybersecurity-related measures are appropriate for, and commensurate with, the underlying risks.

In this context of the need for active cyber risk management, each of the following statements is true EXCEPT which is not accurate?

a. Third-party service providers with indirect intermediary liability helps to solve the problem of non-identifiable perpetrators
b. Cyber liability insurance is structured to transfer indemnifiable first-party losses (i.e., direct and possibly indirect costs) and third-party losses, including third-party liability
c. The accurate pricing of cyber risk and liability insurance is challenging due to the complexities of risk aggregation and risk correlations in the context of an immature, concentrated industry that lacks developed actuarial modeling techniques
d. Cyber risk management is uniquely different than traditional risk management (i.e., market, credit, and operational risk management) because the discipline does not have available the basic options of risk avoidance, risk reduction and risk transfer

901.2. According to Kopp et al, "Regulation of the financial services sector aims to promote long term economic growth and minimize the costs and negative externalities from financial instability. A stable financial system is a prerequisite for a well-functioning economy that supports economic growth. In a stable financial system, institutions and markets will function, prices will reflect fundamentals and short-term stresses and fluctuations will only affect a limited circle of participants. To remain effective, however, regulation may need to adapt to new technological developments and risk factors such as cyber risk. Given the pervasive role of technology in finance, regulators have established minimum standards for management of IT-related risks. An established regulatory framework for IT-related risks applies to the majority of financial services firms ... "

In regard to the current regulatory frameworks and supervisory approaches to the reduction of systemic risk, each of the following statements is true EXCEPT which is inaccurate?

a. In most regulatory frameworks, cyber risk is classified as a sub-class of market risk, specifically exogenous market risk
b. The regulatory architecture includes the following sectors: Securities (IOSCO), Financial Market Infrastructures (CPMI), Banks (BCBS), and Insurers (IAIS)
c. The Group of Seven (G7) developed a set of seven fundamental elements: Cybersecurity Strategy and Framework; Governance; Risk and Control Assessment; Monitoring; Response; Recovery; and Information Sharing
d. U.S. authorities have stepped-up the focus on cyber resilience through targeted risk management standards and supervisory intensity for banks; since 2013, U.S. banks include cyber risks and operational risks in the scenarios they submit in their annual stress tests

901.3. In regard to the evaluation of measures that can help increase resiliency to cyber risk, which of the following statements is TRUE (according to Kopp et al)?

a. Existing regulatory architecture has finally matured and is generally sufficient for "approximately the next five years"
b. Cybersecurity risk needs to be managed with a balance of both ex-ante regulation and ex-post liability
c. Given the abundance of standardized cyber risk loss data, the role of scenario analysis has been diminished
d. In regard to addressing idiosyncratic risk by reducing access vulnerabilities, a key challenge is that, even on very basic problems, different security experts propose different action items

Answers here: