Cybersecurity Risk and Lessons Learned from Credit and Market Risk Quantification

January 16, 2020  Steven Tabacek

Formalization of cybersecurity reporting using the industry standard Factor Analysis of Information Risk (FAIR™) mirrors the early adoption of credit and market risk reporting.

It seems quite ludicrous to think that, at one time, credit and market risk analysts used subjective assessments instead of formal quantification models. Today, regulators and stakeholders require credit and market risk to be quantified and reported using industry accepted and regulatory approved models. Let us explore some of the credit and market risk reporting origins and then learn why the marketplace is quickly adopting cyber risk quantification reporting methods.

Credit Risk

In 1998, the Journal of Banking and Finance published a paper describing the previous 20 years of credit risk measurement and reporting. The origins of credit risk reporting relied exclusively on subjective analysis or banker “expert” systems to assess credit risk.

Risk managers used information such as borrower character (reputation), capital (leverage), capacity (volatility of earnings), and collateral, the 4 “Cs” of credit, to reach a largely subjective judgement as to whether or not to grant credit.

Steve Tabacek is Co-Founder and President of RiskLens

It is well documented in papers throughout the 90’s, like Somerville and Taffler (1995), that these “expert” subjective ratings were wildly inaccurate, at times overly pessimistic and other times too optimistic about corporate risk. In the late 90’s, several factors such as the worldwide increase in the number of bankruptcies, declining value of real assets (collateral), growth of off-balance sheet instruments with inherent default risk exposure, and the ability for consumers to invest directly in the securities market, drove the marketplace and then regulators to implement objective risk measurement instruments. Subjective analysis was obviously not reliable enough to maintain stakeholder or regulator confidence.

Today regulation requires objective quantitative measurement, analysis, and reporting. The benefits have had significant positive results for consumers, businesses, and shareholders.

Market Risk 

Like credit risk, market risk also experienced a subjective-to-objective maturity curve.

Since 1997, the Federal Reserve has required U.S. holding companies to analyze and report on market risk and make those reports available to the public. This requirement is meant to detail a company’s exposure to financial risk. Sources of market risk include recessions, political turmoil, changes in interest rates, natural disasters, and terrorist attacks.

Publicly traded companies in the United States are required by the Securities and Exchange Commission (SEC) to disclose how their productivity and results may be linked to the performance of the financial markets. Regular reporting in the U.S. takes place quarterly, and banks are expected to manage risk in their trading book daily to ensure capital requirements are being met.

In September of 2017, Nasdaq published a white paper discussing the transition from subjective to objective risk management. In the paper’s opening paragraph, it notes that subjectivity plays an important, yet dangerous role in risk management.

Subjective perspectives are formulated from the unique knowledge, experiences and, unfortunately, biases in the mind of the analyst. Subjectivity in market risk led to inefficient, unpredictable, and ineffective risk management which negatively affected stakeholders. The outcome resulted in increased risk program oversight by executives, boards, auditors, and regulators.

Today, market risk programs employ the value-at-risk (VaR) method. VaR modeling is a statistical risk management method that quantifies an asset’s potential loss as well as the probability of that potential loss occurring.

With both credit and market risk, we have noted a transition from unstructured subjective assessments which led to marketplace instability and unpredictability to regulatory oversight-driven structured objective risk assessment methodologies. Government regulatory bodies now have clear expectations for credit and market risk reporting.

Lessons for Cybersecurity Risk

This is a good point to reflect on the lessons learned from credit and market risk maturity when designing cybersecurity risk management programs.

Over the past ten years, cybersecurity risk has also proven to have had devastating financial consequences to consumers, corporate executives, boards, and shareholders. This has squarely put corporate cyber/technology risk programs in the cross hairs of regulators. How many consumers, businesses, and shareholders need to experience significant financial losses before regulators require objective risk measurement, assessment, structured mitigation, and reporting?

Apparently, the time is now. In February, 2018, the SEC adopted the Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures. “I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors,” said SEC Chairman Jay Clayton. “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”

Applicable to cyber/tech risk fiduciary responsibility, the SEC 2018 Guidance focuses on these key areas:

1. Pre-Incident Public Disclosure: prior incidents, probability and probable magnitude of future incidents, limitations of the company to prevent or mitigate risk, third-party risk disclosure, potential for reputational harm, and legal risk and cost of enforcement actions by other regulatory bodies.

2. Board Oversight: When deemed material, proxy statements contain disclosures about a board’s role and engagement in cyber risk oversight. Additionally, cyber risk disclosures be reflected in risk factor disclosures MD&A, description of business, disclosure of legal proceedings, and financial reporting.

3. Controls and Procedures: Guidance on disclosure controls and procedures to ensure that cyber risk and incident information is processed and reported up the ladder so that senior management can make informed disclosure decisions and compliance certifications.

Cybersecurity risk has affected the marketplace with the same expediency of the developing digital economy. If your company hasn’t adopted objective-based quantitative risk measurement, assessment, risk-prioritized mitigation, and reporting, maybe here’s a reason to take this seriously; In 2018 alone, the Cyber Unit at the SEC brought 20 stand-alone cases related to cybersecurity, and as of 2019 has 225 cyber-related investigations that it deems “ongoing.” Regulatory oversight has teeth! Enforcement actions were issued to include a $35M settlement over the Yahoo! data breach. Several other stand-alone cases are under review and included in the agencies Cyber Enforcement Actions.

The SEC is not the only regulatory body protecting consumers and stakeholders. FTC’s enforcement has cost Equifax a $425M settlement to help people affected by their data breach. Equifax is not the exception, but one of many data security cases within the FTC’s Enforcement register.

Responsibility for cybersecurity risk programs starts at the top with the Board and C-Suite, but within most organizations, the CFO, Chief Risk Officer, Chief Operational Risk Officer, or CIO assign the risk management responsibility directly to the CISO or Chief Technology Risk Officer. Whatever the org structure, the person who is ultimately responsible for cybersecurity risk needs to advance from subjective high-medium-low, or 1-5 ordinal scale assessments to a quantitative risk assessment that enables well-informed reporting and risk mitigation decisions.

If this is your role, or you’re on a Board or in a senior leadership position, ask your peers within the FTC’s Cases & Proceedings about the repercussions for not meeting FTC or 2018 SEC Guidance.

In summary, the lessons learned from subjective to objective credit and market risk measurement, assessment, and analysis apply directly to cybersecurity risk. Unlike credit and market risk, the growth rate of the digital economy is forcing a more rapid advancement and maturity of cyber and technology risk management practices. As proved by numerous 2018 and 2019 enforcement actions by federal and state regulatory agencies, and the substantial fines awarded in civil case law, accelerated fiduciary responsibility for cybersecurity risk management should be your imperative.

At this point it’s only appropriate that I provide you some direction on how to accelerate building your corporate cybersecurity risk program that will meet and exceed regulatory expectations. Here are some resources on building an objective-based quantitative risk management program:

FAIR Institute