SMA, cyber threats and Mifid

The week on Risk.net, June 23–29 2017

SMA alternative not a success

CYBER THREAT AND SMA hot topics at OpRisk conferences

MIFID DISCLOSURE fails to impress buy side

 

COMMENTARY: Keeping up with cyber

Our Operational Risk conferences in London and New York this month were once again dominated by discussion of cyber risk, still justifying its place as the top operational risk of 2017 (and for that matter 2016). Then, just as the New York conference finished, yet another malware outbreak hit the headlines. The WannaCry ransomware in May affected systems in more than 150 countries, costing billions for victims from Chinese universities to the UK National Health Service.

Hot on the heels of WannaCry comes a successor with disturbing similarities. The latest epidemic is so far centred in Ukraine, though it has spread to major companies abroad such as Maersk Shipping. It appears to be ransomware as well, one of a family of similar programs (including WannaCry and Petya, to which it bears a very close resemblance) based on a collection of exploits hoarded by the US National Security Agency and leaked by an anonymous hacker possibly related to the Russian government. Some experts point out, however, that the authors seem remarkably uninterested in actually collecting the $300 bitcoin ransom demanded from each victim, suggesting it may be a state-sponsored (and possibly Russian) cyberweapon masquerading as ransomware, and should probably in that case be called NotPetya.

I apologise for the complexity of that last sentence, but if your head started to buzz a bit while you were reading it you weren’t the only one. And this really is the core of the problem when it comes to cyber risk.

It’s not just that insurance is proving largely ineffective in the face of the massive and potentially business-ending losses a major cyber attack could cause (though it is). Or that the potential losses are set to rise still further once EU rules on data protection come into force. Or that banks (though overall doing well) are still being worryingly haphazard about installing the kind of patches that protect against attacks such as WannaCry and Petya/NotPetya. Or even that the target recovery time from a cyber attack, according to US regulators, is just two hours.

The real problem, from a risk management point of view, is that the cyber threat is evolving very rapidly. Past experience has only very limited value, either for defence planning or for risk modelling and underwriting, leaving risk managers struggling to deal with ever-increasing volumes of irrelevant information, and modellers without the kind of loss data they need to produce their estimates. Ransomware had virtually died out as a threat due to the difficulty of collecting the ransom payment without being tracked by law enforcement – the growth of bitcoin and other anonymous currencies has solved that problem and brought about an explosion in the ransomware industry, and even the emergence of “ransomware as a service”. The years to come will bring more radically different and unexpected cyber threats. Judging by the recent growth of high-profile incidents, this is a war the aggressors are winning.

 

STAT OF THE WEEK

A $1 billion interest rate swap with a remaining maturity of seven years would have a potential future exposure (PFE) of $15 million. Adopting the settled-to-market approach for the same swap would cut PFE to $5 million. One bank estimated it could deliver a 25% cut in capital.

 

QUOTE OF THE WEEK

“The CCAR focus is on saying you have to understand all your material risks. Absolutely you need to understand all of that, but you don’t want to forget about the risks that are currently deemed immaterial. Maybe that immaterial risk is tomorrow’s material risk, or maybe collectively some of your immaterial risks, if they have similar drivers, could become a material risk” – Mike Rachlin, BNY Mellon
