The bluntness of the Basel Committee on Banking Supervision’s revised approach to calculating operational risk capital could leave banks undercapitalised against a rise in future losses from cyber attacks, risk managers at Asia-Pacific banks fear. Some even argue the new method could disincentivise banks to quantify such exposures.
One of the major determinants of a bank’s op risk capital under the standardised measurement approach (SMA) is its losses from past op risk breaches. Yet with realised losses from cyber attacks among Apac banks relatively low, many argue this approach is inherently flawed. The new method precludes the use of scenario analysis in calculating op risk capital requirements – a key part of current cyber risk quantification practices under the current own-models approach, and one that has encouraged banks to invest heavily in internal op risk modelling capabilities.
Both of those facets combined could lead to a dangerous weakening of cyber risk management standards when the SMA comes into force from 2022 – something banks should be vigilant against, says Stuart Williams, head of operational risk for Asia markets at ANZ in Hong Kong.
“The SMA, as a formula, has zero benefits for encouraging structural analysis for cyber risk quantification,” says Williams. “With the advanced measurement approach (AMA), you can actually apply scenarios when you’re analysing different types of cyber threats. But regardless of the regulatory capital framework, it is possible to put a dollar range on all types of cyber risks, even tail-end events,” he says.
Under the AMA, banks are permitted to use four different inputs to determine capital requirements: internal loss data, external data, scenario analysis, and business environment and internal control factors (BEICF). Basel acknowledges that, in the case of business lines with a fat-tailed loss distribution and a small number of observed losses, scenario analysis and BEICF may play a more dominant role in the risk measurement system.
But the SMA does away with these freedoms in favour of a rigid approach, which sets a bank’s required op risk capital largely according to its size. This is then scaled according to its average losses over the past decade.
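To make concrete how the SMA ties capital to size and realised losses, and why banks with few recorded cyber losses end up holding less, here is a worked calculation. It is an added illustration, not something from the article or from any bank quoted in it. The bucket coefficients (12%, 15%, 18%), the loss multiplier of 15 and the ILM formula are taken from the Basel III finalisation text as I know it; the article does not state them, so treat them as an assumption to check against the current standard. All bank figures are constructed.

```python
"""Worked illustration of the Basel III standardised (SMA) operational risk
capital calculation.

Formula and coefficients are an assumption based on the Basel III finalisation
(Dec 2017), not on the article. Bank figures are constructed for the example.
"""
import math

# Marginal Business Indicator buckets in EUR: (upper bound, coefficient).
# Each slice of BI is charged at its own bucket's coefficient.
BI_BUCKETS = [(1e9, 0.12), (30e9, 0.15), (math.inf, 0.18)]


def business_indicator_component(bi: float) -> float:
    """BIC: the size-driven part of the charge, applied marginally by bucket."""
    bic, lower = 0.0, 0.0
    for upper, coeff in BI_BUCKETS:
        if bi <= lower:
            break
        bic += (min(bi, upper) - lower) * coeff
        lower = upper
    return bic


def loss_component(annual_losses: list[float]) -> float:
    """LC = 15 x average annual op-risk loss over the look-back window
    (ten years under Basel; the list is whatever history is supplied)."""
    return 15 * sum(annual_losses) / len(annual_losses)


def internal_loss_multiplier(lc: float, bic: float) -> float:
    """ILM = ln(e - 1 + (LC/BIC)^0.8).  Equals exactly 1 when LC == BIC,
    falls below 1 when realised losses are small relative to size."""
    return math.log(math.e - 1 + (lc / bic) ** 0.8)


def sma_capital(bi: float, annual_losses: list[float]) -> float:
    """Operational risk capital = BIC x ILM.  Note the inputs: size and
    realised losses only; there is no slot for scenario analysis."""
    bic = business_indicator_component(bi)
    return bic * internal_loss_multiplier(loss_component(annual_losses), bic)


def compare_two_banks() -> dict:
    """Two constructed banks of identical size (BI = EUR 2bn)."""
    bi = 2e9
    steady = [18e6] * 10          # EUR 18m of op-risk losses every year
    quiet = [1.8e6] * 10          # EUR 1.8m a year: few realised cyber losses
    # A tail cyber event (EUR 200m, constructed) only enters the formula
    # once it has actually happened and sits in the loss history.
    after_event = [1.8e6] * 9 + [200e6]
    return {
        "steady": sma_capital(bi, steady),
        "quiet": sma_capital(bi, quiet),
        "quiet_after_event": sma_capital(bi, after_event),
    }


if __name__ == "__main__":
    for name, orc in compare_two_banks().items():
        print(f"{name:>18}: EUR {orc / 1e6:,.1f}m capital")
```

Running it shows the two identically sized banks differ by roughly a third in required capital purely because one has recorded more losses, and that a scenario-sized cyber loss changes the number only after it materialises, which is the mechanism the risk managers above are objecting to.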
Bharan Guntupalli, who heads operational and enterprise risk for a large publicly listed Indian bank, says the SMA is a problematic tool for calculating cyber-related op risk capital. His bank is switching from the old standardised approach under Basel II, but has been doing parallel runs with the AMA to calculate op risk capital for several years.
Under the AMA, his bank uses internal loss data for risk modelling. At the same time, he uses external loss data for scenario analysis when quantifying cyber risk.
“We are able to see the potential impact from using this analysis. We have inputted the impact of regulatory fines, external event losses, then we estimate the potential loss. That becomes critical input in our business capital model. This is also important when you’re taking out a cyber risk insurance policy,” he says.
Modelling cyber risk is notoriously difficult in any event, op risk practitioners say, primarily because of the difficulty in predicting the frequency of attacks and the severity of losses, and the non-linear relationship between risk controls and losses.
The lack of a universally used approach in measuring cyber threats has prompted risk managers to apply solutions that are unique to a specific bank’s needs. Some prefer to use scenario analysis, which requires a great deal of subjective interpretation; others, projections driven by purer forms of modelling.
Risk managers face challenges in assessing cyber risk at both ends of the probability distribution. More common threats include breaches involving consumer data, malware, ransomware, or an isolated incident such as a distributed denial of service attack. At the other extreme are so-called zero-day attacks – external threats that exploit previously unknown weaknesses in a bank’s defences, to catastrophic effect.