IDEAS home Printed from https://ideas.repec.org/a/nzb/nzbbul/feb20202.html
   My bibliography  Save this article

Cyber incident cost estimates and the importance of building resilience

Author

Listed:

Abstract

Cyber resilience is the ability to withstand, contain, and rapidly recover from a cyber incident by anticipating and adapting to cyber threats and other relevant changes in the environment. With the development of digitalisation, the financial sector enjoys more opportunities to improve customer experience and drive efficiency. The flip side is an increasing exposure to cyber risk due to ever-evolving cyber threats, the contagion effects of cyber incidents, a shortage of cybersecurity professionals, and increasing outsourcing to third parties. These developments pose both ongoing and new challenges for firms as they must constantly invest in maintaining their desired level of cyber resilience. Cyber risk imposes costs upon the financial sector, not only for financial institutions but also for their customers and the financial system as a whole. These costs include both direct costs from financial loss and indirect costs such as reputational damage and the opportunity cost from foregoing more productive investment. A good understanding of these costs is important in order to raise general awareness and to inform decisions around the management of cyber risk. Estimating these costs, however, is not easy. The fast-evolving nature of cyberattacks, a lack of historical data and the difficulty of quantifying the adverse impact on customer confidence and financial stability all mean that robust and reliable cost estimates are difficult to establish. This article draws on two internationally recognised methods to shed more light on the potential cost that cyber risk poses to the banking and insurance sectors in New Zealand. The first method is a bottom-up approach that uses firm specific data from abroad which is then extrapolated to New Zealand. The second method uses top-down analysis, linking the cost of cyber incidents to GDP. Both methods rely on historical survey information, assumptions and expert judgment, and neither method takes into account extreme events that have a low probability but are still plausible, i.e. black swan events. There are also some definitional discrepancies to contend with.

Suggested Citation

  • Rosie Collins & Cavan O’Connor-Close & Aria Zhang, 2020. "Cyber incident cost estimates and the importance of building resilience," Reserve Bank of New Zealand Bulletin, Reserve Bank of New Zealand, vol. 83, pages 1-17, February.
    • Handle: RePEc:nzb:nzbbul:feb2020:2
    as

    Download full text from publisher

    File URL: https://www.rbnz.govt.nz/hub/-/media/project/sites/rbnz/files/publications/bulletins/2020/rbb2020-84-02.pdf
    Download Restriction: no
    ---><---

    References listed on IDEAS

    as
    1. Martin Eling & Werner Schnell, 2016. "What do we know about cyber risk and cyber risk insurance?," Journal of Risk Finance, Emerald Group Publishing Limited, vol. 17(5), pages 474-491, November.
    2. Bauer, Johannes M. & van Eeten, Michel J.G., 0. "Cybersecurity: Stakeholder incentives, externalities, and policy options," Telecommunications Policy, Elsevier, vol. 33(10-11), pages 706-719, November.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Anneke Kosse & Zhentong Lu, 2022. "Transmission of Cyber Risk Through the Canadian Wholesale Payment System," Staff Working Papers 22-23, Bank of Canada.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Mazaher Kianpour & Stewart J. Kowalski & Harald Øverby, 2021. "Systematically Understanding Cybersecurity Economics: A Survey," Sustainability, MDPI, vol. 13(24), pages 1-28, December.
    2. Matteo Malavasi & Gareth W. Peters & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang & Georgy Sofronov, 2021. "Cyber Risk Frequency, Severity and Insurance Viability," Papers 2111.03366, arXiv.org, revised Mar 2022.
    3. Ulrik Franke, 2020. "IT service outage cost: case study and implications for cyber insurance," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 760-784, October.
    4. Xiaoying Xie & Charles Lee & Martin Eling, 2020. "Cyber insurance offering and performance: an analysis of the U.S. cyber insurance market," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 690-736, October.
    5. Farkas, Sébastien & Lopez, Olivier & Thomas, Maud, 2021. "Cyber claim analysis using Generalized Pareto regression trees with applications to insurance," Insurance: Mathematics and Economics, Elsevier, vol. 98(C), pages 92-105.
    6. Ulrik Franke, 0. "IT service outage cost: case study and implications for cyber insurance," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 0, pages 1-25.
    7. Zängerle, Daniel & Schiereck, Dirk, 2022. "Modelling and predicting enterprise‑level cyber risks in the context of sparse data availability," Publications of Darmstadt Technical University, Institute for Business Studies (BWL) 136276, Darmstadt Technical University, Department of Business Administration, Economics and Law, Institute for Business Studies (BWL).
    8. David M. Pooser & Mark J. Browne & Oleksandra Arkhangelska, 2018. "Growth in the Perception of Cyber Risk: Evidence from U.S. P&C Insurers," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 43(2), pages 208-223, April.
    9. Gareth W. Peters & Matteo Malavasi & Georgy Sofronov & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang, 2022. "Cyber Loss Model Risk Translates to Premium Mispricing and Risk Sensitivity," Papers 2202.10588, arXiv.org, revised Mar 2023.
    10. Caroline Hillairet & Olivier Lopez, 2021. "Propagation of cyber incidents in an insurance portfolio: counting processes combined with compartmental epidemiological models," Post-Print hal-02564462, HAL.
    11. Wade, Megan, 2021. "Digital hostages: Leveraging ransomware attacks in cyberspace," Business Horizons, Elsevier, vol. 64(6), pages 787-797.
    12. Eric Dal Moro, 2020. "Towards an Economic Cyber Loss Index for Parametric Cover Based on IT Security Indicator: A Preliminary Analysis," Risks, MDPI, vol. 8(2), pages 1-12, May.
    13. Maik Dehnert, 2020. "Sustaining the current or pursuing the new: incumbent digital transformation strategies in the financial service industry," Business Research, Springer;German Academic Association for Business Research, vol. 13(3), pages 1071-1113, November.
    14. Meier, Samira & Rodriguez Gonzalez, Miguel & Kunze, Frederik, 2021. "The global financial crisis, the EMU sovereign debt crisis and international financial regulation: lessons from a systematic literature review," International Review of Law and Economics, Elsevier, vol. 65(C).
    15. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    16. Caroline Hillairet & Olivier Lopez, 2020. "Propagation of cyber incidents in an insurance portfolio: counting processes combined with compartmental epidemiological models," Working Papers hal-02564462, HAL.
    17. Frank Cremer & Barry Sheehan & Michael Fortmann & Arash N. Kia & Martin Mullins & Finbarr Murphy & Stefan Materne, 2022. "Cyber risk and cybersecurity: a systematic review of data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 47(3), pages 698-736, July.
    18. Spencer Wheatley & Annette Hofmann & Didier Sornette, 2021. "Addressing insurance of data breach cyber risks in the catastrophe framework," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 46(1), pages 53-78, January.
    19. M. Martin Boyer, 2020. "Cyber insurance demand, supply, contracts and cases," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 559-563, October.
    20. Alain Mermoud & Marcus Matthias Keupp & Kévin Huguenin & Maximilian Palmié & Dimitri Percia David, 2019. "To share or not to share: A behavioral perspective on human participation in security information sharing," Post-Print hal-02147702, HAL.

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:nzb:nzbbul:feb2020:2. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Reserve Bank of New Zealand Knowledge Centre (email available below). General contact details of provider: https://edirc.repec.org/data/rbngvnz.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.