IDEAS home Printed from https://ideas.repec.org/a/pal/risman/v24y2022i4d10.1057_s41283-022-00095-w.html
   My bibliography  Save this article

Heterogeneity in cyber loss severity and its impact on cyber risk measurement

Author

Listed:
  • Martin Eling

    (University of St. Gallen)

  • Kwangmin Jung

    (POSTECH (Pohang University of Science and Technology))

Abstract

We use the world’s largest publicly available dataset of operational risk to model cyber losses and show that the Tweedie model best fits the cyber loss severity in the financial industry. Three key determinants of loss severity are firm size, contagion risk and legal liability. We also measure the size of risk based on the estimation results and show a large degree of heterogeneity across financial firms. The results are particularly relevant with respect to the recent discussion on simplifying operational risk capital requirements and reiterate the importance of considering individual firm characteristics when modelling operational losses.

Suggested Citation

  • Martin Eling & Kwangmin Jung, 2022. "Heterogeneity in cyber loss severity and its impact on cyber risk measurement," Risk Management, Palgrave Macmillan, vol. 24(4), pages 273-297, December.
    • Handle: RePEc:pal:risman:v:24:y:2022:i:4:d:10.1057_s41283-022-00095-w
    DOI: 10.1057/s41283-022-00095-w
    as

    Download full text from publisher

    File URL: http://link.springer.com/10.1057/s41283-022-00095-w
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.
    File URL: https://libkey.io/10.1057/s41283-022-00095-w?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Eling, Martin & Jung, Kwangmin, 2018. "Copula approaches for modeling cross-sectional dependence of data breach losses," Insurance: Mathematics and Economics, Elsevier, vol. 82(C), pages 167-180.
    2. Farkas, Sébastien & Lopez, Olivier & Thomas, Maud, 2021. "Cyber claim analysis using Generalized Pareto regression trees with applications to insurance," Insurance: Mathematics and Economics, Elsevier, vol. 98(C), pages 92-105.
    3. Jin, Chenglu & Chen, Rongda & Cheng, Diandian & Mo, Sitian & Yang, Ke, 2020. "The dependency measures of commercial bank risks: Using an optimal copula selection method based on non-parametric kernel density," Finance Research Letters, Elsevier, vol. 37(C).
    4. Gareth W. Peters & Pavel V. Shevchenko & Bertrand Hassani & Ariane Chapelle, 2016. "Should the advanced measurement approach be replaced with the standardized measurement approach for operational risk?," Papers 1607.02319, arXiv.org, revised Sep 2016.
    5. Aldasoro, Iñaki & Gambacorta, Leonardo & Giudici, Paolo & Leach, Thomas, 2022. "The drivers of cyber risk," Journal of Financial Stability, Elsevier, vol. 60(C).
    6. Pasquale Cirillo & Nassim Nicholas Taleb, 2016. "Expected shortfall estimation for apparently infinite-mean models of operational risk," Quantitative Finance, Taylor & Francis Journals, vol. 16(10), pages 1485-1494, October.
    7. Caporale, Guglielmo Maria & Kang, Woo-Young & Spagnolo, Fabio & Spagnolo, Nicola, 2020. "Non-linearities, cyber attacks and cryptocurrencies," Finance Research Letters, Elsevier, vol. 32(C).
    8. Eling, Martin & Jung, Kwangmin & Shim, Jeungbo, 2022. "Unraveling heterogeneity in cyber risks using quantile regressions," Insurance: Mathematics and Economics, Elsevier, vol. 104(C), pages 222-242.
    9. Eling, Martin & Wirfs, Jan, 2019. "What are the actual costs of cyber risk events?," European Journal of Operational Research, Elsevier, vol. 272(3), pages 1109-1119.
    10. Gareth W. Peters & Pavel V. Shevchenko & Bertrand K. Hassani & Ariane Chapelle, 2016. "Should the advanced measurement approach be replaced with the standardized measurement approach for operational risk?," Documents de travail du Centre d'Economie de la Sorbonne 16065, Université Panthéon-Sorbonne (Paris 1), Centre d'Economie de la Sorbonne.
    11. Kwangmin Jung, 2021. "Extreme Data Breach Losses: An Alternative Approach to Estimating Probable Maximum Loss for Data Breach Risk," North American Actuarial Journal, Taylor & Francis Journals, vol. 25(4), pages 580-603, November.
    12. Antoine Bouveret, 2018. "Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment," IMF Working Papers 2018/143, International Monetary Fund.
    13. Gareth W. Peters & Pavel V. Shevchenko & Bertrand K. Hassani & Ariane Chapelle, 2016. "Should the advanced measurement approach be replaced with the standardized measurement approach for operational risk?," Post-Print halshs-01391091, HAL.
    14. Zhu, Xiaoqian & Wei, Lu & Li, Jianping, 2021. "A two-stage general approach to aggregate multiple bank risks," Finance Research Letters, Elsevier, vol. 40(C).
    15. Ganegoda, Amandha & Evans, John, 2013. "A scaling model for severity of operational losses using generalized additive models for location scale and shape (GAMLSS)," Annals of Actuarial Science, Cambridge University Press, vol. 7(1), pages 61-100, March.
    16. Kjartan Palsson & Steinn Gudmundsson & Sachin Shetty, 2020. "Analysis of the impact of cyber events for cyber insurance," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 564-579, October.
    17. Christian Biener & Martin Eling & Jan Hendrik Wirfs, 2015. "Insurability of Cyber Risk: An Empirical Analysis†," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 40(1), pages 131-158, January.
    18. de Fontnouvelle, Patrick & Dejesus-Rueff, Virginia & Jordan, John S. & Rosengren, Eric S., 2006. "Capital and Risk: New Evidence on Implications of Large Operational Losses," Journal of Money, Credit and Banking, Blackwell Publishing, vol. 38(7), pages 1819-1846, October.
    19. Md. Hamid Uddin & Md. Hakim Ali & Mohammad Kabir Hassan, 2020. "Cybersecurity hazards and financial system vulnerability: a synthesis of literature," Risk Management, Palgrave Macmillan, vol. 22(4), pages 239-309, December.
    20. Valérie Chavez-Demoulin & Paul Embrechts & Marius Hofert, 2016. "An Extreme Value Approach for Modeling Operational Risk Losses Depending on Covariates," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 83(3), pages 735-776, September.
    21. Spencer Wheatley & Annette Hofmann & Didier Sornette, 2021. "Addressing insurance of data breach cyber risks in the catastrophe framework," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 46(1), pages 53-78, January.
    22. Gareth W. Peters & Pavel V. Shevchenko & Bertrand K. Hassani & Ariane Chapelle, 2016. "Should the advanced measurement approach be replaced with the standardized measurement approach for operational risk?," Université Paris1 Panthéon-Sorbonne (Post-Print and Working Papers) halshs-01391091, HAL.
    23. Edward W. Frees & Gee Lee & Lu Yang, 2016. "Multivariate Frequency-Severity Regression Models in Insurance," Risks, MDPI, vol. 4(1), pages 1-36, February.
    24. Lu Wei & Jianping Li & Xiaoqian Zhu, 2018. "Operational Loss Data Collection: A Literature Review," Annals of Data Science, Springer, vol. 5(3), pages 313-337, September.
    25. Ohlsson, Esbjörn & Johansson, Björn, 2006. "Exact Credibility and Tweedie Models," ASTIN Bulletin, Cambridge University Press, vol. 36(1), pages 121-133, May.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Malavasi, Matteo & Peters, Gareth W. & Shevchenko, Pavel V. & Trück, Stefan & Jang, Jiwook & Sofronov, Georgy, 2022. "Cyber risk frequency, severity and insurance viability," Insurance: Mathematics and Economics, Elsevier, vol. 106(C), pages 90-114.
    2. Matteo Malavasi & Gareth W. Peters & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang & Georgy Sofronov, 2021. "Cyber Risk Frequency, Severity and Insurance Viability," Papers 2111.03366, arXiv.org, revised Mar 2022.
    3. Zängerle, Daniel & Schiereck, Dirk, 2022. "Modelling and predicting enterprise‑level cyber risks in the context of sparse data availability," Publications of Darmstadt Technical University, Institute for Business Studies (BWL) 136276, Darmstadt Technical University, Department of Business Administration, Economics and Law, Institute for Business Studies (BWL).
    4. Lu Wei & Jianping Li & Xiaoqian Zhu, 2018. "Operational Loss Data Collection: A Literature Review," Annals of Data Science, Springer, vol. 5(3), pages 313-337, September.
    5. Daniel Zängerle & Dirk Schiereck, 2023. "Modelling and predicting enterprise-level cyber risks in the context of sparse data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 434-462, April.
    6. Xu, Chi & Zheng, Chunling & Wang, Donghua & Ji, Jingru & Wang, Nuan, 2019. "Double correlation model for operational risk: Evidence from Chinese commercial banks," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 516(C), pages 327-339.
    7. Benjamin Avanzi & Xingyun Tan & Greg Taylor & Bernard Wong, 2023. "Cyber Insurance Risk: Reporting Delays, Third-Party Cyber Events, and Changes in Reporting Propensity -- An Analysis Using Data Breaches Published by U.S. State Attorneys General," Papers 2310.04786, arXiv.org.
    8. Uddin, Md Hamid & Mollah, Sabur & Islam, Nazrul & Ali, Md Hakim, 2023. "Does digital transformation matter for operational risk exposure?," Technological Forecasting and Social Change, Elsevier, vol. 197(C).
    9. Marco Migueis, 2017. "Forward-looking and Incentive-compatible Operational Risk Capital Framework," Finance and Economics Discussion Series 2017-087, Board of Governors of the Federal Reserve System (U.S.).
    10. Xiaoqian Zhu & Jianping Li & Dengsheng Wu, 2019. "Should the Advanced Measurement Approach for Operational Risk be Discarded? Evidence from the Chinese Banking Industry," Review of Pacific Basin Financial Markets and Policies (RPBFMP), World Scientific Publishing Co. Pte. Ltd., vol. 22(01), pages 1-15, March.
    11. Yin-Yee Leong & Yen-Chih Chen, 2020. "Cyber risk cost and management in IoT devices-linked health insurance," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 737-759, October.
    12. Frank Cremer & Barry Sheehan & Michael Fortmann & Arash N. Kia & Martin Mullins & Finbarr Murphy & Stefan Materne, 2022. "Cyber risk and cybersecurity: a systematic review of data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 47(3), pages 698-736, July.
    13. Marco Migueis, 2019. "Evaluating the AMA and the new standardized approach for operational risk capital," Journal of Banking Regulation, Palgrave Macmillan, vol. 20(4), pages 302-311, December.
    14. Yin-Yee Leong & Yen-Chih Chen, 0. "Cyber risk cost and management in IoT devices-linked health insurance," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 0, pages 1-23.
    15. Gareth W. Peters & Matteo Malavasi & Georgy Sofronov & Pavel V. Shevchenko & Stefan Trück & Jiwook Jang, 2023. "Cyber loss model risk translates to premium mispricing and risk sensitivity," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 372-433, April.
    16. Md. Hamid Uddin & Md. Hakim Ali & Mohammad Kabir Hassan, 2020. "Cybersecurity hazards and financial system vulnerability: a synthesis of literature," Risk Management, Palgrave Macmillan, vol. 22(4), pages 239-309, December.
    17. Dacorogna, Michel & Debbabi, Nehla & Kratz, Marie, 2023. "Building up cyber resilience by better grasping cyber risk via a new algorithm for modelling heavy-tailed data," European Journal of Operational Research, Elsevier, vol. 311(2), pages 708-729.
    18. Ajjima Jiravichai & Ruth Banomyong, 2022. "A Proposed Methodology for Literature Review on Operational Risk Management in Banks," Risks, MDPI, vol. 10(5), pages 1-18, May.
    19. Bennet Skarczinski & Mathias Raschke & Frank Teuteberg, 2023. "Modelling maximum cyber incident losses of German organisations: an empirical study and modified extreme value distribution approach," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 463-501, April.
    20. Gareth W. Peters & Matteo Malavasi & Georgy Sofronov & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang, 2022. "Cyber Loss Model Risk Translates to Premium Mispricing and Risk Sensitivity," Papers 2202.10588, arXiv.org, revised Mar 2023.

    More about this item

    Keywords

    Operational risk; Cyber risk; Financial services industry; Tweedie model;
    All these keywords.

    JEL classification:

    • C13 - Mathematical and Quantitative Methods - - Econometric and Statistical Methods and Methodology: General - - - Estimation: General
    • G32 - Financial Economics - - Corporate Finance and Governance - - - Financing Policy; Financial Risk and Risk Management; Capital and Ownership Structure; Value of Firms; Goodwill

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:pal:risman:v:24:y:2022:i:4:d:10.1057_s41283-022-00095-w. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Sonal Shukla or Springer Nature Abstracting and Indexing (email available below). General contact details of provider: http://www.palgrave.com .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.