Reinventing Operational Risk Regulation for a World of Climate Change, Cyberattacks, and Tech Glitches
Proposes a new framework for regulating operational threats such as damage to physical assets, business disruption, and system failures. It suggests replacing RWA regulation with simple buffers of equity and outlines what a “macro-operational” approach to banking supervision might look like. It also acknowledges the limitations of macro-operational supervision and considers what new types of […]
Building Resilience in Cybersecurity — An Artificial Lab Approach
“Using the lab, in numerical case studies, we identify two classes of measures to control systemic cyber risks: security- and topology-based interventions. We discuss the implications of our findings on selected real-world cybersecurity measures currently applied in the insurance and regulation practice or under discussion for future cyber risk control. To this end, we provide […]
The Tensions of Cyber-Resilience: From Sensemaking to Practice
“We apply Weick’s (1995) sensemaking framework to examine four foundational tensions of cyber-resilience: a definitional tension, an environmental tension, an internal tension, and a regulatory tension. We then document how these tensions are embedded in cyber-resilience practices at the preparatory, response and adaptive stages. We rely on qualitative data from a sample of 58 cybersecurity […]
Modeling and Pricing Cyber Insurance — A Survey
“We distinguish three main types of cyber risks: idiosyncratic, systematic, and systemic cyber risks. While for idiosyncratic and systematic cyber risks, classical actuarial and financial mathematics appear to be well-suited, systemic cyber risks require more sophisticated approaches that capture both network and strategic interactions.”
When It Rains, It Pours: Cyber Risk and Financial Conditions
“We observe that cyber vulnerability and other financial shocks cannot be treated as uncorrelated risks and policy solutions for cyber security need to be calibrated for adverse financial conditions.”
Vine Copula Modelling Dependence Among Cyber Risks: A Dangerous Regulatory Paradox
“In quantifying the solvency capital requirement gradient for cyber risk measurement according to Solvency II, a dangerous paradox emerges: an insurance company can be ranked as solvent according to Pillar 1 without adequately evaluating the operational solvency capital requirements under Pillar 2.”
The Nature of Losses from Cyber-Related Events: Risk Categories and Business Sectors
“… we do not find a distinct pattern between the frequency of events, the loss severity, and the number of affected records as often alluded to in the literature. We also analyse the severity distribution of cyber related events across all risk categories and business sectors. This analysis reveals that cyber risks are heavy-tailed, i.e., […]
Crisis Preparedness in the Digital World
“The paper will focus on the important role that financial supervisors and regulators can play in promoting effective risk management, supervision and crisis preparedness in relation to fintech developments, and the need for coordination and collaboration with policymakers, government, and the financial sector to address potential threats to financial stability.”