Cyber Risk Definition and Classification for Financial Risk Management

September 20, 2021

Filippo Curti, Jeffrey Gerlach, Sophia Kazinnik, Michael Lee and Atanas Mihov

Abstract: Cyber risk is undeniably one of the most critical emerging risks to the financial industry. However, even though cyber risk is recognized as a significant threat to financial institutions and, more generally, to financial stability, the quantification and analysis of cyber risk have not yet matured to the point where it can be consistently measured and managed against corporate risk appetites. This impedes efforts to effectively measure and manage such risk, diminishing institutions’ individual and collective readiness to handle system-level cyber threats. This paper aims to address this gap by providing a preliminary definition and classification of cyber risk for risk management purposes. The proposed definition and classification would ensure that adopting institutions use a common language and would allow consistent data collection and sharing. We explain in more depth the reasoning behind the variables we propose to collect and demonstrate how some existing cybersecurity events map into our proposed scheme.

Keywords: operational risk; nonfinancial risk; cyber risk; risk measurement