The drivers of cyber risk

BIS Working Papers  |  No 865  | 
20 May 2020

Focus

Information technology (IT) has become indispensable, underpinning economic growth over the past decades. As organisations of all sizes in both the public and private sector become ever more interconnected and reliant on IT products and services such as cloud-based systems and artificial intelligence, they are increasingly exposed to cyber risks - the risk of financial loss, disruption or reputational damage to an organisation resulting from the failure of its IT systems. These episodes include malicious cyber incidents (cyber attacks) where the threat actor intends to do harm (eg ransomware attacks, hacking incidents or data theft by employees).

Contribution

Cyber incidents are becoming more sophisticated and their costs difficult to quantify. Using a unique database of more than 100,000 cyber events across sectors, we first document the characteristics of cyber incidents and obtain some stylised facts. The richness of the database also lets us examine the relationship between firm-, sector- and event-specific characteristics, and the relative cost of cyber events.

Findings

Cyber costs are higher for larger firms and for incidents that affect several organisations at once. The financial sector incurs a larger number of cyber attacks but suffers lower costs, on average, because of its greater investment in IT security. The use of cloud services is associated with lower costs, especially when cyber incidents are relatively small. By contrast, as cloud providers become systemically important, cloud dependence is likely to increase tail risks. Crypto-related activities, which are largely unregulated, are particularly vulnerable to cyber attacks.


Abstract

Cyber incidents are becoming more sophisticated and their costs difficult to quantify. Using a unique database of more than 100,000 cyber events across sectors, we document the characteristics of cyber incidents. Cyber costs are higher for larger firms and for incidents that impact several organisations simultaneously. The financial sector is exposed to a larger number of cyber attacks but suffers lower costs, on average, thanks to proportionately greater investment in information technology (IT) security. The use of cloud services is associated with lower costs, especially when cyber incidents are relatively small. As cloud providers become systemically important, cloud dependence is likely to increase tail risks. Crypto-related activities, which are largely unregulated, are particularly vulnerable to cyber attacks.

JEL classification: D5, D62, D82, G2, H41

Keywords: cyber risk, cloud services, financial institutions, bitcoin, cryptocurrencies, cyber cost, cyber regulation