Interconnectedness of banking system at risk of cyberattack

The Federal Reserve Bank of New York’s Staff Report No. 909 explores how a cyberattack on several small or midsize banks could create an interbank funding failure. Such a failure would lead to a broader systemic liquidity crisis. Putting cybersecurity tools and policies in place at individual banks would not address the interconnectedness of the entire banking ecosystem. However, employing a thorough modeling approach that takes into account the potential points of cascading failures would help decision makers understand the interconnectedness of their risk. Milliman’s Chris Harner, Chris Beck, and Blake Fleisher discuss this in the article “Cyberattacks could cripple U.S. financial system.”

Coronavirus: Staying ahead of the risk (part 2)

The scope and breadth of the coronavirus (COVID-19) represents an unprecedented shock to the world’s economies, communities, and societal norms. The rapidly evolving nature of the crisis very potently demonstrates the continuing importance of considering future pathways, potential consequences, and how best to respond.

The previous post began by stating: “the global coronavirus pandemic is very clearly a rapidly evolving, complex, multi-factor event with significant downside potential over both the immediate short and medium-longer terms”. This post further explores the virus under the lens of a set of key principles we believe are fundamental to effective emerging risk analysis:

  • focus on multi-factor scenarios ahead of single factor stresses – a couple of moderate adverse events occurring at the same time are more likely to be the cause of business failure than a single extreme tail event;
  • consider a wider set of measures than just the balance sheet impact – many seemingly severe stresses can look quite benign (or at least manageable) from a capital perspective, but could well have more concerning implications for a firm’s liquidity, its operational integrity, or considering the potential response by key stakeholders;
  • develop novel scenarios that involve aspects or dynamics that the business has not previously encountered – these tend to be more challenging to manage; situations that have happened before are generally well understood and firms should have plans in place to deal with them appropriately should they arise again; and, finally
  • recognise the highly complex, highly interconnected nature of today’s business environment (and the wider world) – this creates emergent outcomes that are highly non-linear and which can unfold unexpectedly and at high velocity.

A multi-factor event

Firstly, the present situation would not be in any way accurately described as an event for which the only impact is a direct near-term shock to mortality and morbidity rates. Beyond the infections and deaths, in past weeks, markets have responded turbulently with dramatic falls in equity prices, credit spreads widening significantly and sovereign yields falling to new lows. Most firms have already had to respond to the increasingly strict social distancing measures, which present challenges in terms of both staff and customers. As an unfolding risk event, the crisis can today be characterised by demographic, market and operational risks that have already crystallised.

Looking forward, the only aspect that can be reliably predicted is that the multi-faceted nature of the crisis will continue. From a demographic perspective, in the UK it is widely acknowledged we are perhaps a few weeks behind other European countries in terms of infections. It is an unknown whether the newly announced measures will be effective or are, in fact, being introduced too late. Furthermore, assuming current or increased social distancing measures prove impractical or undesirable to enforce beyond a few months, there are expectations of a second significant spike in infections towards the end of the year. And over the longer term, even with a vaccine (which estimates suggest will take 18 months to develop), the virus could establish itself as an ever-present threat in much the same way as seasonal flu. On a more positive note, researchers are already making good progress with advances in testing, which would potentially allow those who have already had the virus to be identified and returned to work quickly and safely.

Further market falls and sustained volatility should also be anticipated, and initial hopes of ultimately seeing a “v-shaped” recovery in markets appear to be fading fast. It is far from certain that the economy will be able to pick back up where it left off once the virus infection rate subsides and mitigating measures are phased out. There is also the question of whether the coronavirus was the sole cause of the severe market falls or instead triggered a crash that was already primed and waiting to happen, with the risk being obscured and delayed by macroeconomic measures such as depressed interest rates and quantitative easing. In the latter case, fundamental economic weaknesses will need to be addressed in addition to stopping the virus before we can return to economic growth. In the intervening period, we can anticipate a dramatic drop in corporate investment spending as well as increased default rates and company bankruptcies. The effects of the virus might have a lasting impact on factors such as the size of the workforce and consumer demand.

Operationally, the option of working from home will not be practical for certain industries, and with recommended or mandatory social distancing measures in place, many firms will find it extremely challenging (in some cases impossible) to maintain their business-as-usual capacity and capability. Other firms that transition to remote working will nevertheless face their own challenges, not least of which is the need to be mindful of the potential for reduced staff productivity, engagement and morale.

Whatever the type of business, the direct challenges to maintaining the day-to-day functioning of business will need to be managed alongside an increased exposure to existing operational risks. Likelihoods of occurrence will, in many cases, be materially elevated. For example, malevolent cyber actors may view the spread of the coronavirus as an ideal opportunity to launch a targeted or widespread cyberattack, and empty offices/facilities, remote working and supplier restrictions over an extended period all raise the prospect of operational failure.

Furthermore, every firm’s ability to respond to and recover from the occurrence of any operational risk events will also be materially impaired. Existing post-event mitigation and recovery plans will (almost without exception) be designed around incidents lasting a matter of weeks, not months or longer. And they will invariably rely on having people on the ground and readily available outside resources and expertise, replacement equipment and cash to meet a significant, short-term spike in expenditure. None of these can be taken for granted. Firms will need to reassess both their assumptions regarding the availability and efficacy of recovery measures and their own internal definition of what constitutes “recovery”.


The Three R’s to understanding the complexities of cyber risk

Cyber is proving itself to be the ultimate enterprise risk, encompassing not only information technology, but also risks involving vendors, people, legal questions, and reputation, all while moving with stealth and a velocity that is extremely difficult to cope with.

What often flies under the radar is the risk posed to companies that are not the direct target of cyberattacks. Who could have predicted that an attack targeting Ukraine would simultaneously affect global shipping, a pharmaceutical company in the U.S., and a chocolate company in Australia? This type of risk event was unprecedented until the release of NotPetya in June 2017.

The attack on Maersk is an example of the law of unintended consequences when it comes to cyber. NotPetya’s impact on the shipping company illustrates the “Three R’s” of complex risks like cyber: robustness, resiliency, and redundancy.

In this article, Milliman’s Chris Harner, Chris Beck, and Blake Fleisher view Maersk’s experience and response to NotPetya through the lens of the Three R’s.

Coronavirus: Staying ahead of the risks

To start with the obvious, the global coronavirus pandemic is very clearly a rapidly evolving, complex, multi-factor event with significant downside potential over both the immediate short and medium-longer terms. Consumer behaviours and attitudes, financial markets and the political, fiscal and regulatory response are all developing at pace with little certainty or predictability. Firms need to be thinking and acting with similar dynamism to manage the here and now and plan effectively for multiple future scenario pathways. But how to do this in an informed way?

Earlier affected countries

In the absence of meaningful past scenarios (COVID-19 is increasingly being viewed as unprecedented compared to recent previous outbreaks such as SARS and swine flu), the practical experiences of firms in regions hit earlier by the virus may be invaluable, even though the lead time may only be a matter of weeks or (at best) months. In this context, Vicky Yu, a compliance professional in China, provides just this insight in her recent paper “Risk management during the coronavirus outbreak”.

Three important themes are explored in the paper:

  • “An emergency management system is essential” – For UK firms this offers a reminder (if one were needed) that business continuity management should now already be in effect or very shortly needs to be.

    Most mature firms should have a plan specifically designed for pandemics/epidemics and the senior crisis management team should be meeting regularly to discuss a growing list of live and emerging operational issues that the virus is creating. This includes, for example, how best to communicate with staff, customers and other stakeholders (such as third parties), implementing measures to limit the spread of the virus on company property and planning how to maintain the operations of the business if working arrangements need to change significantly from the norm.

    The experience from Chinese companies is that far more agile decision-making than firms are typically used to may be required in order to access mitigating measures whilst they remain available and effective and to minimise the lag in responding to changing circumstances.
  • “Following up on government regulations can be challenging” – New government measures (e.g., travel restrictions, school closures, etc.) may be announced with little forewarning and the timeframe over which firms and their employees then need to react to adjust or comply could be exceedingly short. In these circumstances, Yu stresses that it may be necessary for firms to put additional resources and expertise into support functions such as compliance and human resources (HR).
  • “HR compliance needs to be strong” – Like any other function, HR will need to be able to manage through sick leave, self-isolation and social distancing measures (such as significantly increased working from home). However, HR will also need to contend with an increased workload stemming from:
    • An influx of employee questions (to which giving a definitive or positive response may not be possible)
    • A greater monitoring and reporting ask from management
    • Providing direct support to affected employees

Considerations for Solvency II variation analysis templates

(Re)insurance undertakings completing their Solvency II reporting are required to submit four reporting templates analysing the variance over the year. EIOPA’s explanatory note on these templates was updated most recently in July 2018 with the updated Implementing Technical Standards and LOG files published in November 2018. In this briefing, Milliman’s Matthew McIlvanna and Aisling Barrett discuss these templates and offer perspective on how to approach them.

EIOPA publishes information request for Solvency II 2020 review

The European Insurance and Occupational Pensions Authority (EIOPA) has published its information request on its proposed changes to Solvency II. This provides some insight into EIOPA’s thinking following the consultation on its proposed changes to Solvency II (summarised in Milliman briefing notes here). 

Interestingly, despite not proposing changes to the risk margin in its consultation papers, EIOPA is including a possible change to the risk margin in the impact assessment. The technical specification for the impact assessment sets out a scenario where the projected Solvency Capital Requirements (SCRs) used in the calculation of the risk margin are multiplied by a factor of 0.975 (“the lambda factor”) compounded by the number of years between the valuation date and the projected date. This adjustment to projected SCRs is subject to a minimum of 50% (which bites at projection year 28). This tapering approach is mentioned in a paper by a working party of the Institute and Faculty of Actuaries that reviewed the risk margin and was included in a submission to EIOPA from the Association of British Insurers.

In relation to extrapolation, an alternative extrapolation method is proposed which affects the Euro yield curve at 31 December 2019 as shown in the graph below. This is one of the five options proposed in the EIOPA consultation paper.

As can be seen, the impact is to reduce the Euro curve after the Last Liquid Point (LLP), but not as materially as some of the other EIOPA proposals that were included in the consultation which involved increasing the LLP. Non-Euro yield curves will also be affected but less materially as the LLP is later. By comparison, the UK yield curve actually increases at later durations using this approach.

Unsurprisingly, interest rate shocks are proposed which increase the impact of the interest rate down shock for the Euro yield curve. The graph below shows the interest rate shocks that would apply as at 31 December 2019 using the current approach and those proposed in the impact assessment (both based on the alternative base Euro yield curve proposed above). 

As can be seen, the proposed interest down shock would increase the impact of this shock (while the impact of the interest up shock would reduce).

Several other changes are being assessed including:

  • Reflecting realistic new business assumptions in best estimate expenses
  • Correlation factor between interest rate risk and spread risk
  • Volatility adjustment
  • Dynamic volatility adjustment in standard formula (and internal models)
  • A floor on the interest rate down shock
  • Long-term equity requirements for use
  • Recognition of risk mitigation techniques
  • Non-life Minimum Capital Requirement factors
  • Contract boundaries clarification

Supervisors have notified companies that are required to participate in the impact assessment. Submissions are due 31 March 2020. EIOPA’s final opinion on the 2020 review of Solvency II is due in June.