According to Basel Committee on Banking Supervision (2003), Operational risk is defined as the risk of losses resulting from inadequate or failed internal processes, people, systems or from external events. There are different types of operational risks like fiduciary breaches, aggressive sales, breaches of privacy, account churning, failure of IT systems, health and safety, litigation and misuse of confidential information.
The organization has control over the operational risk through risk assessment and risk management practices, including external and internal factors. External factors such as natural disasters, political upheavals, weak financial policies, out-dated business regulations and criminal fraud that have only compounded operational risk. On the other hand, internal factors include failure of existing systems, inefficient hardware and server maintenance, inadequate processes. Below image shows different types of events with descriptions.
The figure (1) shows that the highest is by Clients, products and business practices and the lowest is by Disaster and public safety. Due to operational risk in the financial sector, there are three primary areas where it gets impacted most. Such as Property exposure (company’s physical assets), Personnel exposure (risks faced by the customers, contractor and suppliers), and Financial exposure (intellectual property, goodwill and patents). Thus, it is very important to have a higher quality of financial regulation and supervision to reduce the operational risk in the financial sector.
The Basel II accord allows three methods for calculating the capital charge which was assigned to operational risk such as:
- The Basic Indicator Approach (BIA)
- The Standardized Approach (SA)
- The Advanced Measurement Approach (AMA)
The rules require banks to calculate their regulatory capital requirement as the sum of expected and unexpected losses.
Cyber Risk in the Financial Sector
Cyber and IT-related risk can be seen as a subset of operational risks and it is a very important class of emerging risks in the financial sector. The financial sector is one of the most targeted sectors due to its reliance on information and due to regulatory requirements regarding operational risk. According to Cebula and Young (2010), cyber risk can be defined as operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information system. In December 2018, the Basel Committee on Banking Supervision published a report on the range of cyber-resilience practices. Cybersecurity is defined as confidentiality (case of data breach), integrity (case of fraud) and availability (business disruption) and these three are the main aspects that get impacted by the cyber risk in the financial sector. The risk of a loss of confidentiality could be high for the financial sector.
Business Disruption in Financial Sector
DDOS attack is the common method to disrupt from business operations that attack on the targeted firm’s server. For example, it was reported that there was a disruption of the top cloud provider in the U.S for three to six days. It leads to losses of around USD 24 billion (Lloyd’s, 2018). Most losses were incurred in the manufacturing and trade sectors, while losses for the financial sector would be limited to USD 450 Mn. Some more examples of disruption of business are given below in the box. Cyber-attacks can also target multiple financial institutions to disrupt the financial sector.Several countries have been exposed to coordinated cyber-attacks on the banking sector using DDoS, although no significant damages have been reported so far (Box 1).
Data breaches in Financial Sector
In 2018, the financial sector reported 819 cyber incidents and there was a significant increase from 69 incidents reported in 2017. The financial sector has already experienced a number of data breaches in 2019 – 2020. For example, In May 2019, First American Corp suffered a data breach that compromised nearly 885 millions files related to mortgage deeds and KrebsOnSecurity revealed. The data breach exposed information included bank account numbers and statements, mortgage, social security numbers, transaction receipts and images of driver’s licenses. The Ponemon Institute estimates that the average cost per stolen record was USD 141 in 2017 and by applying the Ponemon estimates, over the last three years, U.S financial firms lost around $38 billion.
Fraud in Financial Sector
Fraud is basically when someone gets access to confidential information including client’s credentials used for online payment can be used by cyber-criminals. There are different types of fraud such as identity fraud, phishing emails, card fraud, skimming, and counterfeit cards. The counterfeit cards are the leading type of debit card fraud. According to American Bankers Association (ABA) Deposit Account Fraud Survey Report, there were losses due to fraud in the financial sector to $2.2 billion in 2016. The American Bankers Association (ABA) has recommended some measures to prevent the fraud. Consumers should not provide their Social Security Number or account information to anyone online or on the phone. Consider enrolling in online banking and make strong username and passwords. Also, be up-to date with the new update of online banking and make sure to use three authentication factors for security.
Losses by cyber-risk in Financial sector
Table 5 shows that the average loss due to cyber attacks for the countries in the ORX sample amounts to USD 97 bn or 9% of bank net income. The VaR would range between USD 147 and 201 billion (14 to 19 percent of net income) and the expected shortfall between USD 187 and 281 billion. Thus, cyber risk is an emerging threat for all types of financial institutions which includes both central bank and fintech firms.
The probability of cyber losses is relatively a small portion of overall operational risk losses in terms of frequency. However the impact of cyber risk is significant and it causes major damage to any type of financial sectors. Understanding and measuring the operational risk is important for both banks and public authorities. By using the three types of Basel II method, the operational risk can be measured in the financial sector or any other business sectors. Technology changes everyday, it has become very important to every organization from small to large sized companies including profit and non-profit to update their technology (hardware and software) for security purposes. Therefore to lower operational risk losses, it is very important to have a higher quality of financial regulation, and supervision and also the increase of bank competition leads to a reduction in operation losses.