Tail events from a systemic cyber risk event caused by a ‘single point of failure’ could be “material”, warns Fitch

US banks are generally well positioned to handle average modelled cyber risk losses; however, tail events from a systemic cyber risk event can be material, according to a report from Fitch.

The financial impact of a cyber event often centers around the reported remediation, or in the case of ransomware, the requested ransom payment. But the financial cost from a cyber event is likely to extend well beyond just headline figures.

Additional costs from these tail events can include data restoration, investigation and response, regulatory legal fines, and brand damage. Cyber risk insurance can mitigate some of these costs.

Fitch partnered with CyberCube to model the impact of systemic cyber events on the US banking sector under various cyber risk scenarios. CyberCube’s model focuses on “single points of failure” (SPOF) for cyber incidents that could impact parts of the US banking system. 

A cyber attack on a particular SPOF may have a cascading impact on connected banks.

The infection of a SPOF is a force multiplier creating significantly larger footprints of compromise than in traditional attacks that infect one bank or system at a time.

“Systemic cyber risks are as important to analyse as idiosyncratic cyber risks,” said Fitch managing director Christopher Wolfe. “Cyber risk is evolving into broader aggregations and concentrations within the vendor management and supply chain.”

”An incident at a single critical third- or fourth-party vendor could lead to significant business interruption losses.”

For the research, Fitch and CyberCube analysed the entire US banking sector of approximately 4,900 banks with over $1.1 trillion in total revenues. 

Souki Chahid, CyberCube principal product advisor, commented: “A greater understanding of the inherent risks faced by the banking sector will support banks in their decision-making with regards to their insurance purchasing and their operational risk.”