28/9/19: Evidence of Systemic Risk from Major Cybersecurity Breaches

In our post for Columbia Law School's CLS Blue Sky Blog, myself and Shaen Corbet explain in non-technical terms our ground-breaking findings on systemic nature of cybersecurity risks in financial markets:

• LexBlog link: https://www.lexblog.com/2019/09/26/evidence-of-systemic-risk-from-major-cybersecurity-breaches/
• CLS link: http://clsbluesky.law.columbia.edu/2019/09/27/evidence-of-systemic-risk-from-major-cybersecurity-breaches/
• Original working paper: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3033950
• Published paper: https://www.sciencedirect.com/science/article/pii/S1057521919300274.

Our study is the first in the literature showing evidence of systemic contagion from cyber attacks on one company to other companies and stock exchanges.

Based on these findings, we have a chapter forthcoming in an academic volume on the future of regulation, proposing a novel mechanism for regulatory detection, monitoring and enforcement of cybersecurity risks. We will post this chapter when it goes to print, so stay tuned.

28/11/17: Hacking the market: Systemic contagion from cybersecurity breaches

Our article for LSE Business Review is now live on the site: http://blogs.lse.ac.uk/businessreview/2017/11/28/hacking-the-market-systemic-contagion-from-cybersecurity-breaches/.

You can read (free) our paper, on which this article is based, in full here: Corbet, Shaen and Gurdgiev, Constantin, What the Hack: Systematic Risk Contagion from Cyber Events (September 7, 2017). Available at SSRN: https://ssrn.com/abstract=3033950.

Enjoy.

10/6/17: Visualizing Cyber Security Attacks

Here is a brilliant visualization of data breaches over time and by size: http://www.visualcapitalist.com/worlds-biggest-data-breaches/.

As the chart above clearly shows, the number of reporter/disclosed attacks has exploded, staring with 2014, and the volume of attacks (data files impacted) has blown out starting 2010 (note: Yahoo attacks were severely lagged in reporting). In part, the two factors are down to changes in reporting and disclosure rules, and in part they are down to changes in reporting practices. But, as we observe econometrically in our recent papers on the subject: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2892842 and https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2904749, the pattern on frequency, severity and impact of attacks, as well as their typology, are richer than the chart above provides.

Starting with 2010s, the typology of cyber security risks and attacks has been shifting from malicious and accidental losses of hardware and accidental disclosures of data to malware-based hacks, direct hacks, and illegal disclosures. The distribution of attacks has been changing since 2014, with smaller and larger, state and private sector players being hit with higher frequency, as opposed to the 2000s-early 2010s when we had more concentrated distribution of attacks. And, crucially, the impact of the attacks is also changing: starting with 2014, we are witnessing systemic shocks contagion propagating from individual attack targets to their exchanges and even to other exchanges.

9/4/17: JTCI Article on Cybercrime & Financial Markets Contagion

Our paper on cybersecurity risks spillovers across financial markets was published in the JTCI: http://www.terrorismcyberinsurance.com/. You can access full paper here: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2892842.

24/2/17: Cybersecurity Threats: Business Survey

An interesting insight via https://www.bloomberg.com/politics/articles/2017-02-21/threat-of-cyber-attack-is-biggest-fear-for-businesses-survey on the rising importance of the cyber-security risks and changing business perceptions of the risk. Goes handily with our findings here: http://trueeconomics.blogspot.com/2017/01/23117-regulating-for-cybercrime-hacking.html.

21/2/17: The Future of Finance

Last week I was speaking at a forum on Open Societies in Panama City. My speech covered the key threats and transformational changes in the global financial services. Here are my annotated slides:

2/2/17: FactSet on Five 'Notable' 2016 Corporate Data Breaches

In our recent working paper on the systemic effects of cyber risks expressed via financial markets, we have shown the first empirical evidence of systemic (cross exchanges and cross companies) contagion from cyber risks to share prices of the world’s largest corporates, starting with 2014. You can read the full paper here: http://trueeconomics.blogspot.com/2017/01/23117-regulating-for-cybercrime-hacking.html.

Some new evidence on the effects of cyber crime on corporate performance is now also presented in a recent FactSet analysis here.

In this article, FactSet look at the corporate performance effects arising from five “notable” 2016 data breaches, specifically focusing on the stock performance. The methodology in this analysis, unfortunately, is weak and does not lend itself to establishing any specific hypotheses, including those claimed.

Still, an interesting collection of factoids and illustrations of the shorter term impacts (or lags in such).

23/1/17: Regulating for Cybersecurity: A Hacking-Based Mechanism

Our second paper on systemic nature (and regulatory response to) cyber security risks is now available in a working paper format here: Corbet, Shaen and Gurdgiev, Constantin, Regulatory Cybercrime: A Hacking-Based Mechanism to Regulate and Supervise Corporate Cyber Governance? (January 23, 2017): https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2904749.

Abstract: This paper examines the impact of cybercrime and hacking events on equity market volatility across publicly traded corporations. The volatility influence of these cybercrime events is shown to be dependent on the number of clients exposed across all sectors and the type of the cyber security breach event, with significantly large volatility effects presented for companies who find themselves exposed to cybercrime in the form of hacking. Evidence is presented to suggest that corporations with large data breaches are punished substantially in the form of stock market volatility and significantly reduced abnormal stock returns. Companies with lower levels of market capitalisation are found to be most susceptible. In an environment where corporate data protection should be paramount, minor breaches appear to be relatively unpunished by the stock market. We also show that there is a growing importance in the contagion channel from cyber security breaches to markets volatility. Overall, our results support the proposition that acting in a controlled capacity from within a ring-fenced incentives system, hackers may in fact provide the appropriate mechanism for discovery and deterrence of weak corporate cyber security practices. This mechanism can help alleviate the systemic weaknesses in the existent mechanisms for cyber security oversight and enforcement.

2/1/16: Financial digital disruptors and cyber-security risks

My and Shaen Corbet's new paper titled Financial digital disruptors and cyber-security risks: paired and systemic (January 2, 2017), forthcoming in Journal of Terrorism & Cyber Insurance, Volume 1 Issue 2, 2017 is now available at SSRN: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2892842.

Abstract:
The scale and intensity of digital financial criminality has become more apparent and audacious over the past fifteen years. To counteract this escalating threat, financial technology (FinTech) and monetary and financial institutions (MFI) have attempted to upgrade their internal technological infrastructures to mitigate the risk of a catastrophic technological collapse. However, these attempts have been hampered through the financial stresses generated from the recent international banking crises. Significant contagion channels in the aftermath of cybercriminal events have also been recently uncovered, indicating that a single major event may generate sectoral and industry-wide volatility spillovers. As the skillset and variety of tactics used by cybercriminals develops further in an environment of stagnating and underfunded defensive technological structures, the probability of a devastating hacking event increases, along with the necessity for regulatory intervention. This paper explores and discusses the range of threats and consequences emanating from financial digital disruptors through cybercrime and potential avenues that may be utilised to counteract such risk.