570 likes | 778 Views
Quantifying e-Commerce Risk. David Fishbaum, FSA Chuck McClenahan, FCAS MMC ENTERPRISE RISK. CAS Seminar on Ratemaking - March, 2001. The Problem. You’re the risk manager of a financial institution with a new web site
E N D
Quantifying e-Commerce Risk David Fishbaum, FSA Chuck McClenahan, FCAS MMC ENTERPRISE RISK CAS Seminar on Ratemaking - March, 2001
The Problem • You’re the risk manager of a financial institution with a new web site • Your insurance broker has provided you a quote for new e-commerce risk insurance coverage: $350,000 - $450,000 with low limits • Your not exactly sure what the risks of the web site are • What to do?
Background • The financial institution provides community banks with a product portfolio of ancillary products such as: • investments (mutual funds and stock trading) • insurance • other banking services • You provide web sites for these community banks for investments, insurance and lending
What are the risks? • Failure of the web site • problems with the surroundings, power failure, fire or flooding • failure of the hardware • failure of the software • attack through virus or computer hacker
Resultant damages are also varied • Delay in performing a service • Loss of brand value due to unreliability of service or transmission of computer virus • loss of value through failure to deliver • for example, an uncompleted stock trade
Background: E-commerce insurance coverage • There is an intensive application • the problem is that you can’t figure out how complex or risky a web site you are running • A system audit is part of the insurance coverage • there is a bias to find fault
How do you insure the high P/E ratio • Its 1999 and the price/earnings ratio of the e-commerce function seems to have broken down • The unspoken issue is how do you insure the value lost if something happens to the web site? • Not sure this is an issue today
Why bring in Actuaries? • Looking for someone to quantify the risk • We brought a multidisciplinary team of actuaries, economists and policy expert • The actuaries provided the quantification and modeling skill sets
Methodology • Model the web site • Stochastic testing • Scenario testing
Model • MMC ER developed a computer program to model the economic performance of the e-commerce infrastructure • Used company’s performance statistics • Used a Monte Carlo simulation to produce expected revenue and branding values • Based on this quantification, valued the potential losses of a series of scenarios
Flow of Information and quantification of failure probabilities ISP Provider Application Server/Firewall/Proxy Layer In our estimation of the probability of failure at the application host level, elements such as software outage, hardware outage, data base performance etc were considered.
Assumptions • Visits per week • Usage over the week • Revenue • Customer value • Application acceptance • Downtime
The Scenarios • Denial of service • Physical damage to hardware location • New virus brings down complete system • Malicious employee • Threats/extortion • Theft of credit card numbers
The Scenarios Denial of service • Attack causes a degradation of performance or loss of service to web site • Not covered under current coverage • Modeling assumption: site down for 3 hours • Income loss/Customer value loss
The Scenarios Physical damage to hardware location • Location of where hardware is kept is disabled • Covered under current insurance • Modeling assumption: site down for 10 days • Income loss/Customer value loss • Client bank’s lost revenue
The Scenarios New virus brings down complete system • Not covered under current coverage • Model assumption: system down for 2 days • Income loss/Customer loss
The Scenarios Malicious Employee • Destruction of important data or programs • Cost of recovery process covered under current coverage • Not modeled • Theft of policyholder info or other intangible property • Not covered under current coverage
The Scenarios Threats/extortion • Threat to commit a computer crime or to use information gained from a computer crime in exchange for money, personal gain or to embarrass the company • Would be covered under current kidnap and ransom policies
The Scenarios Theft of credit card numbers • CD universe and Salesgate (e-mall) • No credit card numbers are stored
Results of analysis • Biggest risk business interruption • Third party loss is minimal at this time though in time the Internet will affect its client relationship
Conclusions • Better quantification of risks • Better able to make a purchase decision • Other risk management decisions • What isn’t at risk is also important
Postscript • The website is still in operation • Strategy has been proven successful
e-Commerce Risk • Bruce Schneier - Secrets and Lies(Wiley Computer Publishing, 2000) • “The insurance industry does this kind of thing all the time; it’s how they calculate premiums. They figure out the annual loss expectancy for a given risk, tack on some extra for their operational costs plus some profit and use the result”
e-Commerce Risk • Bruce Schneier - Secrets and Lies(Wiley Computer Publishing, 2000) • “Of course there’s going to be a lot of guesswork in any of these; the particular risks we’re talking about are just too new and too poorly understood to be better quantized (sic).”
e-Commerce Risk • Pricing e-Commerce Risk • Determine Strategy • Identify the Risks • Collect Available Data • Develop Model • Price According to Strategy
e-Commerce Risk • Determine Strategy • “Guess and Confess” • Loss Leader • Self-Supporting • Franklin Approach
e-Commerce Risk • Determine Strategy - “Guess and Confess” • Insurer uses best available judgment (usually discovered deep in the bowels of the marketing department) as to the proper rate • Alternatively, rely on advice of career agents
e-Commerce Risk • Determine Strategy - Loss Leader • Aptly named, this strategy is based upon the assumption that the best way to develop experience and expertise is to write a lot of exposure
e-Commerce Risk • Determine Strategy - Self-Supporting • Goal is to cover losses and expenses, including start-up expenses, over some reasonable period of time. This is a radical strategy and has rarely been adopted in the property-casualty industry.
e-Commerce Risk • Determine Strategy - Franklin Approach • Focuses on loss avoidance • Underwrites against “undesirable” hazards, e.g. • large user base • large asset base • high public profile
e-Commerce Risk • Identify the Risks • We have a good track record here • Medical Malpractice • Computer Leasing • Asbestos and Environmental
e-Commerce Risk • How many do you recognize? • Daemon • Data mining • Digital wallet • Extranet • Luhn formula • Smart card • Thin client
e-Commerce Risk • How many do you recognize? • Daemon - a structured background process
e-Commerce Risk • How many do you recognize? • Daemon - a structured background process • Data mining - looking for hidden data patterns
e-Commerce Risk • How many do you recognize? • Daemon - a structured background process • Data mining - looking for hidden data patterns • Digital wallet - encryption software, user ID
e-Commerce Risk • How many do you recognize? • Daemon - a structured background process • Data mining - looking for hidden data patterns • Digital wallet - encryption software, user ID • Extranet - authorized outsider-available intranet
e-Commerce Risk • How many do you recognize? • Daemon - a structured background process • Data mining - looking for hidden data patterns • Digital wallet - encryption software, user ID • Extranet - authorized outsider-available intranet • Luhn formula - credit card verifying algorithm
e-Commerce Risk • Luhn formula (1) Start with penultimate digit and, moving left, double the value of each alternating digit. If you get a two digit number, add the two digits. (2) Add up all digits. Result must be zero mod 10
e-Commerce Risk • Luhn formula • 1234 567890 12347 • 1438 537790 14387 • 1+4+3+8+5+3+7+7+9+0+1+4+3+8+7=70
e-Commerce Risk • How many do you recognize? • Daemon - a structured background process • Data mining - looking for hidden data patterns • Digital wallet - encryption software, user ID • Extranet - authorized outsider-available intranet • Luhn formula - credit card verifying algorithm • Smart card - personal electronic memory card
e-Commerce Risk • How many do you recognize? • Daemon - a structured background process • Data mining - looking for hidden data patterns • Digital wallet - encryption software, user ID • Extranet - authorized outsider-available intranet • Luhn formula - credit card verifying algorithm • Smart card - personal electronic memory card • Thin client - network computer w/o hard drive
e-Commerce Risk • Ingram Micro Inc. vs. American Guarantee & Liability Insurance Company • “The court finds that ‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry, but includes loss of access, loss of use and loss of functionality.”
e-Commerce Risk • Ingram Micro Inc. vs. American Guarantee & Liability Insurance Company • “Restricting the policy’s language to that proposed by American [i.e.that contained in the policy] would be archaic.”
e-Commerce Risk • TD Waterhouse fined $225,000 for repeated outages which left customers unable to trade • 11 online brokers reported 88 outages for 1st 9 months 1999 (12th firm reported so many outages it didn’t keep track).
e-Commerce Risk • Collect Available Data • Exposure base not well-defined • Economic costs of losses not disclosed • Industry is young and evolving • Threat base is also evolving
e-Commerce Risk • Collect Available Data • Remember, “Lloyd’s List” was started in 1696 but it wasn’t until 75 years later that the Society of Lloyd’s was formed
e-Commerce Risk • Develop Model • Identify major processes • Identify major threats • Relate threats to processes • Determine (or guess at) parameters
e-Commerce Risk • Example - Distributed Denial of Service (DDoS)
e-Commerce Risk • “Attack of the Zombies” - February,2000 • Monday, February 7 • Yahoo! portal rendered inaccessible for 3 hours • Tuesday, February 8 • Buy.com 90% inaccessible • eBay incapacitated • CNN 95% inaccessible • Amazon.com slowed to 5 minute access time • Wednesday, February 9 • ZDNet.com unreachable • E*Trade slowed “to a crawl” • Excite 60% inaccessible