A Report on the Future of Finance, Future of Risk, and Future of Quant: Risk, Uncertainty, and, Profit for the Cyber Era: Model Risk Management of Cyber Insurance Models using Quantitative Finance and Advanced Analytics
184 Pages. Posted: 23 Jan 2015. Last revised: 31 Dec 2021
Date Written: January 19, 2015
Abstract
Background: This body of work represents the first thesis to advance Finance Quantitative Methods, Quantitative Finance and Fintech Modeling R&D to the AI-ML-Quant-Cyber-Crypto-Quantum-Risk-Computing Era. The Current Post-Doctoral Research Thesis On Finance, Quant, and Risk Modeling beyond the Global Financial Crisis is based upon synthesizing post-crisis Quantitative Finance, Computer Science, Network & Computer Security Engineering R&D. It proposes pioneering Crypto-era Cyber-Finance-Trust Engineering frameworks advancing upon the first Digital Transformation Social Networks Quant Modeling PhD thesis that pioneered post-WWW Digital Quant-IT-Finance-Controls-Risks, Decentralized Control Models, and, Digital-Social Knowledge-Assets R&D.
Preface
Coming from an Engineering background as a Chartered Engineer, I led global Banking & Finance modeling and development projects for the largest US and worldwide banks. I also led modeling and implementation projects for the Big-3 IT firm on which hundreds of global Banking & Finance firms relied as a key global financial systems provider. Then, I earned a quantitative PhD with 2xPhD Credits from a Top-10 PhD Program and subsequently taught as Associate Professor and Assistant Professor of Quantitative Methods at Syracuse University with a research focus on quantitative risk modeling. Just before the Global Financial Crisis, my research was surfacing critical questions about the model risk inherent in Financial Engineering models. For instance, I made reference to it in an interview by a UK-based global management research publisher in 2005.
Those questions were about the compatibility of deterministic and stochastic models of natural sciences with the increasingly non-deterministic, i.e., uncertain, sociotechnical post-WWW digitally social networked world. Those questions were also about the capacity of deterministic and stochastic Financial Engineering risk models to cope with increasing uncertainty characterizing a rapidly and dynamically changing digital world. Those questions led me to post-doctoral research in Quantitative Finance leading to working for top Wall Street investment banks such as JP Morgan Private Bank in midtown Manhattan. My technical and applied hands-on leadership guiding JP Morgan top executives and MDs focused on advancing their advanced Quantitative Finance risk modeling and analytics. I focused on guiding their financial risk modeling beyond quantitative models that had become targets of criticism given association with large-scale financial failures over the span of the Global Financial Crisis.
After concluding those Quantitative Finance projects, I continued to further advance related post-doc research in Computational Finance and Cybersecurity. While conducting research on rapidly increasing Cyber risk in Banking and Finance domains with emergency warnings coming from the White House, US Treasury, Department of Homeland Security, and Office of Comptroller of Currency, this thesis was born. It was born out of the observation about the specific risk models blamed for the Global Financial Crisis which nearly drove US investment banks to extinction. The same models were now becoming the predominant models of choice by commercial providers for cyber risk and cyber insurance related modeling for estimation of potential cyber risk related financial loss….
Abstract
Quantitative modeling of cyber risk for cyber insurance modeling is at a nascent stage characterized by sparse empirical research and reliable data. Our current investigation reveals that VaR, short for Value-at-Risk (Jorion, 2006), is the current predominant model of choice for cyber insurance modeling. Model risk related to VaR was a key factor in the Global Financial Crisis given its known limitations in modeling tail risks and systemic risks (Haldane & Nelson, 2012; Malhotra, 2012, 2014). As a result, the US Federal Reserve and OCC issued model risk compliance guidance for US financial institutions (US Fed & OCC, 2011). The Basel Committee of worldwide central bank supervisors stopped relying on VaR for risk modeling (BCBS, 2013). Given the history of model risks associated with VaR, we investigate if current reliance of cyber insurance modeling on VaR entails model risk. We develop qualitative frameworks to benchmark relative levels of tail risks and systemic risks associated with cyber risk vis-à-vis financial risks typically modeled with VaR. Our analysis reveals that cyber risk entails exponentially higher tail risks and systemic risks, thus making VaR unfit for reliance as the primary risk model for cyber insurance modeling. We develop specific frameworks of model risk management (Derman, 1996; Morini, 2011) for cyber insurance modeling and demonstrate their empirical application in model risk management. We distinguish model risks arising from the choice of specific quantitative models from those arising from the choice of quantitative methodologies. We demonstrate how to manage model risks associated with VaR by using it with multiple simple and advanced models to cross-check its reliability. We also offer alternative coherent risk measures as better alternatives to VaR and empirically demonstrate their application. To enable further minimization of model risk in cyber insurance modeling we do three more things.
First, we analyze the Bayesian quantitative statistical inference methodology as a possible alternative to frequentist classical inference methodology that VaR and advanced models typically rely upon. Second, we analyze the Markov Chain Monte Carlo models and related Gibbs Sampling and Metropolis-Hastings statistical computing algorithms to enable the use of Bayesian methodology. Finally, given increasing uncertainty in cyber risk modeling and management, we develop a framework for enabling Knightian uncertainty management (Knight, 1921) relating it to model risk management.
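The abstract's point that VaR understates tail and systemic risk while a coherent measure such as Expected Shortfall does not can be checked on a small discrete case. The following Python is an added illustration, not code or data from the thesis; the 0.04 breach probability, the loss of 100 units, and all function names are constructed assumptions.

```python
from itertools import product

ALPHA = 0.95
# Constructed input (not from the thesis): one cyber policy that pays a
# loss of 100 units with probability 0.04 and nothing otherwise.
POLICY = [(0.96, 0.0), (0.04, 100.0)]

def var(dist, alpha=ALPHA):
    """Value-at-Risk: smallest loss l such that P(L <= l) >= alpha."""
    cum = 0.0
    for p, loss in sorted(dist, key=lambda pl: pl[1]):
        cum += p
        if cum >= alpha - 1e-12:
            return loss
    return max(loss for _, loss in dist)

def expected_shortfall(dist, alpha=ALPHA):
    """Mean loss over the worst (1 - alpha) probability mass."""
    tail, v = 1.0 - alpha, var(dist, alpha)
    beyond = [(p, loss) for p, loss in dist if loss > v]
    p_beyond = sum(p for p, _ in beyond)
    # Mass between the VaR quantile and the strict tail is charged at v.
    return (sum(p * loss for p, loss in beyond) + v * (tail - p_beyond)) / tail

def independent_sum(a, b):
    """Loss distribution of two policies whose breaches are independent."""
    out = {}
    for (pa, la), (pb, lb) in product(a, b):
        out[la + lb] = out.get(la + lb, 0.0) + pa * pb
    return [(p, loss) for loss, p in out.items()]

def common_mode_sum(a):
    """Two identical policies hit by the same event (fully correlated)."""
    return [(p, 2 * loss) for p, loss in a]

def compare():
    books = {"single": POLICY,
             "independent pair": independent_sum(POLICY, POLICY),
             "common-mode pair": common_mode_sum(POLICY)}
    return {name: (var(d), expected_shortfall(d)) for name, d in books.items()}

if __name__ == "__main__":
    for name, (v, es) in compare().items():
        print(f"{name:17s} VaR95={v:6.1f}  ES95={es:6.1f}")
```

Each policy alone has a 95% VaR of 0, yet the independent pair has a VaR of 100, so VaR is not subadditive here. The common-mode pair, which can lose 200 with probability 0.04, still reports a VaR of 0, while its Expected Shortfall is 160.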
Contributions
To avert the impending national Cyber risk and Cyber-insurance disaster based upon large-scale commercial reliance upon quantitative models with inherent model risks, tail risks, and systemic risks in current form, this dissertation makes the following key contributions.
▪ First, we develop the first known Cyber-Finance-Trust framework for Cyber insurance modeling to analyze how finance risk entangled with Cyber risk further exacerbates the systemic, interdependent, and correlated character of Cyber risks.
▪ Second, we develop the first known model risk management framework for Cyber insurance modeling as model risk management has received sparse attention in Cyber risk assessment and Cyber insurance modeling.
▪ Third, our review of quantitative models in Cyber risk and Cyber insurance modeling develops the first known analysis establishing significant and extreme model risks, tail risks, and systemic risks related to predominant models in use.
▪ Fourth, we develop an empirical study of VaR and Bayesian statistical inference methodologies with specific guidance for containing model risks by applying multiple simple and advanced models for cross-checking the reliability of VaR.
▪ Fifth, we develop an analysis of the Markov Chain Monte Carlo Models, Gibbs Sampling and Metropolis-Hastings statistical computing algorithms for enabling Bayesian statistical inference methodologies to minimize model risk in Cyber risk and Cyber insurance risk modeling for the specific context of cybersecurity.
▪ Sixth, we develop the first known portfolio theory based framework for Cyber insurance modeling with guidance to minimize model risks, tail risks, and systemic risks inherent in models in commercial Cyber insurance modeling.
▪ Finally, given the increasing role of uncertainty in cyber (and financial) risk modeling and management, we develop a framework for enabling Knightian uncertainty management relating it to model risk management.
Understanding of the developed frameworks and technical models listed above should minimize model risk in the recommended applications based on above contributions.
Updated, revised, summary version of the thesis invited for submission by NAIC as:
National Association of Insurance Commissioners (NAIC) Expert Paper: The National Association of Insurance Commissioners (NAIC) is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories.
Malhotra, Yogesh, Advancing Cyber Risk Insurance Underwriting Model Risk Management beyond VaR to Pre-Empt and Prevent the Forthcoming Global Cyber Insurance Crisis (June 24, 2017). Available at SSRN: https://ssrn.com/abstract=3081492. Expert Paper prepared and submitted on the request of the National Association of Insurance Commissioners on June 24, 2017.
Keywords: Quantitative Analytics, Quantitative Finance, Model Risk Management, Cyber Risk Modeling, Cyber Insurance, Trust, VaR, Value at Risk, Expected Shortfall, ETL, CVaR, Cornish-Fisher, EVT, Bayesian Inference, Markov Chain Monte Carlo, Gibbs Sampling, Metropolis-Hastings Algorithm, Knightian Uncertainty
JEL Classification: D8, D81, D82, D89, G2, G20, G22, F3, F30, F4, F40, P4, P40, C00, C1, C10, C11, C4, C40, C5, C50, C51