
e-Commerce Risk

A Case Study

CAS 2000 Annual Meeting

David Fishbaum

Enterprise Risk 1
The Problem
You’re the risk manager of a financial institution
with a new web site
Your insurance broker has provided you a quote
for new e-commerce risk insurance coverage:
$350,000 - $450,000 with low limits
You're not exactly sure what the risks of the web
site are
What to do?

Background

The financial institution provides community
banks with a product portfolio of ancillary
products such as:
investments (mutual funds and stock trading)
insurance
other banking services
You provide web sites for these community
banks for investments, insurance and lending

What are the risks?

Failure of the web site


problems with the surroundings, power failure, fire or
flooding
failure of the hardware
failure of the software
attack through virus or computer hacker

Resultant damages are
also varied

Delay in performing a service


Loss of brand value due to unreliability of
service or transmission of computer virus
loss of value through failure to deliver
for example, an uncompleted stock trade

Background: E-commerce
insurance coverage

There is an intensive application


the problem is that you can’t figure out how complex
or risky a web site you are running
A system audit is part of the insurance coverage
there is a bias to find fault

How do you insure the high
P/E ratio

It's 1999 and the price/earnings ratio of the e-commerce
function seems to have broken down
The unspoken issue is how do you insure the
value lost if something happens to the web site?
Not sure this is an issue today

Why bring in Actuaries?

Looking for someone to quantify the risk


We brought a multidisciplinary team of
actuaries, economists and policy experts
The actuaries provided the quantification and
modeling skill sets

Methodology

Model the web site


Stochastic testing
Scenario testing

Model
MMC ER developed a computer program to
model the economic performance of the
e-commerce infrastructure
Used company’s performance statistics
Used a Monte Carlo simulation to produce
expected revenue and branding values
Based on this quantification, valued the
potential losses of a series of scenarios

Flow of Information and quantification of failure probabilities

ISP Provider

Application Server/Firewall/Proxy Layer

In our estimation of the probability of failure at the application host level, elements such as software outage, hardware outage,
database performance, etc. were considered.

Assumptions

Visits per week


Usage over the week
Revenue
Customer value
Application acceptance
Downtime

Results-Base Case
2000 2001 2002

# of participating banks

Internet applications

Application fees
Insurance underwriting

TOTAL

New loans to banks


Present value of income on
new loans

The Scenarios

Denial of service
Physical damage to hardware location
New virus brings down complete system
Malicious employee
Threats/extortion
Theft of credit card numbers

The Scenarios
Denial of service
Attack causes a degradation of performance or
loss of service to web site
Not covered under current coverage
Modeling assumption: site down for 3 hours
Income loss/Customer value loss

The Scenarios
Physical damage to hardware location
Location of where hardware is kept is disabled
Covered under current insurance
Modeling assumption: site down for 10 days
Income loss/Customer value loss
Client bank’s lost revenue

The Scenarios
New virus brings down complete system
Not covered under current coverage
Model assumption: system down for 2 days
Income loss/Customer loss

The Scenarios
Malicious Employee
Destruction of important data or programs
Cost of recovery process covered under current
coverage
Not modeled
Theft of policyholder info or other intangible
property
Not covered under current coverage

The Scenarios
Threats/extortion
Threat to commit a computer crime or to use
information gained from a computer crime in
exchange for money, personal gain or to
embarrass the company
Would be covered under current kidnap and
ransom policies

The Scenarios
Theft of credit card numbers
CD Universe and Salesgate (e-mall)
No credit card numbers are stored
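
An added illustration (not MMC ER's program and not code from the presentation) of the approach the Model and Scenarios slides describe: a Monte Carlo simulation that values income loss and customer value loss for the three modeled downtime assumptions (3 hours, 2 days, 10 days). The traffic, revenue, customer-value and churn figures are constructed assumptions; the deck names these input categories but gives no values.

```python
import random
import statistics

# Constructed inputs (assumptions; the deck lists the categories, not the values).
VISITS_PER_WEEK = 20_000
REVENUE_PER_VISIT = 1.50    # income per visit, USD
CUSTOMER_VALUE = 400.0      # value of one retained customer, USD
CHURN_PROB = 0.002          # chance a visitor hit by the outage is lost for good

# Downtime per scenario, in hours, taken from the scenario slides.
SCENARIOS = {"denial_of_service": 3, "new_virus": 48, "physical_damage": 240}

def hour_weight(h):
    """Usage over the week: relative traffic for hour h (0 = Monday 00:00)."""
    day, hour = divmod(h % 168, 24)
    busy = 3.0 if 8 <= hour < 18 else 1.0      # business hours carry more traffic
    return busy * (1.0 if day < 5 else 0.4)    # weekends are quieter

TOTAL_WEIGHT = sum(hour_weight(h) for h in range(168))

def simulate_loss(hours_down, rng):
    """One trial: the outage starts at a random hour of the week."""
    start = rng.randrange(168)
    # Share of a week's traffic that falls inside the outage window
    # (exceeds 1.0 when the outage lasts longer than a week).
    share = sum(hour_weight(start + i) for i in range(hours_down)) / TOTAL_WEIGHT
    weekly = max(rng.gauss(VISITS_PER_WEEK, 0.1 * VISITS_PER_WEEK), 0.0)
    lost_visits = weekly * share
    income_loss = lost_visits * REVENUE_PER_VISIT
    customer_value_loss = lost_visits * CHURN_PROB * CUSTOMER_VALUE
    return income_loss + customer_value_loss

def run(hours_down, trials=5000, seed=1):
    """Mean and 95th-percentile loss over many trials (seeded for repeatability)."""
    rng = random.Random(seed)
    losses = sorted(simulate_loss(hours_down, rng) for _ in range(trials))
    return {"mean": statistics.fmean(losses), "p95": losses[int(0.95 * trials)]}

def summary(trials=5000, seed=1):
    return {name: run(hours, trials, seed) for name, hours in SCENARIOS.items()}

if __name__ == "__main__":
    for name, r in summary().items():
        print(f"{name:18s} mean ${r['mean']:>9,.0f}   95th pct ${r['p95']:>9,.0f}")
```

The 95th-percentile figure for the 3-hour case sits well above its mean because a short outage costs far more when it lands in weekday business hours; that spread is what a stochastic run adds over a single-point scenario estimate.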

Results of analysis

Biggest risk is business interruption

Third party loss is minimal at this time,
though in time the Internet will affect its
client relationship

Conclusions

Better quantification of risks


Better able to make a purchase decision
Other risk management decisions
What isn’t at risk is also important

Postscript

The Website is still in operation


Strategy has been proven successful

Causes for stock drops -
MMC Research

Investigated risk factors behind the 100 largest
one-month drops in shareholder value amongst
Fortune 1000 companies between 1993-98
Found top 100 stock drops
Identified triggering event
Determined causes of triggering event
Categorized primary cause
Analyzed results and implications

Causes for stock drops -
Fortune 1000 group
[Bar chart: Risk Event Precipitating Stock Drop (# of Companies), % of top 100. Risk events shown: Customer Demand Shortfall, Competitive Pressure, M&A Integration Problems, Misaligned Products, Customer Pricing Pressure, Loss of Key Customer, Regulatory Problems, R&D Delays, Supplier Problems, Cost Overruns, Accounting Irregularities, Management Ineffectiveness, Supply Chain Issues, Foreign Macro-Economic Issues, High Input Commodity Price, Interest Rate Fluctuation, Lawsuits, Natural Disasters]

Strategic 58%, Operational 31%, Financial 6%, Hazard 0%
