e-Commerce Risk
A Case Study
CAS 2000 Annual Meeting
David Fishbaum
Enterprise Risk 1
The Problem
You’re the risk manager of a financial institution
with a new web site
Your insurance broker has provided you a quote
for new e-commerce risk insurance coverage:
$350,000 - $450,000 with low limits
You're not exactly sure what the risks of the web
site are
What to do?
Background
The financial institution provides community
banks with a product portfolio of ancillary
products such as:
investments (mutual funds and stock trading)
insurance
other banking services
You provide web sites for these community
banks for investments, insurance and lending
What are the risks?
Failure of the web site
problems with the surroundings, power failure, fire or
flooding
failure of the hardware
failure of the software
attack through virus or computer hacker
Resultant damages are
also varied
Delay in performing a service
Loss of brand value due to unreliability of
service or transmission of computer virus
loss of value through failure to deliver
for example, an uncompleted stock trade
Background: E-commerce
insurance coverage
There is an intensive application
the problem is that you can’t figure out how complex
or risky a web site you are running
A system audit is part of the insurance coverage
there is a bias to find fault
How do you insure the high
P/E ratio
It's 1999 and the price/earnings ratio of the
e-commerce function seems to have broken down
The unspoken issue is how do you insure the
value lost if something happens to the web site?
Not sure this is an issue today
Why bring in Actuaries?
Looking for someone to quantify the risk
We brought a multidisciplinary team of
actuaries, economists and policy experts
The actuaries provided the quantification and
modeling skill sets
Methodology
Model the web site
Stochastic testing
Scenario testing
Model
MMC ER developed a computer program to
model the economic performance of the
e-commerce infrastructure
Used company’s performance statistics
Used a Monte Carlo simulation to produce
expected revenue and branding values
Based on this quantification, valued the
potential losses of a series of scenarios
Flow of Information and quantification of failure probabilities
ISP Provider
Application Server/Firewall/Proxy Layer
In our estimation of the probability of failure at the application host level, elements such as software outage, hardware outage,
database performance, etc. were considered.
Assumptions
Visits per week
Usage over the week
Revenue
Customer value
Application acceptance
Downtime
Results-Base Case
2000 2001 2002
# of participating banks
Internet applications
Application fees
Insurance underwriting
TOTAL
New loans to banks
Present value of income on
new loans
The Scenarios
Denial of service
Physical damage to hardware location
New virus brings down complete system
Malicious employee
Threats/extortion
Theft of credit card numbers
The Scenarios
Denial of service
Attack causes a degradation of performance or
loss of service to web site
Not covered under current coverage
Modeling assumption: site down for 3 hours
Income loss/Customer value loss
The Scenarios
Physical damage to hardware location
Location of where hardware is kept is disabled
Covered under current insurance
Modeling assumption: site down for 10 days
Income loss/Customer value loss
Client bank’s lost revenue
The Scenarios
New virus brings down complete system
Not covered under current coverage
Model assumption: system down for 2 days
Income loss/Customer loss
The Scenarios
Malicious Employee
Destruction of important data or programs
Cost of recovery process covered under current
coverage
Not modeled
Theft of policyholder info or other intangible
property
Not covered under current coverage
The Scenarios
Threats/extortion
Threat to commit a computer crime or to use
information gained from a computer crime in
exchange for money, personal gain or to
embarrass the company
Would be covered under current kidnap and
ransom policies
The Scenarios
Theft of credit card numbers
CD Universe and Salesgate (e-mall)
No credit card numbers are stored
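The Monte Carlo approach from the Model slide, applied to the three downtime assumptions on the scenario slides (3 hours, 2 days, 10 days). This is an added example, not MMC ER's program: every input value, the weekly usage shape and all function names are constructed placeholders standing in for the Assumptions slide's inputs.

```python
import random
import statistics

HOURS_PER_WEEK = 168
# Downtime assumptions from the scenario slides: 3 hours, 2 days, 10 days.
SCENARIO_HOURS = {"denial_of_service": 3, "new_virus": 48, "physical_damage": 240}

# Constructed placeholder inputs (NOT the case study's figures).
MEAN_VISITS_PER_WEEK = 20_000    # visits per week
VISITS_CV = 0.20                 # week-to-week variability of visits
ACCEPTANCE_RATE = 0.02           # visits that become accepted applications
FEE_PER_APPLICATION = 40.0       # revenue per accepted application
CHURN_PER_MISSED_VISIT = 0.01    # visitors lost for good after a failed visit
CUSTOMER_VALUE = 150.0           # future value of one lost customer


def usage_profile():
    """Share of weekly visits in each hour; weekday 09:00-17:00 weighted 3x."""
    weights = [3.0 if h // 24 < 5 and 9 <= h % 24 < 17 else 1.0
               for h in range(HOURS_PER_WEEK)]
    total = sum(weights)
    return [w / total for w in weights]


def simulate_loss(down_hours, rng, profile):
    """One trial: the outage starts at a random hour of a random-traffic week."""
    start = rng.randrange(HOURS_PER_WEEK)
    visits = max(rng.gauss(MEAN_VISITS_PER_WEEK,
                           VISITS_CV * MEAN_VISITS_PER_WEEK), 0.0)
    # Outages longer than a week wrap around the weekly profile.
    share = sum(profile[(start + h) % HOURS_PER_WEEK] for h in range(down_hours))
    missed = visits * share
    income_loss = missed * ACCEPTANCE_RATE * FEE_PER_APPLICATION
    customer_value_loss = missed * CHURN_PER_MISSED_VISIT * CUSTOMER_VALUE
    return income_loss + customer_value_loss


def run_scenarios(trials=5000, seed=2000):
    """Return {scenario: (mean loss, 95th-percentile loss)} over all trials."""
    rng, profile = random.Random(seed), usage_profile()
    results = {}
    for name, hours in SCENARIO_HOURS.items():
        losses = sorted(simulate_loss(hours, rng, profile) for _ in range(trials))
        results[name] = (statistics.fmean(losses), losses[int(0.95 * trials)])
    return results


if __name__ == "__main__":
    for name, (mean, p95) in run_scenarios().items():
        print(f"{name:18s} mean={mean:10.0f}  p95={p95:10.0f}")
```

The gap between mean and 95th-percentile loss for the 3-hour outage shows why usage over the week is a model input: the same outage costs about three times as much in the constructed peak hours as off-peak.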
Results of analysis
Biggest risk: business interruption
Third party loss is minimal at this time
though in time the Internet will affect its
client relationship
Conclusions
Better quantification of risks
Better able to make a purchase decision
Other risk management decisions
What isn’t at risk is also important
Postscript
The Website is still in operation
Strategy has been proven successful
Causes for stock drops -
MMC Research
Investigated risk factors behind the 100 largest
one month drops in shareholder value amongst
Fortune 1000 companies between 1993-98
Found top 100 stock drops
Identified triggering event
Determined causes of triggering event
Categorized primary cause
Analyzed results and implications
Causes for stock drops -
Fortune 1000 group
[Figure: bar chart, "Risk Event Precipitating Stock Drop (# of Companies)", scaled as % of top 100]
Risk events shown: Competitive Pressure, Customer Demand Shortfall, Misaligned Products, M&A Integration Problems, Loss of Key Customer, Customer Pricing Pressure, R&D Delays, Regulatory Problems, Cost Overruns, Supplier Problems, Accounting Irregularities, Management Ineffectiveness, Supply Chain Issues, Foreign Macro-Economic Issues, High Input Commodity Price, Interest Rate Fluctuation, Lawsuits, Natural Disasters
Share by category: Strategic 58%, Operational 31%, Financial 6%, Hazard 0%