1. 1 e-Commerce Risk A Case Study CAS 2000 Annual Meeting David Fishbaum Enterprise Risk

2. 2 The Problem zYou’re the risk manager of a financial institution with a new web site zYour insurance broker has provided you a quote for new e-commerce risk insurance coverage: $350,000 - $450,000 with low limits zYour not exactly sure what the risks of the web site are zWhat to do? Enterprise Risk

3. 3 Background zThe financial institution provides community banks with a product portfolio of ancillary products such as: yinvestments (mutual funds and stock trading) yinsurance yother banking services zYou provide web sites for these community banks for investments, insurance and lending Enterprise Risk

4. 4 What are the risks? zFailure of the web site yproblems with the surroundings, power failure, fire or flooding yfailure of the hardware yfailure of the software yattack through virus or computer hacker Enterprise Risk

5. 5 Resultant damages are also varied zDelay in performing a service zLoss of brand value due to unreliability of service or transmission of computer virus zloss of value through failure to deliver yfor example, an uncompleted stock trade Enterprise Risk

6. 6 Background: E-commerce insurance coverage zThere is an intensive application ythe problem is that you can’t figure out how complex or risky a web site you are running zA system audit is part of the insurance coverage ythere is a bias to find fault Enterprise Risk

7. 7 How do you insure the high P/E ratio zIts 1999 and the price/earnings ratio of the e- commerce function seems to have broken down zThe unspoken issue is how do you insure the value lost if something happens to the web site? zNot sure this is an issue today Enterprise Risk

8. 8 Why bring in Actuaries? zLooking for someone to quantify the risk zWe brought a multidisciplinary team of actuaries, economists and policy expert zThe actuaries provided the quantification and modeling skill sets Enterprise Risk

9. 9 Methodology zModel the web site zStochastic testing zScenario testing Enterprise Risk

10. 10 Model zMMC ER developed a computer program to model the economic performance of the e- commerce infrastructure zUsed company’s performance statistics zUsed a monte carlo simulation to produce expected revenue and branding values zBased on this quantification, valued the potential losses of a series of scenarios Enterprise Risk

11. 11 Application Server/Firewall/Proxy Layer ISP Provider In our estimation of the probability of failure at the application host level, elements such as software outage, hardware outage, data base performance etc were considered. Flow of Information and quantification of failure probabilities

12. 12 Assumptions zVisits per week zUsage over the week zRevenue zCustomer value zApplication acceptance zDowntime Enterprise Risk

13. 13 Results-Base Case Enterprise Risk

14. 14 The Scenarios zDenial of service zPhysical damage to hardware location zNew virus brings down complete system zMalicious employee zThreats/extortion zTheft of credit card numbers Enterprise Risk

15. 15 The Scenarios zAttack causes a degradation of performance or loss of service to web site zNot covered under current coverage zModeling assumption: site down for 3 hours zIncome loss/Customer value loss Denial of service Enterprise Risk

16. 16 The Scenarios zLocation of where hardware is kept is disabled zCovered under current insurance zModeling assumption: site down for 10 days zIncome loss/Customer value loss zClient bank’s lost revenue Physical damage to hardware location Enterprise Risk

17. 17 The Scenarios zNot covered under current coverage zModel assumption: system down for 2 days zIncome loss/Customer loss New virus brings down complete system Enterprise Risk

18. 18 The Scenarios zDestruction of important data or programs zCost of recovery process covered under current coverage zNot modeled zTheft of policyholder info or other intangible property zNot covered under current coverage Malicious Employee Enterprise Risk

19. 19 The Scenarios zThreat to commit a computer crime or to use information gained from a computer crime in exchange for money, personal gain or to embarrass the company zWould be covered under current kidnap and ransom policies Threats/extortion Enterprise Risk

20. 20 The Scenarios zCD universe and Salesgate (e-mall) zNo credit card numbers are stored Theft of credit card numbers Enterprise Risk

21. 21 Results of analysis zBiggest risk business interruption zThird party loss is minimal at this time though in time the Internet will affect its client relationship Enterprise Risk

22. 22 Conclusions zBetter quantification of risks zBetter able to make a purchase decision zOther risk management decisions zWhat isn’t at risk is also important Enterprise Risk

23. 22 Postscript zThe Website is still in operation zStrategy has been proven successful Enterprise Risk

24. 23 Causes for stock drops - MMC Research zInvestigated risk factors behind the 100 largest one month drops in shareholder value amongst Fortune 1000 companies between 1993-98 zFound top 100 stock drops zIdentified triggering event zDetermined causes of triggering event zCategorized primary cause zAnalyzed results and implications Enterprise Risk

25. 24 Causes for stock drops - Fortune 1000 group % of top 100 Enterprise Risk Cost Overruns Accounting irregularities Manage- ment ineffective- ness Supply Chain Issues Competitive Pressure M&A Integration Problems Mis- aligned Products Customer Pricing Pressure Loss of Key Customer Supplier Problems R&D Delays Customer Demand Shortfall Regulatory Problems StrategicOperationalFinancialHazard Foreign Macro- Economic Issues Interest Rate Fluct- uation High Input Comm- odity Price Law- suits Natural Disasters 58%31%6%0% Risk Event Precipitating Stock Drop (# of Companies)