Written by Robert Vescio, SSIC Chief Analytics Officer & X-Analytics Inventor
“Until someone is prepared to lay out the systemic problem, we will simply go through cycles of finding corruption, finding a scapegoat, eliminating the scapegoat, and relaxing until we find the next scandal.” – Newt Gingrich
Systemic cyber risk. “What is it?” and “What can we do about it?”
The answer to both questions is not as complicated as you may think.
Following the traditional economic definition of systemic risk, Systemic Cyber Risk is the breakdown of all or a substantial portion of an internet-based or otherwise connected macro ecosystem. Note that this is more than the failure of an individual server, application, or network. To put it another way, systemic cyber risk is the exposure triggered when one cyber incident or a series of cyber incidents causes widespread impact.
In general, catastrophic systemic cyber losses are unlikely, but systemic cyber risks are certainly plausible, and recent incidents demonstrate both susceptibility and plausibility. The range of plausible events includes environmental events (such as a solar flare that produces massive electromagnetic interference), a sophisticated cyber-attack (such as a state-sponsored attack that aims to disrupt a massive chunk of internet-based services), human error (such as a faulty code release that accidentally alters the functionality of critical core Internet infrastructure), and/or a malicious insider or privileged-misuse incident (such as using an Internet “kill switch” to violate civil rights or suppress political opponents). The impact of any of these plausible events would be severe in economic and social terms.
Addressing systemic cyber risk is important, and fortunately there are reasonable strategies that can be employed. Classically, there are four risk treatment options for any risk: avoid, accept, mitigate, and transfer. “Mitigate” – the detailed approach to addressing the technological vulnerabilities – and “Transfer” – the use of cyber insurance to limit the financial exposure to cyber risks – tend to get the most airtime. They are actionable and measurable but are not foolproof: there are recent events where errors in core networking equipment have disabled entire market segments, and because of limits, sub-limits, and retention, cyber insurance is not intended to reimburse every business’s financial impact from a cyber event, nor to provide the resilience to recover operations.
A treatment option that is often overlooked is “Avoid” – which, in this context, introduces the notion of “Diversity”. Diversity is a countermeasure used across the ages – to paraphrase, “don’t put all of your eggs in one basket.” As an example, a solar flare may only affect the northwestern part of North America, which means that its electromagnetic interference will not directly impact internet-based assets outside of that zone. Diversity is the best way to increase scope and limit systemic cyber risk.
Business leaders can diversify where it matters most, and can diversify essential business units and essential operations. For one business, this may mean diversifying internet service providers; for another, it may mean diversifying SCADA equipment from one manufacturing plant to the next. As with all risk management decisions, business leaders can lean on applied economics to inform such decisions. Foundational to this analysis is having a clear financial understanding of the various cyber risks to the business. By understanding cyber risk in financial detail, business leaders will have the ability to determine:
which business units contain the most economic exposure to cyber risk,
which loss categories (data breach, business interruption, intellectual property and electronic funds theft, or ransomware) carry the most expected loss and catastrophic impact,
which vendors or partners within the supply chain ecosystem encompass the most financial exposure, and
which threat categories and asset groups require the most attention.
With the above knowledge, business leaders can prioritize diversification based on expected loss benefit. Further, business leaders could apply the actual cost of diversification – in comparison with the expected loss benefit – to prioritize diversification based on return on investment.
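To make the prioritization concrete, here is an added worked example (not part of the original article, and not X-Analytics code) that models a handful of diversification options with constructed figures. For each option it carries an annual probability of a disruptive event, the financial impact if it occurs, the fraction of that impact the measure would avoid, and the measure's annualised cost; from those it derives expected loss, the expected-loss benefit of diversifying, and return on investment, then sums exposure by business unit and loss category and ranks options by benefit, by ROI, and within a budget. All unit names, categories, probabilities and dollar amounts are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DiversificationOption:
    """One candidate diversification measure with constructed risk figures."""
    unit: str            # business unit or essential operation (assumed name)
    loss_category: str   # loss category the exposure falls into
    p_event: float       # annual probability of the disruptive event
    loss: float          # financial impact if the event occurs
    loss_avoided: float  # fraction of that impact the measure avoids (0..1)
    cost: float          # annualised cost of the diversification measure

    def expected_loss(self) -> float:
        """Annual expected loss of the operation as it stands today."""
        return self.p_event * self.loss

    def expected_loss_benefit(self) -> float:
        """Reduction in annual expected loss that the measure buys."""
        return self.expected_loss() * self.loss_avoided

    def roi(self) -> float:
        """Return on investment: net benefit per unit of cost spent."""
        return (self.expected_loss_benefit() - self.cost) / self.cost


# Constructed sample portfolio; names and numbers are illustrative, not real data.
OPTIONS = [
    # second-source the SCADA equipment at one plant
    DiversificationOption("Plant A", "business interruption", 0.02, 5_000_000, 0.8, 60_000),
    # add a second internet service provider for the online sales channel
    DiversificationOption("Online sales", "business interruption", 0.05, 2_000_000, 0.9, 20_000),
    # stand up a geographically separate failover site for headquarters
    DiversificationOption("Headquarters", "business interruption", 0.01, 20_000_000, 0.5, 250_000),
    # qualify an alternate supplier for a critical component
    DiversificationOption("Procurement", "supply chain", 0.03, 3_000_000, 0.6, 30_000),
]


def exposure_by(options, attr):
    """Total annual expected loss grouped by an attribute ('unit' or 'loss_category'),
    largest first: answers 'which units / categories carry the most exposure'."""
    totals = defaultdict(float)
    for o in options:
        totals[getattr(o, attr)] += o.expected_loss()
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def rank_by_benefit(options):
    """Options ordered by the expected-loss reduction they deliver."""
    return sorted(options, key=lambda o: o.expected_loss_benefit(), reverse=True)


def rank_by_roi(options):
    """Options ordered by return on the diversification spend."""
    return sorted(options, key=lambda o: o.roi(), reverse=True)


def affordable(options, budget):
    """Greedy plan: take positive-ROI measures in ROI order while they fit the budget."""
    chosen, spent = [], 0.0
    for o in rank_by_roi(options):
        if o.roi() > 0 and spent + o.cost <= budget:
            chosen.append(o)
            spent += o.cost
    return chosen


if __name__ == "__main__":
    print("Exposure by unit:", exposure_by(OPTIONS, "unit"))
    print("Exposure by loss category:", exposure_by(OPTIONS, "loss_category"))
    for o in rank_by_roi(OPTIONS):
        print(f"{o.unit:13s} benefit={o.expected_loss_benefit():>10,.0f} "
              f"cost={o.cost:>9,.0f} ROI={o.roi():+.2f}")
    print("Within a 100k budget:", [o.unit for o in affordable(OPTIONS, 100_000)])
```

The two rankings disagree on purpose: the headquarters failover delivers the largest expected-loss benefit but has negative ROI at the assumed cost, while the second ISP is cheap and pays back several times over. Ranking by benefit answers "where is the exposure", ranking by ROI answers "where does a diversification dollar go furthest", and a real assessment would replace the constructed inputs with the business's own financial cyber risk figures.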
It is important to stress that true systemic cyber risk is unlikely, but that such an incident would produce unequal results amongst the affected businesses. Systemic cyber risk will most likely be about business interruption on a massive scale, not data breach or theft of intellectual property. There is always a chance that systemic cyber risk could also include large-scale market, political, or social manipulation – which could have equally catastrophic implications (e.g., civil unrest, military actions, etc.). In addition to mitigation and transfer, diversification – in vendor technologies, suppliers, partners, geographical operations, etc. – could be a significantly impactful countermeasure in addressing systemic cyber risk.