Report likens complex cyber risk to view of financial risk prior to 2008 crash

By Erin Ayers on April 18, 2014



Cyber risk managers could learn some lessons from the 2008 financial crisis on the fallout they could be facing and ways to prevent future “global shocks,” according to a new report from Zurich Insurance Group and The Atlantic Council.

Released this week, the report warns that cyber risk management is “essentially reductionist,” taking a fragmented, company-specific approach to safeguarding data. Society’s reliance on the Internet grows exponentially but control only grows linearly.

According to researchers, governments and businesses should be working together on a holistic solution to protect data and create a secure Internet for the future.

Zurich and the Atlantic Council nicknamed their research project “cyber sub-prime,” since they believed they saw evidence the growing cyber threats could be likened to the sub-prime mortgage market fiasco that propelled the financial crash.

They explained that a cyber attack could threaten societal safety in ways not yet experienced or measured. Internet failures have the ability to shut down banks, water systems, cars, medical devices, hydroelectric dams, transformers, and power stations.

Just this week, Connecticut regulators revealed that the state’s public utility system was hacked, but defended before any damage was done. The regulators cautioned Gov. Dannel P. Malloy that “nefarious” hackers are growing in sophistication and more must be done to prevent attacks. Connecticut released a plan for addressing cyber-security, based on a framework designed by the National Institute of Standards and Technology (NIST) in January.

It’s this type of public-private partnership the Zurich-Atlantic Council report feel is necessary to be truly prepared for vulnerabilities in the system.

“Problems in that segment spread far beyond the institutions that took the original risks, and proved severe enough to administer a shock that reverberated throughout the entire global economy. At first, the term ‘cyber sub-prime’ was just a quirky nickname, but it soon became a useful analogy, helping us to gain additional insights into cyber risks based on extended parallels with the financial sector,” commented Fred Kempe, president and CEO of the Atlantic Council, and Axel P. Lehmann, chief risk officer of the Zurich Insurance Group, in an introduction to the report.

Envision a scenario where a company stores all its data with a cloud service provider, and it has a “Lehman moment.” Friday afternoon, all is well, the data are safe. Midway through the weekend, hackers strike, and the information in the cloud …. Well, it dissipates. The issue may have been related to the cloud server, but it automatically spreads to any company doing business in that particular spot in cyberspace and possibly beyond.

“If that failure cascaded to a major logistics provider or company running critical infrastructure, it could magnify a catastrophic ripple running throughout the real economy in ways difficult to understand, model or predict beforehand,” stated Jason Healey, author of the report and director of the Cyber Statecraft Initiative of the Atlantic Council.

It’s that type of interconnectivity that the Healey warns could create a system-wide shock that results not only in the loss of passwords and financial information, but a major meltdown of infrastructure. Companies have come to expect that the service providers they work with can handle any little hiccups as they come, according to the report. Healey quoted Dan Geer, a computer security analyst, as saying, “As society becomes more technologic, even the mundane comes to depend on distant digital perfection.”

Any risk manager will tell you that merely assuming that something else is keeping their eye on the potential problem isn’t managing that risk. And any insurer would be happy to tell you about third-party liability. In today’s world, “distant digital” trouble can quickly be at your doorstep. The report warned of a “Cybergeddon” – a “future in which attackers − whether hackers, organized crime or national militaries − have an overwhelming, dominant and lasting advantage over defenders could be just one disruptive technology away.”

Zurich and Atlantic Council outlined several recommendations for change on cyber risk, including a G20-style commission of governments and technology firms to expand and improve Internet governance. The report suggested a system for determining those Internet providers and systems that should be considered “too big to fail” or systemically important. This tactic borrows from the experience of the global financial system and could provide a framework for stress-testing capabilities for responding to cyber attacks, according to Healey.

“Properly structured, this should not be a move towards added regulation, but better governance,” he added. He also firmly recommended cyber insurance for all companies dealing with data.

“With cyber insurance, companies can transfer cyber risks, especially third-party risks associated with data breaches or business interruption. As more companies become involved, offering more products, this option is becoming more available as a recommendation for all companies, not just ‘advanced’ ones,” said Healey.

The report indicated that society and cyberspace are unlikely to prevent all attacks that could be lurking in the coming years, but should focus instead on resilience and recovery.

“Organizations can no more ‘secure’ themselves against these risks than they can hope to forever stack sandbags to protect from a hurricane,” said Healey. “Too much risk will be external, complex, and interdependent. The main hope for companies therefore is resilience, the ability to bounce back from disruptions to make them as short and limited as possible.”'

Erin is an editor at Advisen. She has 15 years of journalism experience. Prior to Advisen, Erin covered property-casualty insurance for 13 years as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].