Lessons for Cyber Risk Managers

This post is brought to you by Zurich South Africa. Zurich South Africa is a member of the global Zurich Insurance Group. It is a short-term insurance company listed on the Johannesburg Stock Exchange (“JSE”).

Prior to the financial crisis, risks were assessed by financial institutions individually. For example, a bank with significant exposure to certain risks – such as those associated with a large portfolio of sub-prime mortgages – might have had to set aside a reserve and perhaps expect to have a bad quarter or two if the underlying risk led to a meltdown. There was little assessment by either regulators or the market participants themselves of the complex interconnections among the financial risks of different institutions. The resulting shock started with those who made the riskiest decisions, but soon cascaded to everyone, even those who had invested wisely and conservatively.

Not only were the chances of a cascading catastrophe widely ignored, but many experts insisted at the time that the system was so well diversified that linkages between risks were impossible. The system’s very complexity, they argued, allowed risk to be spread to those most willing and able to bear it. But it was this complexity, magnified by the attendant lack of transparency and limited understanding, that contributed to the crash of 2008. A failure in one small corner of the U.S. mortgage market could thus lead to a global recession, the collapse of governments, a sovereign debt crisis requiring bailouts, and even fears for the future of the euro and the European Union.

Unfortunately, cybersecurity professionals often approach risks in a similar fashion, relying on a reductionist analysis of risks, while assuming that the risk posed to the system as a whole is merely the sum of all the point risks. They analyze cyber vulnerabilities looking at one technology, one organization or one nation at a time, paying little attention to how risk might emerge from the interaction of those organizations or technologies. Just as sound, internally-focused risk management failed to protect companies from the collapse of the financial system, strong internal computer security controls won’t shield even the best-protected companies from a ‘cyber sub-prime’ failure.

The similarities between the financial and cyber risk management methodologies go well beyond simple analogy.

In the financial crisis, banks, corporations, individuals and even nations became vulnerable because they were highly leveraged, taking on incredible financial debts. The same is true in cybersecurity, where modern economies and societies are perhaps even more heavily leveraged, but their leverage involves information technologies (IT), not borrowed dollars, yen or euros.

The number of man-made and natural disasters has tripled over the past 40 years, a trend not likely to diminish any time soon. Reports by the OECD and the World Economic Forum agree that global shocks will become more likely and more frequent, while the US National Intelligence Council believes the “risks of interstate conflict are increasing owing to changes in the international system.”

As summarized by PwC, “In short, improbable risks aren’t so improbable now; they’re becoming the norm in a more uncertain world.”

The internet will not be immune to these shocks and conflicts. As a highly connected and increasingly tightly coupled system, with extensive common-mode functions, and one on which societies and economies are so dependent, it is very likely to initiate or amplify disruptions. The result is cascading cyber disruptions, in which a series of local incidents (each perhaps unimportant on its own) is passed along through connections to cause more widespread shocks.

Companies are feeling the pressure to increase their IT leverage for the same reason that banks and other companies once increased their financial leverage: to keep pace with rivals that are all doing the same. IT leverage has just as much complexity, lack of transparency with regard to the risks, and lack of understanding of the underlying fundamentals as financial leverage. Few people truly understand their own computers or the internet, or the cloud to which they connect, just as few before the crisis truly understood the financial system as a whole or the parts to which they were most directly exposed.

Complex Systems, Unexpected Risks

In both the financial sector and cybersecurity, risks are passed along to others and become concentrated – possibly toxically – in places far removed from the companies or entities where they originated. Because the system has been remarkably resilient for several decades, the underlying expectation is that it will stay safe indefinitely, a belief that is often most pronounced among the professionals who are part of the system.

Worse, these risks get lost even to the system as a whole: the effects are so far removed from the source, and they are so complex and interconnected, that they are neither tracked nor easily modeled. Among those repackaging mortgage securities, these risks were obscured and concentrated when banks originated sub-prime mortgages and chopped the risk into securitized tranches that were sometimes re-combined. Ultimately no one fully foresaw where these risks would end up.

In cybersecurity a similar process occurs when companies outsource functions or information, allowing them to focus on core competencies, freeing them from the worries associated with managing servers, IT processes and security. All too often these companies know nothing of the information security or business continuity measures of the company to which they’ve outsourced. Worse, portions of the outsourced work often get further outsourced as each individual company focuses on its core competencies, and so on. Alternatively, a company might seek to mitigate risk by diversifying its outsourcing by, for example, working with four separate providers, only to find that in turn, they all rely on the same cloud service provider, on the same operating system, or on the same internet service providers.
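The hidden concentration described above can at least be made visible if you record what each provider, and each provider's provider, depends on, then follow those chains to the end. The following is an added example, not code from the Zurich report or from any vendor: a small dependency-graph check that takes a constructed, hypothetical map of outsourced providers and their upstream dependencies (the provider names, "cloud-a", "isp-1" and so on, are made up) and reports which upstream nodes every provider ultimately relies on, i.e. the common-mode dependencies that "diversifying" across four vendors does not remove.

```python
"""Common-mode dependency check for outsourced providers.

Added example, not from the original page. Provider and dependency
names are hypothetical; the graph is a constructed sample of the
situation in the text: four separate vendors that all, directly or
through their own suppliers, end up on the same cloud and the same OS.
"""
from collections import deque

# Constructed sample: each node maps to the things it directly relies on.
DEPENDENCIES = {
    "payroll-saas": {"cloud-a", "dns-x"},
    "crm-saas": {"cloud-a", "isp-1"},
    "backup-vendor": {"storage-b"},
    "ticketing-saas": {"cloud-c"},
    "storage-b": {"cloud-a"},          # the backup vendor's own supplier
    "cloud-c": {"cloud-a", "isp-1"},   # a "different" cloud that resells cloud-a
    "cloud-a": {"os-vendor"},
    "dns-x": set(),
    "isp-1": set(),
    "os-vendor": set(),
}


def transitive_deps(graph, node):
    """Every node reachable from `node` by following dependency edges."""
    seen, queue = set(), deque([node])
    while queue:
        cur = queue.popleft()
        for dep in graph.get(cur, ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def common_mode(graph, providers):
    """Upstream nodes that *every* listed provider ultimately depends on.

    These are the places where the apparently diversified risk is in
    fact concentrated; an outage there takes all the providers down.
    """
    closures = [transitive_deps(graph, p) for p in providers]
    return set.intersection(*closures) if closures else set()


def blast_radius(graph, providers, failed):
    """Which of `providers` are affected if `failed` goes down."""
    return sorted(p for p in providers
                  if failed == p or failed in transitive_deps(graph, p))


if __name__ == "__main__":
    direct = ["payroll-saas", "crm-saas", "backup-vendor", "ticketing-saas"]
    print("shared by all four providers:", sorted(common_mode(DEPENDENCIES, direct)))
    for node in ("cloud-a", "os-vendor", "isp-1", "dns-x"):
        print(f"if {node} fails ->", blast_radius(DEPENDENCIES, direct, node))
```

The useful output is not the intersection alone but the blast radius per upstream node: it turns "we use four vendors" into "three of our four vendors share one ISP and all four share one cloud and one OS vendor", which is the number a risk manager can actually reason about. In practice the graph is only as good as the dependency declarations you can extract from contracts, SOC 2 reports and vendor questionnaires; an unlisted supplier is simply an edge you cannot see.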

With so many unknowns, it will be difficult or impossible to adequately measure the resulting risk of this hyperconnectivity and where it might be concentrated in places such as large cloud service providers. As one expert involved in this project put it, “the internet is an enabler of unknowable things.”

The financial sector, at least, had developed theories and formulas to try to understand the interconnected risks, with models built and run by PhDs in finance, physics and mathematics. The banking industry is also highly regulated, with at least some system-wide, international governance and crisis management structures: the Basel Committee on Banking Supervision, the International Monetary Fund, the G8 and (later) the G20.

To learn more about what cyber risk managers can learn from the 2008 financial crisis, download Zurich Insurance Group's cyber risk report, 'Risk Nexus - Beyond data breaches: global interconnections of cyber risk'.