Understanding systemic cyber risk

For over a decade, the World Economic Forum’s Global Risks Report series has shed light on the increasing interconnectedness of our societies and the resulting evolution of the risks humans face.

The Global Risks Report 2016 recognizes that these risks are becoming increasingly tangible, and identifies the “resilience imperative” – an urgent need to find new avenues to withstand, mitigate, adapt to and build resilience against global risks, predominately through deeper collaboration among stakeholders.

To encourage this process, over the past two years the Global Agenda Council (GAC) on Risk & Resilience, with strong contribution with Zurich experts, embarked on developing a series of resilience use cases, which sought to:

1) deepen the understanding of the global risk environment;

2) identify potential steps that entities could take to increase their resilience; and

3) distil the attributes needed for successful collaboration, based on individual stakeholders’ capabilities, capacities and roles.

The GAC, of which Nick Wildgoose, Zurich’s Global Corporate Supply Chain Product Leader is a member, also  built this use case – Understanding Systemic Cyber Risk – which seeks to understand the nature and scope of emerging systemic cyber risk with examples from the following sectors:

• Financial services
• Transportation and
• Healthcare

The Global Risks Report 2016 finds that the risk of “large-scale cyberattacks” continues to be considered a high impact/high likelihood risk. Remarkably, however, the GRR 2016 also indicates that the evolving nature of cyber risk – from seemingly isolated attacks against specific companies (e.g. data breaches) to system-wide attacks with the potential for massive cascading effects (e.g. as recently occurred in the Ukraine energy sector) – is not yet fully understood as demonstrated by how experts perceive two risks closely related to “large-scale cyberattacks” (as identified and associated in the GRR 2016). Despite clear evidence of the growing internet connectivity of critical infrastructure services (including critical information infrastructure), the risk of “failure/shortfall of critical infrastructure” is perceived to be the sixth least likely risk with the second smallest potential impact, and the “breakdown of critical information infrastructure and networks” has continued to decrease in perceived impact over the last few years, and is considered among the least likely global risks to occur.

In fact, the GRR 2016 warns of the failure to understand risks related to technology as more organizations digitize their unique business value within increasingly connected environments that rely on machine learning and automated decision-making. Risks related to technology and cyberattacks might go unnoticed until it is too late, as organizations fail to account for their increasingly connected environments.

Today, every company is a software company. Some forward-looking companies recognize the digital transformation and actively seek to build capabilities to respond to the hyperconnected environment. For example, Goldman Sachs “has more engineers and programmers working on tech matters than Facebook”.  But today the vast majority of entities have yet to actually or fully recognize this transformation and as a result these enterprises can unknowingly assume tremendous risk. This risk may well exceed their individual capability for risk acceptance, mitigation or transference. Individually and collectively, this contributes to the likelihood of a systemic cyber event in one or more markets nationally and globally.

This use case goes beyond assessments of cybercrime and data breaches and begins to examine the emerging systemic nature of cyber risk that threatens to compromise, degrade or, in some instances, destroy key functions and capabilities. Two workshops were held to assess the nature of systemic cyber risk, and dozens of interviews and discussions were conducted with recognized global experts, owners, operators and senior private- and public-sector leaders. One finding was consistent – the meaning and implications of systemic cyber risk are not yet fully recognized or understood.

Read more of this paper to further understand some characteristics and engage in the discussion on the following areas:

Section 1 – Systemic cyber risk: provides a definition of “systemic cyber risk” to create a baseline for the discussion, and examines the environment operated in today.  There is also a discussion of how the changing environment and threat result in new and novel vulnerabilities with systemic cyber risk resulting in the potential for complex and cascading consequences.

Section 2 – Cyber Risk to systems:  examines cyber risk to systems, assets and networks in the financial services, transportation and healthcare sectors.

Section 3 – Analysis:  identifies areas where additional thinking and analysis are needed and suggests some entities and actors who may be best positioned to lead the needed multi-stakeholder efforts.

Through this use case, as with Resilience Insights, the intention of the Global Agenda Council on Risk & Resilience is to ignite an in-depth discussion about today’s risks and to point the way towards building and strengthening resilience to address them.