Systemic risk is a term that is casually used to express the potential magnitude of the cyber risk condition. In most cases, the term implies catastrophic significance. However, is that the right use of the term, and does systemic always equate to catastrophic?
Systemic risk (noun)
in financial terms, systemic risk denotes the risk of a cascading failure within a sector, caused by linkages within the sector, resulting in economic downturn.
in cyber risk terms, systemic risk is the breakdown of all or a substantial portion of the internet-based or otherwise interconnected IT and/or OT macro ecosystem.
in cyber economic terms, systemic risk is the exposure triggered when one cyber incident or a series of cyber incidents causes widespread financial damage.
Systemic Cyber Risk Is a Pressing Concern for Many
Systemic risk is a pressing concern for the U.S. government, insurance underwriters, the Insurance-Linked Securities (ILS) market, and individual businesses. All these groups are asking the same question:
“How will systemic cyber risk impact our function?”
The U.S. government is concerned about direct damage to the critical core infrastructure that could cause widespread downstream consequences.
Insurance underwriters are concerned that one cyber incident or a series of cyber incidents could cause a massive increase in claims and create an insolvency issue.
The ILS market is concerned that one cyber incident or a series of cyber incidents could force a payout on a catastrophic bond or other securitization instrument.
Individual businesses are concerned that one cyber incident or a series of cyber incidents within their dependency ecosystem (which includes suppliers, service providers, shared technology, common technology, and others) could cause direct damage to their business.
The possibility of systemic cyber risk is real. But how real is it, and does it replace other top priorities?
As a base reference, let’s consider that 65.6% of businesses will fail within 10 years. This would mean the daily probability of failure is 0.0180%. This is a concerning probability because it means the end of the business, but it does not prevent business leaders from starting businesses or from operating their business daily. Smart business leaders will use knowledge and tact to reduce this chance of failure.
How do the loss categories relate to systemic risk?
| Loss Category | Systemic Risk Damage | Possibility of being related to a systemic cyber incident |
|---|---|---|
| Cyber-Physical | Availability & Integrity; loss of operations, property damage, and human casualty. | Since cyber-physical includes incidents that cause property damage and human casualty, which could further lead to widespread disruption, a cyber-physical incident could translate into a systemic incident (even though this is somewhat improbable). Disruption damages will accumulate until incident resolution. This is the worst of all loss categories because it could include explosions, fires, floods, and other catastrophic damages. |
| Data Breach | Confidentiality; loss of data (such as personally identifiable information records). | Since data is generally segmented and since victim saturation is common with massive data breaches, a data breach incident will probably not translate into a systemic incident. Damages will be related to the volume of the breach and the total unique victim count. |
| Business Interruption | Availability; loss of revenue and ability to operate as expected. | Since business interruption incidents interfere with operations, which could cause further downstream damages (think of supply chain ecosystems), a business interruption incident could translate into a systemic incident. Damages will continue to accumulate until incident resolution. |
| Misappropriation | Confidentiality & Integrity; loss of intellectual property and electronic funds, and possible corruption altering the function of a system. | Since misappropriation incidents are generally isolated (think of fund transfer fraud or theft of intellectual property) and since backstop protections already exist in certain industries (like financial services), a misappropriation incident will probably not translate into a systemic incident. Damages will vary based on the type of fraud. |
| Ransomware | Availability & Confidentiality; loss of revenue and ability to operate as expected, plus potential loss of stolen data as a secondary component of the ransomware incident. | Since ransomware incidents interfere with operations, which could further interfere with downstream operations (again, think supply chain ecosystem), a ransomware incident could translate into a systemic incident. Damages will accumulate until incident resolution. |
Cyber-physical attacks targeting U.S. power plants and water dams are highly improbable, yet the damages are too great to ignore.
We estimated that an attack on a U.S. power plant or water dam that leads to catastrophic property damage and human casualty has around a 0.0001% probability per day, per state. This is an extremely low probability. A state-sponsored attack, which in this case would be a declaration of war against the U.S., could potentially increase this probability. This probability is subject to change based on motivation and inherent weaknesses within our critical core infrastructure. If such an incident occurs, business leaders within the impacted area have a much bigger problem than worrying about their own cyber risk.
Why is systemic cyber risk not going to be a data breach incident?
Even though there are data aggregation points, service providers segment the data within those aggregation points, which reduces the chance of broad exposure. But even if the data were fully exposed, there is a saturation point that prevents a data breach from being a systemic incident. As an example, if there were a massive data breach in Google Cloud that exposed information from thousands of businesses, there would be a point where the data begins to overlap, and costs no longer accumulate. Sure, people will be upset that an attacker compromised their data, but daily life will go on. A data breach is a nuisance and not a disruption incident that would lead to widespread financial damage.
Why is systemic cyber risk not going to be a misappropriation incident?
As with data breach, most misappropriation incidents are a nuisance and not a disruption incident. Sure, you could argue that there has been a massive theft of intellectual property over the years. However, this is not coming from a singular cyber incident nor from a series of connected cyber incidents. As businesses continue to move intellectual property into common cloud services, the probability of this type of incident is subject to change.
With theft of funds, attackers are using techniques that are isolated and limited in breadth. These incidents are a nuisance and not a disruption incident. Though, this could change in the future as more and more electronic transfers use common technologies with well-known weaknesses. The providers of such technology will need to continue enhancing anti-fraud capabilities to reduce the chance of a systemic cyber risk incident.
Misappropriation of service could potentially translate into a systemic cyber risk incident. However, the probability is low because backstop protections already exist in major sectors (like financial services). This type of incident would be disruptive if it were to occur. Backstop protections (such as cross-market circuit breakers in securities and futures exchanges) are necessary to reduce the probability of a systemic cyber risk incident.
A business interruption (including ransomware) incident is the most likely systemic cyber risk incident.
There are numerous business interruption varieties that could lead to a systemic cyber risk incident.
Here are a few examples. A power outage is the most probable variety, and this probability varies per U.S. state. A cloud outage (which could be related to human error) is the second most probable variety, and this probability varies per cloud provider.
Systemic cyber risk incidents related to business interruption are intriguing because they could be the result of malice, human error, or environmental conditions. Widespread damage is directly related to breadth and duration. Breadth determines the volume of entities impacted by the incident, and duration determines the accumulation of financial damage until full resolution. Each business interruption incident is unique because incidents are not equal in breadth or duration.
With power outages, malice, human error, or environmental conditions will most likely be the cause of the incident. The chance of power outage is different in each state. Businesses in Maine are more likely to experience a power outage than businesses in Arizona. Fortunately, the average power outage in Maine is around 93 minutes[5]. Most businesses can fully recover from such duration. For insurance underwriters and the ILS market, this type of incident is well within waiting periods and has no impact on their financial condition.
With cloud outages, malice and human error conditions will most likely be the cause of the incident. The chance of a cloud outage is different per cloud provider per region. Fortunately, the average cloud outage is around 14 hours. Most businesses will experience some damage from this incident. For insurance underwriters and the ILS market, this type of incident will trigger claims for some policy holders that have a waiting period that is under 24 hours.
With geopolitical incidents, malice will most likely be the cause of the incident. The degree of disruption depends on the type of incident and the region in which the incident takes place. Fortunately, this type of incident is extremely rare. Most businesses within the impacted region will experience damage. For underwriters and the ILS market, war exclusions would most likely prevent any damages to their businesses.
With X-class solar flares, environmental conditions are always the cause of the incident. This disruption-level incident is highly improbable. The degree of disruption depends on the size of the X-class flare and the region in which the incident takes place. Assuming such an incident causes power outages and other disruptions, all businesses within the impacted region would experience damage. For insurance underwriters and the ILS market, “acts of God” exclusions would most likely prevent any damages to their businesses.
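The four business interruption varieties above share one loss model: damage is breadth (entities impacted) times duration (hours until full resolution), and what a carrier or ILS investor actually pays is then shaped by the policy's waiting period and by war or "acts of God" exclusions. The following Python script is an added illustration of that model, not code from the original post. The durations (a 93-minute power outage, a 14-hour cloud outage) follow the post; the entity counts, hourly loss figures, daily probabilities and the eight- and twenty-four-hour policies are constructed for illustration.

```python
"""Toy breadth x duration model for business-interruption scenarios.

Added illustration, not from the original post. Durations follow the post;
breadth, hourly loss and daily probability values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    cause: str                     # "malice", "human_error", "weather", "geopolitical", "solar_flare"
    duration_hours: float          # disruption length until full resolution
    entities_affected: int         # breadth: number of businesses disrupted
    hourly_loss_per_entity: float  # constructed average loss per entity per hour (USD)
    daily_probability: float       # constructed chance the scenario starts on a given day


@dataclass(frozen=True)
class Policy:
    waiting_period_hours: float    # nothing is paid for the first N hours of an outage
    excluded_causes: frozenset[str]  # war and "acts of God" style exclusions


def gross_loss(s: Scenario) -> float:
    """Total economic damage: accumulates over the whole duration across all entities."""
    return s.duration_hours * s.entities_affected * s.hourly_loss_per_entity


def insured_loss(s: Scenario, p: Policy) -> float:
    """What the policy pays: zero if the cause is excluded, else only the hours
    beyond the waiting period, across all affected entities."""
    if s.cause in p.excluded_causes:
        return 0.0
    covered_hours = max(0.0, s.duration_hours - p.waiting_period_hours)
    return covered_hours * s.entities_affected * s.hourly_loss_per_entity


def annual_expected_insured_loss(scenarios: list[Scenario], p: Policy) -> float:
    """Sum over scenarios of (daily probability x 365) x insured loss if it occurs."""
    return sum(s.daily_probability * 365 * insured_loss(s, p) for s in scenarios)


# Constructed sample scenarios: durations from the post, everything else illustrative.
SCENARIOS = [
    Scenario("Maine power outage (avg 93 min)", "weather", 93 / 60, 4_000, 150.0, 0.01),
    Scenario("Cloud region outage (avg 14 h)", "human_error", 14.0, 20_000, 400.0, 0.002),
    Scenario("Multi-day cloud outage", "malice", 48.0, 20_000, 400.0, 0.0001),
    Scenario("Regional geopolitical disruption", "geopolitical", 72.0, 50_000, 500.0, 0.00001),
    Scenario("X-class solar flare", "solar_flare", 96.0, 100_000, 500.0, 0.000001),
]

WAR_AND_ACT_OF_GOD = frozenset({"geopolitical", "solar_flare"})
POLICY_8H = Policy(waiting_period_hours=8.0, excluded_causes=WAR_AND_ACT_OF_GOD)
POLICY_24H = Policy(waiting_period_hours=24.0, excluded_causes=WAR_AND_ACT_OF_GOD)


if __name__ == "__main__":
    for pol in (POLICY_8H, POLICY_24H):
        print(f"--- waiting period {pol.waiting_period_hours:.0f} h ---")
        for s in SCENARIOS:
            print(f"{s.name:36} gross ${gross_loss(s):>15,.0f}   insured ${insured_loss(s, pol):>15,.0f}")
        print(f"annual expected insured loss: ${annual_expected_insured_loss(SCENARIOS, pol):,.0f}\n")
```

Running it shows the mechanics the post describes: the 93-minute power outage carries real gross damage but never reaches either waiting period, the 14-hour cloud outage produces claims only under the 8-hour policy, and the geopolitical and solar flare scenarios contribute nothing to insured loss regardless of their size because of the exclusions. Swapping constructed inputs for a portfolio's own breadth, duration and probability estimates turns the same functions into a first-cut exposure calculation.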
Overall, systemic cyber risk is a potential problem. Though, we have not yet experienced a major incident. Even with Colonial Pipeline, there was direct interference with operations within one region of the U.S., but life returned to normal shortly thereafter. From our analysis, we believe a cloud outage is the most likely scenario that would impact individual businesses, insurance underwriters, and the ILS market.
[1] Power outage probability: determined by using data from “The Blackout Tracker: United States Annual Report 2018” by the Energy experts of Eaton.
[2] Cloud outage probability: determined by aggregating and analyzing cloud outages amongst Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.
[3] Geopolitical probability: determined by aggregating and analyzing geopolitical incidents on U.S. soil.
[4] Solar flare probability: determined by analyzing X-class solar flare activity from Space Weather Live and calculation data from NASA.
[5] https://casinobonusca.com/odds-of-experiencing-a-power-outage-today/
Now, let’s examine the systemic cyber risk problem for each concerned entity.
| Concerned Entity | Primary Concern | Probability | Damage | Reaction |
|---|---|---|---|---|
| U.S. Government | Damage to critical core infrastructure | Very low | Minor to catastrophic property, human casualty, and/or financial damage. | The U.S. government doesn’t have a choice; it must react to improbable yet catastrophic scenarios since the potential damages are too great to ignore. |
| Insurance Carriers | High loss ratio or insolvency | Low | Minor to catastrophic financial damage. | Insurance carriers can adjust policies and selection criteria to improve their overall odds of loss. For example, a 24-hour waiting period eliminates the most probable business interruption incidents that could cause widespread damage. |
| ILS Market | Developing or investing in a risky ILS instrument | Low | Minor to catastrophic financial damage. | The ILS market can be selective in developing and investing in ILS instruments to improve overall odds. Aggregation node ratios per insurance portfolio are a great place to focus for risk reduction. |
| Individual Businesses | Operational disruption that impacts revenue, margin, and brand. | Moderate | Minor to catastrophic financial damage. In certain cases, could cause property damage or human casualty. | Individual businesses can diversify and segment their businesses to reduce damages from a systemic incident. As an example, a business may choose to operate from multiple cloud zones/regions within one cloud provider or may choose to operate from multiple cloud providers. |
As indicated in the table above, the systemic cyber risk problem is unique for each concerned entity. However, there are strong overlaps amongst individual businesses, insurance underwriters, and the ILS market.
In summary, here are the side-by-side probabilities for a few systemic risk scenarios.
In the graph above, power outages are just slightly more probable than the business failing due to non-cyber-related issues. The systemic cyber risk problem is mostly related to power outages and cloud outages that are 8 hours or less in duration.
For help reducing probability and impact...
Please see insights related to cyber risk mitigation and transfer.