Cyber risk management professionals need to look beyond their internal IT safeguards to the interconnected risks created by counterparties, outsourced suppliers, supply chains, disruptive technologies, upstream infrastructure and external shocks.
This is one of the conclusions from the Zurich Cyber Risk Report, which warns that a build-up in these risks could create a failure on a similar scale to the 2008 financial crisis.
Such interconnected risks are compounded when a company outsources the management of its servers, information technology and cyber security to focus on its core activities. Little information may be known about the third party’s information security or business continuity safeguards and it may also, in turn, outsource activities to other companies.
The report calls for organisations to incorporate the best ideas from financial governance such as creating a G20+20 Cyber Stability Board to enhance cyber risk management and identify and improve the governance of G-SIIOs (Global Significantly Important Internet Organisations).
Christoph Leuzinger, executive head of global corporate at Zurich South Africa, comments: “This research further solidifies the findings of the Global Risks 2014 Report, released earlier this year by Zurich and the World Economic Forum (WEF), which lists cyber-attacks as the fifth most likely risk to face the globe in the next 10 years.
“With the internet becoming increasingly coupled with the real world, the nature of cyber risk is undergoing a fundamental change – only with a holistic view on risk are we able to build resilience to the changed cyber risk environment.”
The Zurich Cyber Risk Report identifies the following seven interconnected risks:
* Internal IT enterprise is the risk associated with the cumulative set of an organisation’s (mostly internal) IT. Examples include hardware; software; servers; and related people and processes;
* Counter-parties and partners is the risk from dependence on, or direct interconnection (usually non-contractual) with, an outside organisation. Examples include university research partnerships; relationships between competing/co-operating banks; corporate joint ventures; industry associations;
* Outsourced and contract risk usually arises from a contractual relationship with external suppliers of services such as HR, legal, IT and cloud providers. Examples include IT and cloud providers; HR, legal, accounting and consultancy; contract manufacturing;
* Supply chain covers both risks to the IT sector's own supply chains and cyber risks to traditional supply chains and logistics. Examples include exposure to a single country; counterfeit or tampered products; the risk of a disrupted supply chain;
* Disruptive technologies covers the unseen effects of, or disruptions to or from, new technologies, whether already existing but poorly understood or due soon. Examples include the Internet of Things; the smart grid; embedded medical devices; driverless cars; the largely automatic digital economy;
* Upstream infrastructure risks arise from disruptions to infrastructure relied on by economies and societies, especially electricity, financial systems and telecommunications. Examples include Internet infrastructure such as internet exchange points and submarine cables; key companies and protocols used to run the internet (BGP and the Domain Name System); and Internet governance; and
* External shocks present risks from incidents outside the system, outside the control of most organisations and likely to cascade. Examples include major international conflicts or a malware pandemic.
“Cybercrime poses a growing threat to the individuals, institutions and companies embedded in a complex and international online environment and will have a profound effect on the short-term insurance industry in particular,” adds Leuzinger. “Insurers who stay ahead of market trends will, ultimately, lead the way in helping their customers mitigate cyber risk.”