Systemic Cyber Risk: Demystifying a Hidden Threat
Jul 12, 2017
Editor's Note: In this article, we discuss the potential for catastrophic losses due to industry-level damage caused by a systemic cyber attack that government agencies, insurers, and industry trade groups must prepare for. We also discuss tools that risk managers of all industries can use to analyze systemic cyber risk to determine an individual organization’s exposure to this risk.
In May, President Donald J. Trump signed an executive order to shore up the cybersecurity of U.S. systems and improve the coordination between the public and private sectors on cyber defense. The latter goal specifically refers to securing the critical industry sectors “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” All companies are exposed to some level of cyber risk, but the most pressing issue facing companies today is systemic cyber risk—the extent to which the same form of cyber risk exists within most, if not all, companies within an industry and the potential for a single incident to affect the security and profitability of that entire industry.
BI Losses Can Far Exceed Losses from Direct Damage
The recent global ransomware attack known as WannaCry highlights how systemic cyber risk has unknowingly been allowed to permeate across society, becoming the most significant threat to critical industries. When these industries have cyber vulnerabilities in common, an exploitation of a vulnerability can result in damage to entire systems (industries) as opposed to individual parts or components (companies). The challenge with systemic cyber risk is that often its existence only becomes apparent—or activities to contain the risk only occur—after an incident. For example, global ransomware infections became widespread because many computer operating systems had not been updated with security patches, despite their being made available months beforehand.
Most concerning about systemic cyber risk is that collateral damage often far exceeds the direct damage of the cyber attack. For example, the business interruption losses WannaCry caused have been estimated to be in the billions of dollars, but the actual ransom collected by the hackers amounted to just over USD 140,000 as of the end of June. As more attacks of this nature occur, we can expect that the economic losses will mostly comprise business interruption loss, rather than losses associated with repair or recovery costs.
With cyber insurance coverage for business interruption loss still limited—due to relatively high waiting periods and other deductibles, and/or low limits—the burden of covering business interruption losses must be borne by the impacted industries themselves.
Because of the potential for catastrophic losses due to the industry-level damage that can occur as a result of a systemic cyber attack, risk managers should be asking: What is the level of systemic cyber risk within particular industries? Is the same type of systemic cyber risk present across many industries? What is the potential financial impact of a systemic cyber attack? What risk mitigation actions should industries be taking?
Quantifying Systemic Cyber Risk
The three-step, bottom-up process described in the following sections provides a view of systemic cyber risk that is tailored to specific industries and the companies within them.
1. Understanding the Industry-Level Virtual Supply Chain
Cyber risk is different from physical risk because the drivers of risk may not be correlated with an organization’s geographic location. For example, with flood risk one can look at all the properties that lie within a certain distance from a river or coast; in the case of cyber risk, a cloud service provider may have client companies scattered across the globe, so the location of the provider and its client companies are uncorrelated. This challenge is being addressed with technologies that monitor the public space of the internet, allowing risk managers to identify all the internet-based services that a company may rely on. Once detailed data on the virtual supply chain has been collected, risk managers can begin to understand the level of exposure to systemic cyber risk at an industry level.
2. Testing the Industry’s Resilience by Studying “What-If” Scenarios
The detailed data about the virtual supply chain can then be used to identify which cyber scenarios are most relevant and to quantify the systemic risk within an industry in the form of potential financial losses. For example, if a certain cloud provider is relied upon more than any other by many companies within an industry, then a downtime scenario for a range of outage durations for that specific cloud provider would reveal a distribution of potential outcomes. Similarly, these scenarios can also be used to quantify the impact of risk mitigation activities. What if the market share of cloud providers within an industry were more evenly distributed? What if all companies were to upgrade their software to the latest release versions? What if the adoption of cyber insurance by companies increases? By adjusting the underlying scenario conditions and retesting, risk managers can measure the financial benefits and compare them with the cost of implementation and enforcement of specific mitigation tactics.
3. Estimating the Frequency of Systemic Cyber Events Occurring
Frequency estimates provide additional context for the distributions of losses obtained in the scenario analysis. They change the conversation from, “What will the impact of a cyber incident be?” to “How likely is it that such an incident will occur?” When probabilities are attached to the losses, risk managers can have discussions with executive management and begin to make risk mitigation decisions based on the organization’s unique risk appetite. For example, if the company is willing to live with an X% probability that a $Y loss will occur, and has quantified those variables, the company can then allocate the optimal amount of funding for mitigation and response activities and evaluate the return on investment of those activities.
Limitations of the Market Share Approach
Risk managers have traditionally used market share analyses that use broad assumptions to estimate systemic cyber risk. To examine the limitations of a market share approach, AIR conducted an analysis utilizing its database of cyber industry exposures, which has data on the virtual supply chain of most U.S. businesses. The study consisted of grouping companies into different notional portfolios and measuring the market share of a specific IT service provider for each unique portfolio. The different portfolios’ market shares were then compared against the overall market share of the provider. Specifically, we looked at Dyn, a domain name service (DNS) provider, which was the victim of a mass denial of service attack that brought down the internet pages of many of its clients. Dyn is known to have a 4% market share. This 4% share would be the share applied broadly across any portfolio if a market share approach were used. Figure 1 shows how systemic cyber risk is likely to be misjudged within specific portfolios when using market shares.
AIR’s analysis shows that there is only a 20% chance that a unique portfolio has a Dyn market share of 4%, the known value. So in general terms, you have only a 20% chance of estimating your systemic cyber risk accurately when using a market share approach. In fact, you also have a 20% chance that the Dyn market share within a unique portfolio is 50–150% higher than the known value (i.e., 6–10% of market share). Risk managers should find it concerning that they have only a 20% chance of estimating their systemic cyber risk correctly when using a market share approach.
Modeling Systemic Cyber Risk Using ARC’s Detailed Accumulation Approach
AIR developed a detailed accumulation approach as an improvement over market share methods. A detailed accumulation approach utilizes data about a company’s virtual supply chain to determine with greater certainty which companies would be impacted by the systemic risk scenario. This approach provides a more confident view of the risk because it identifies the exposures that would actually be affected by the event and omits those that should not be considered. Below is a visual comparison of the two approaches.
In Figure 2, two identical portfolios are tested against the same cloud failure cyber scenario. Using a market share approach (left) the exposures impacted by the scenario are arbitrarily carved out. For example, if Cloud Vendor X has a 30% market share, then you would assume that same share exists within your portfolio and that 30% of your companies would be at risk of experiencing a loss if that cloud provider were to go down. With the detailed accumulation approach (right), companies are organized around the specific cloud providers each company actually relies on. By identifying these aggregation points, only the companies known to be at risk are considered.
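As an added illustration (not AIR's or ARC's code), the following Python compares the market share approach with the detailed accumulation approach on a small constructed portfolio, running the cloud-outage "what-if" scenario from step 2 across a range of outage durations. The portfolio, the hourly business interruption loss rates, the assumed industry market shares and the vendor names are all made-up sample values.

```python
"""Market share vs detailed accumulation estimates of cloud-outage BI loss.

Added illustration, not AIR/ARC code. Every value below is constructed.
"""

# Constructed portfolio: company -> (cloud provider it actually relies on,
# business-interruption loss per hour of that provider's outage, USD)
PORTFOLIO = {
    "Acme Retail":     ("Cloud Vendor X", 50_000),
    "Beta Bank":       ("Cloud Vendor Y", 120_000),
    "Gamma Health":    ("Cloud Vendor X", 80_000),
    "Delta Logistics": ("Cloud Vendor Z", 30_000),
    "Epsilon Media":   ("Cloud Vendor X", 20_000),
}

# Industry-wide market shares the market share approach would apply blindly
INDUSTRY_SHARE = {"Cloud Vendor X": 0.30, "Cloud Vendor Y": 0.45, "Cloud Vendor Z": 0.25}

OUTAGE_HOURS = [1, 4, 12, 24]  # constructed range of outage durations


def market_share_loss(portfolio, hours, share):
    """Market share approach: assume `share` of total hourly exposure is at risk."""
    total_rate = sum(rate for _, rate in portfolio.values())
    return share * total_rate * hours


def detailed_accumulation_loss(portfolio, vendor, hours):
    """Detailed accumulation: only companies that actually rely on `vendor` lose."""
    rate = sum(r for v, r in portfolio.values() if v == vendor)
    return rate * hours


def portfolio_share(portfolio, vendor):
    """Observed share of this portfolio relying on `vendor` (by company count)."""
    return sum(1 for v, _ in portfolio.values() if v == vendor) / len(portfolio)


def outage_scenario(portfolio, vendor, durations, share):
    """Loss under both approaches for each outage duration: {hours: (ms, da)}."""
    return {h: (market_share_loss(portfolio, h, share),
                detailed_accumulation_loss(portfolio, vendor, h)) for h in durations}


if __name__ == "__main__":
    vendor = "Cloud Vendor X"
    print(f"Portfolio share of {vendor}: {portfolio_share(PORTFOLIO, vendor):.0%}"
          f" vs assumed industry share {INDUSTRY_SHARE[vendor]:.0%}")
    for h, (ms, da) in outage_scenario(PORTFOLIO, vendor, OUTAGE_HOURS, INDUSTRY_SHARE[vendor]).items():
        print(f"{h:3d}h outage: market share est. ${ms:>12,.0f}   detailed accumulation ${da:>12,.0f}")
```

With these constructed numbers the portfolio's actual reliance on Cloud Vendor X (60% of companies, half of hourly exposure) is far above the 30% industry share, so the market share approach understates the loss at every outage duration.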
AIR’s cyber risk modeling application, ARC, uses this detailed accumulation approach as the foundation for the various deterministic scenario models that can be used by risk managers from all industries. Coupled with AIR’s comprehensive database of industry exposures, ARC provides new insights into the causes and impacts of systemic cyber risk.