Systemic Cyber Risk: Prepare Individually, Fail Collectively

By their evolving nature today, cyber threats cannot be addressed in isolation. Increasingly,cyber risk becomesrisk if we are virtually connected, and a system's aggregated risk becomes the risk ofcomponent users and contributors.
This post was published on the now-closed HuffPost Contributor platform. Contributors control their own work and posted freely to our site. If you need to flag this entry as abusive, send us an email.
Protecting digital encoding. Padlock and decoding algorithm, script programming, safety and protect system, vector illustration
Protecting digital encoding. Padlock and decoding algorithm, script programming, safety and protect system, vector illustration

Not surprisingly, as data security breaches and cyberattacks against large companies continue to be highly publicized, awareness of cyber risk and the need for cybersecurity continues to increase. Of the 29 global risks discussed in the World Economic Forum's Global Risks Report 2016, large-scale cyberattacks is ranked as the eleventh most likely global risk, and massive incident of data fraud or theft is ranked eighth. Remarkably, however, the Report also indicates that perhaps the evolving nature of cyber risk -- from seemingly isolated attacks against specific companies, such as entertainment and electronic giant Sony in 2104, to system-wide attacks with the potential for massive cascading effects, as recently occurred in Ukraine -- is not fully understood.

Our cyber dependence and the digital connectivity of systems, assets, data and networks continues to grow, increasing the interconnection of risks and the potential for cascading effects resulting from a cyber incident. As a result, cyberattacks can lead to breakdowns, outages and disruptions to entire systems -- not just individual components or entities. Today's cyber risk is systemic. And yet, two risks closely interconnected to large-scale cyberattacks rank much lower in the Report. The failure/shortfall of critical infrastructure is perceived to be the sixth least likely and the second least impactful risk, and the breakdown of critical information infrastructure and networks has continued to decrease in perceived impact over the last few years, and is considered among the least likely global risks to occur after unmanageable inflation, weapons of mass destruction and the rapid and massive spread of infectious disease. This disconnect seems to indicate an ignorance of the systemic nature of cyber risk today. These interconnected risks do not exist in a vacuum -- as cyberattacks and their impacts increase -- so too will the likelihood and impacts of closely interconnected risks.

Enterprise risk management (ERM) programs and approaches must evolve to meet the changing and expanding nature of systemic cyber risk. Risk managers should increase their awareness and understanding and should consider the following:

(1) Hollywood Scripts Become Reality: Enterprise Risk Must Include the Risk to Global Systems.

The horizon and landscape assessed through ERM must include global systems upon which we all increasingly rely to operate. 'The enterprise' is no longer limited to an entity's owned or controlled systems, networks, and assets. A successful cyberattack on global critical infrastructure systems such as transportation, electricity grids, or financial payment, clearing and settlement systems could potentially adversely affect all entities that rely on them to transact and operate business and government services. Such risks must be assessed and included in ERM. For example, an attack on payment and settlement systems by a sophisticated actor could not only disable the ability of consumers and businesses to make transactions but could, if not effectively mitigated, adversely affect national economies.

Recent events such as the Ukrainian rolling blackout, believed to be the result of hacking, demonstrate that physical and cyber interdependencies can result in systemic level disruptions or failures -- it is no longer only the imaginings of Hollywood script writers. Further, disruptions of underlying or enabling critical information infrastructure such as positioning, navigation, and timing (PNT) technologies could disrupt critical functions and services in turn causing outages or disruptions to power grids, banks, communications networks or air traffic control systems. Micro or seemingly isolated incidents have the potential to quickly morph into a chain of adverse consequences that cross geographical, sectoral and time boundaries.

(2) Isolated to Cascading Consequences: Assess Consequences of System Risk Systemically.

Systemic risks result in systemic consequences and yet despite the fact that the risk of massive data theft/ fraud is considered to be of similar likelihood to cyberattacks, it continues to rank well below average in terms of perceived impact. This seems startling, given the frequency, volume and invasive nature of the breaches reported in 2015 from sectors as diverse as financial services, travel, health and government entities. The breach of the U.S. Office of Personal Management alone resulted in the exposure of extremely personal information -- such as Social Security numbers, fingerprints, residency, education, employment, health, criminal and financial history, and information about immediate family and acquaintances -- for 21.5 million individuals.

Perhaps the respondents perceived the risk impact to be relatively low because most often the immediate consequences and costs of known breaches amount to annoyances for most affected. But in fact, the expansive nature of recent data breaches demonstrates that the immediate effects and cost of response are just the tip of the impact iceberg. The longer-term systemic and aggregated consequences of data breaches for businesses include a loss of trust and reputation at the industry level, costs associated with adjusting business plans and strategies to address changes in consumer behavior and preferences, and an increased risk of litigation, regulation and compliance reporting. Businesses and governments need a deeper understanding of the long-term potential systemic consequences of seemingly isolated cyber incidents- data theft/fraud is but one type of cyber incident. The quantification of systemic risks must include assessing actual and potential consequences systemically.

(3) Your Risk is My Risk: Partner to Build Resilience

By their evolving nature today, cyber threats cannot be addressed in isolation. Increasingly, your cyber risk becomes my risk if we are virtually connected, and a system's aggregated risk becomes the risk of all component users and contributors. No one entity has all of the authorities, capabilities and capacities to address all possible attack vectors, shore up all possible vulnerabilities and address the risk of all connections. We must work together leveraging our unique perspectives, expertise and operating environments. Risk managers should seek to partner with their suppliers (and suppliers' suppliers), customers, and industry colleagues to pursue an integrated approach to protecting assets, information and systems logically connected throughout the enterprise.

As the Fourth Industrial Revolution unfolds, increasing hyperconnectivity, digitization and rapid technological innovation are forever changing and complicating our global risk landscape. Cyber related risks continue to present risk managers with unique considerations, scenarios and consequences. The next generation of cyber enterprise risk managers must study and understand the systems and networks in which their organization participate and upon which they rely. It is only through more fully understanding system characteristics, the full scope of both uses and users, and component systems and networks that we can -- in partnership -- hope to effectively manage the systemic nature of cyber risk including diffused system vulnerabilities, single points of failure and over-dependency on critical nodes of systems and networks.

To further inform enterprise risk management of systemic cyber risk, the Global Agenda Council on Risk & Resilience is developing a resilience use case discussing how to strengthen cyber resilience. We welcome your thoughts and participation.

This post is part of a series produced by The Huffington Post and The World Economic Forum aimed at providing an overview of the critical issues facing the world over the coming decade. The series is developed in conjunction with the Global Risk Report 2016. The series is running one week before the commencement of the Forum's Annual Meeting 2016 (in Davos-Klosters, Switzerland, Jan. 20-23). Read all the posts in the series here.