
Cyber-risk management professionals must look beyond their internal information technology safeguards to interconnected risks that could build up and create a global shock on a similar scale to the 2008 financial crisis, cautions recently published research from Zurich Insurance Group.

The reliance on information technology has created a complex web of interconnected risks, notes a statement from the Swiss insurance group.

Findings – detailed in the Zurich Cyber Risk Report, created in collaboration with the international think tank Atlantic Council and issued earlier this week – show that organizations must improve their response to cyber risks to avoid a potential global shock.

“While our society’s reliance on the Internet grows exponentially, our control of it only grows linearly, limited by outdated government procedures and ineffective governance,” notes the report.

“Yet modern cyber risk management does not give much thought to ‘distant digital perfection,’ the aggregations of cyber risk, which lie sometimes far outside an organization’s own server and firewalls.”

The report identifies seven interconnected risks, namely internal IT enterprise, counterparties and partners, outsourced and contract, supply chain, disruptive technologies, upstream infrastructure, and external shocks.

Even cyber security professionals are not clear on how the failure of an organization or of technology could develop to become a system-wide risk. “Cyber-risk management professionals need to look beyond their internal information technology safeguards to interconnected risks which can build up relating to counterparties, outsourced suppliers, supply chains, disruptive technologies, upstream infrastructure and external shocks,” the statement notes.

The report calls for organizations to incorporate best ideas from financial governance to enhance cyber risk management, and identify and improve the governance of global significantly important Internet organizations.

Although the Internet “has been incredibly resilient for the past few decades, the risk is that the complexity which has made cyberspace relatively risk-free can – and likely will – backfire,” Axel Lehmann, Zurich Insurance Group’s group chief risk officer and regional chairman, Europe, cautions in the statement.

“Organizations are unknowingly exposed to risks outside their organization, having outsourced, interconnected or exposed themselves to an increasingly complex and unknowable web of networks,” Lehmann explains.

More specifically, the seven interconnected risks are as follows:

Internal IT enterprise: described as risk associated with the cumulative set of an organization’s (mostly internal) IT; examples include hardware, software, servers and related people and processes;

Counterparties and partners: described as risk from dependence on, or direct interconnection (usually non-contractual) with, an outside organization; examples include university research partnerships, relationships between competing/cooperating banks, corporate joint ventures and industry associations;

Outsourced and contract: described as risk usually from a contractual relationship with external suppliers of services, HR, legal or IT and cloud provider; examples include IT and cloud providers, HR, legal, accounting and consultancy, and contract manufacturing;

Supply chain: described as both risks to supply chains for the IT sector and cyber risks to traditional supply chains and logistics; examples include exposure to a single country, counterfeit or tampered products, and risks of disrupted supply chain;

Disruptive technologies: described as risks from unseen effects of, or disruptions either to or from, new technologies, whether already existing but poorly understood or due soon; examples include the Internet of things, smart grid, embedded medical devices, driverless cars, and the largely automatic digital economy;

Upstream infrastructure: described as risks from disruptions to infrastructure relied on by economies and societies, especially electricity, financial systems and telecommunications; examples include Internet infrastructure such as Internet exchange points and submarine cables, some key companies and protocols used to run the Internet, and Internet governance; and

External shocks: described as risks from incidents outside the system, outside the control of most organizations and likely to cascade; examples include major international conflicts, malware and pandemic.

Governments and forward-looking organizations must look beyond data breaches “to broader risks, including the increasing danger of global shocks initiated and amplified by the interconnected nature of the Internet,” notes the report foreword by Lehmann and Fred Kempe, president and CEO of the Atlantic Council. “The Internet of tomorrow will both initiate and amplify global shocks in ways for which risk managers, corporate executives, board directors and government officials may not be adequately prepared,” they note.

The report makes the following recommendations – the first two relating to system-wide risk and aimed at governments and organizations with systemic responsibilities; the next three relating to local risk and aimed at individual organizations:

Expand the horizon of cyber risk management to system-wide resilience and response;

Borrow ideas from finance-sector governance;

Basic: provide application white-listing, use standard secure system configurations, patch application software within 48 hours, patch system software within 48 hours, and reduce the number of users with administrative privileges;

Advanced: push out the risk horizon, cyber insurance, demand more resilient and secure standards and products, and more effective board-level risk management; and

Resilience: redundancy, incident response and business continuity planning, and scenario planning and exercises.
