How cyber risk aware is your business? Zurich identifies seven cyber risks that threaten systemic shock

8 May 2014
To avoid a global shock similar to the 2008 financial crisis, organisations must improve their response to cyber risks, says a new report published by Zurich in collaboration with international think tank the Atlantic Council.

The recently published report, Beyond Data Breaches: Global Interconnections Of Cyber Risk, reveals that even cyber security professionals are not clear on how the failure of an organisation or of technology could develop into a system-wide risk.

National Underwriting Manager, Professional Indemnity - Financial Lines, James Stringer, says the reliance on information technology in this day and age has created a complex web of interconnected risks.

“Cyber-risk management professionals need to look beyond their internal information technology safeguards to interconnected risks which can build up relating to counterparties, outsourced suppliers, supply chains, disruptive technologies, upstream infrastructure and external shocks,” says James.

The report found that a build-up in these risks could create a failure on a similar scale to the 2008 financial crisis. These interconnected risks are compounded when a company outsources the management of its servers, information technology and cyber security to focus on its core activities. Little may be known about the third party’s information security or business continuity safeguards, and the third party may in turn outsource activities to other companies.

The report calls for organisations to incorporate the best ideas from financial governance, such as creating a G20+20 Cyber Stability Board to enhance cyber risk management, and identifying and improving the governance of G-SIIOs (Global Significantly Important Internet Organizations).

The internet is a very complex system. While it has been incredibly resilient for the past few decades, the risk is that the complexity which has made cyberspace relatively risk-free can – and likely will – backfire.

“Organisations are unknowingly exposed to risks outside their organisation, having outsourced, interconnected or exposed themselves to an increasingly complex and unknowable web of networks,” says James.

“Few people truly understand their own computers or the internet, or the cloud to which they connect, just as few truly understood the financial system as a whole or the parts to which they are most directly exposed. The result means that a significant chain of disruptions to an interconnected system could bring it all crashing down. Companies need to build resilience and the ability to bounce back from disruptions to make them as short and limited as possible.”

The report identifies the following seven interconnected risks:


Internal IT enterprise
Description: Risk associated with the cumulative set of an organization’s (mostly internal) IT
Examples: Hardware; software; servers; and related people and processes

Counterparties and partners
Description: Risk from dependence on, or direct interconnection (usually non-contractual) with an outside organization
Examples: University research partnerships; relationship between competing/cooperating banks; corporate joint ventures; industry associations

Outsourced and contract
Description: Risk usually from a contractual relationship with external suppliers of services, HR, legal or IT and cloud provider
Examples: IT and cloud providers; HR, legal, accounting, and consultancy; contract manufacturing

Supply chain
Description: Both risks to supply chains for the IT sector and cyber risks to traditional supply chains and logistics
Examples: Exposure to a single country; counterfeit or tampered products; risks of disrupted supply chain

Disruptive technologies
Description: Risks from unseen effects of or disruptions either to or from new technologies, either those already existing but poorly understood, or those due soon
Examples: Internet of things; smart grid; embedded medical devices; driverless cars; the largely automatic digital economy

Upstream infrastructure
Description: Risks from disruptions to infrastructure relied on by economies and societies, especially electricity, financial systems, and telecommunications
Examples: Internet infrastructure like internet exchange points, and submarine cables; some key companies and protocols used to run the internet (BGP and Domain Name System); internet governance

External shocks
Description: Risks from incidents outside the system, outside of the control of most organizations and likely to cascade
Examples: Major international conflicts; malware pandemic


A full copy of the report can be downloaded at www.zurich.com

ENDS

For further information contact:

Helen Black
Head of Marketing, Communications & Customer
Zurich Financial Services Australia
Business ph: +61 (02) 9995 1368

Zurich Insurance Group (Zurich) is a leading multi-line insurer that serves its customers in global and local markets. With about 55,000 employees, it provides a wide range of general insurance and life insurance products and services. Zurich’s customers include individuals, small businesses, and mid-sized and large companies, including multinational corporations, in more than 170 countries. The Group is headquartered in Zurich, Switzerland, where it was founded in 1872. The holding company, Zurich Insurance Group Ltd (ZURN), is listed on the SIX Swiss Exchange and has a level I American Depositary Receipt (ZURVY) program, which is traded over-the-counter on OTCQX. Further information about Zurich is available at www.zurich.com.