I almost titled this post “Something Wicked This Way Comes” but I realized that systemic cyber risks are already here. They have come. There is no shutting the door to keep systemic cyber risks out. They are an attribute of any portfolio of two or more companies linked together through the use of the web.
Systemic cyber risks will continue to emerge throughout every industry that uses the web in every region of the world. All aspects of society from commerce to healthcare to media to entertainment will be impacted.
OK, systemic cyber risks are an emergent property … but what are they, really?
One problem is that there is no insurance industry consensus about defining or describing systemic cyber risks.
I offer my description of systemic cyber risks to fill the void:
Systemic cyber risks are an emergent property of the web-enabled interconnections and interdependencies among and between companies, the ecosystems in which they participate, the people who work for or conduct commerce with them, and every one of the physical artifacts with digital content (e.g. IoT) the companies, the people who work for or with them, and their clients and prospects use whether infrequently or frequently.
Similarly, I haven’t yet come across approaches from cyber protection advisory, modeling, and monitoring firms advising carriers how to avoid or limit their long-tail losses from systemic cyber risk events through the:
- identification of systemic cyber risk descriptive attributes to create models estimating probable maximum losses which would guide insurers’ decisions regarding whether to offer cyber insurance coverage for systemic cyber risk losses;
- use of lower limits of cyber insurance coverages;
- tightening of terms, conditions, and restrictions of cyber insurance policies that are intended to offer coverage for them.
Note: Admittedly, I have yet to be briefed by any cyber protection advisory firms who create cyber loss models about their models and the advice or services that they provide insurance firms, inclusive of their models of systemic cyber risk events.
My initial ideas about systemic cyber attacks
For me, systemic cyber risks are the reality of what many cyber risks really are. When a cyber attack happens, I believe investigations of the impact of the cyber risk event will show that a systemic cyber risk event occurred.
There are risk professionals (I’m including (re)insurers, insurance brokers, cyber consultants, others) who believe a systemic cyber attack is an attack that impacts an entire country, a component of a critical national infrastructure, or an entire industry sector.
I believe their viewpoint is far too narrow.
I consider a systemic cyber attack to be an attack that impacts not just the primarily attacked company but also the entities and people who are impacted at two degrees, three degrees, or higher degrees through their direct and indirect interconnections and interdependencies with the primarily attacked company.
Put another way:
A cyber attack on a company that shuts off or slows down its operational capabilities (whether the cyber attack objectives are ransomware or extortion; nuisance; corruption; disruption; or destruction style attacks) will impact, at a minimum, one or more of its:
- employees (not being able to work and therefore potentially losing their paychecks or their income cash flow)
- brand / reputation (and therefore its competitive position, ability to hire, or ability to sell its products)
- stock price (and therefore its investors as well as the stock brokers buying or selling shares in the company)
- suppliers (and therefore the shipping and/or storing of the attacked company’s products).
I created the visual below to emphasize how a cyber attack could cascade through a number of interconnected and interdependent “zones” outward from the primary attacked company.

Thinking in terms of a finite area of cyber impact (e.g. only the company cyber attacked is impacted) is dangerously myopic from (at least) three viewpoints:
1. cyber loss viewpoint;
2. cyber risk modeling initiative;
3. decisions about how much or whether to offer cyber insurance coverage.
Summing up: I believe there are more systemic cyber attacks than some (most?) others believe have occurred and will occur.
Delving deeper about systemic cyber risk
As I identified and read materials about systemic risk and systemic cyber risk, I realized that the visual I created (and show above) is too simple to reflect the reality of systemic cyber risks. The above visual does show some aspects of systemic cyber risk but it is limited in the points I am striving to make.
For context, here are some direct quotes from “Systemic Risks from Different Perspectives”, by Ortwin Renn, Manfred Laubichler, Klaus Lucas, Wolfgang Kroger, Jochen Schanze, Roland W. Scholz, and Pia-Johanna Schweizer, Risk Analysis, Vol 42, No. 9, 2022:
“Systemic risks are characterized by high complexity, multiple uncertainties, major ambiguities, and transgressive effects on other systems outside of the system of origin.”
“Systemic risk refers to the risk or probability of breakdowns in an entire system, as opposed to breakdowns in individual parts or components, and is evidenced by co-moments (correlation) among most or all parts.”
“Systemic risks need to be differentiated on the regional, national, and global level and do not exclusively denote global breakdowns.”
“‘Guidelines for the governance of systemic risks’ emphasizes that systemic risks are characterized by cascading effects that affect the larger system.”
“Systemic risks as a potential for a threat or hazard to propagate disruptions or losses to multiple connected parts of complex systems.”
“The notion of systemic risks describe phenomena of functionality losses at the macro-level involving multiple agents at the micro-level.”
“As systemic risks have no clear boundaries with respect to scope, time, and space, there is ambiguity about which other systems are affected and which of these potentially affected systems need to be included or excluded.”
This material, and others, drove me to find a better visual.
My first visual is too simple because it doesn’t capture macro-level or micro-level functionality; it doesn’t capture cascading effects; and it doesn’t capture disruptions to multiple connected parts of a complex system. (And that’s what the expanding Cyber Era is: a complex system – really, a complex adaptive system – of interconnected and interdependent entities, e.g. people, companies, IoT devices, processes, and information flows.)
As importantly, my first visual does not reflect the higher number of dimensions of the cyber attack (hyper-dimensional) spaces that have been created, and continue to be created, by the never-ending growth of the number of interconnections and interdependencies among and between digital artifacts, the digital content of physical artifacts, and physical artifacts. Each of the hyper-dimensional cyber attack spaces births cyber attacks along, through, and within any point, any vector, or any sector of the continuously unfolding (and refolding) attack space.
The visual below (of a 10-dimensional topographic space) from bing.com is still, I believe, wholly inadequate, but feels better at getting my (multiple-dimensional) point across than my initial visual.

Evolution of Cyber risks
Systemic cyber risks are an example of the evolution of the “simple” cyber risks that existed back in 1997 (1998?) when insurers began to offer cyber insurance. The “simple” cyber risks have evolved into the more “complex” cyber risks that are significantly more dangerous to insure in 2023. The evolution of cyber risks into more complex risks (with longer tails?) will continue in the months and years to come as more interconnected and interdependent entities are added into and to the cyber attack hyper-dimensional space.
At the same time that cyber risks are evolving into systemic cyber risks, they are also becoming more fragile (to effectively model, manage, secure, and insure). There are a host of reasons the emergent and expanding cyber world is becoming (more) fragile:
- The never-ending and ever-expanding plethora of interconnections and interdependencies among and between tangible and intangible assets is setting dangerously false expectations among consumers and corporations (it’s just another risk; all we need to do is gather more data).
- Too many people and businesses believing that the (supposed) safety of laws, rules, and regulations they enjoyed throughout the previous decades of relying on tangible assets continues into the Cyber Era which is becoming ever-more replete with intangible assets.
- The reliance on the efficacy of the wireless, unseen threads that weave people, businesses, tangible assets, and intangible assets together.
- People and companies increasingly relying on technology vendors (IT and Telco) which provide solutions, whether on-premises or off-premises, to be vigilant about the cyber security of their own operations and the cyber safety of the solutions they sell.
- Cyber hackers who can, and do, attack digital systems at will. Cyber has created an environment where the predators will always have advantages over the prey (any person, any company, any thing, any animal connected to the web).
- The existence of cyber risks, whether one-off or as a set of systemic risks, that can shut down businesses, shut down specific operations within a business, cost businesses significant money, damage the reputation of businesses, and/or cause the clients – and suppliers and other partners – of businesses to lose personal information.
What should insurers do about systemic cyber risks?
Insurers need to realize that systemic cyber risks are, at a minimum, a:
- potential existential threat to insurance carriers whose book of cyber business is all or mostly policies that cover systemic cyber risks (because the resulting combined ratios from systemic cyber risks will become horrendously high and financially unbearable to carriers) [I hypothesize that insurers will realize that increasingly more of the cyber risks they currently offer coverage for are actually systemic cyber risks because no commercial corporation is on a web-connected island unto itself. Actually, consumers are not on a web-connected island unto themselves either.];
- trigger that does, and will increasingly, encompass losses from more than one line of insurance beyond cyber insurance such as D&O; product liability; technology E&O; and agent/broker E&O;
- threat to producers selling and servicing cyber insurance because systemic cyber risks could be (are? will be?) the clarion call for carriers to:
  - continually lower the limits of cyber coverage they offer;
  - tighten the terms, conditions, and restrictions of other cyber insurance they currently offer;
  - sponsor ILS cyber cat bonds to protect their aggregate financial capacity;
- challenge to CISOs or CSOs because the existence and expansion of systemic cyber risks will (should?) push them to find avenues for financial remediation other than cyber insurance because an increasing number of insurers won’t offer cyber coverage and capital markets will discover even they won’t get their expected returns;
- boon to firms that provide cyber protection advisory services (e.g. cyber loss models, outside-in and/or inside-out real-time monitoring, audits, incident response, …) driving more insurers to partner with these types of firms.
What else should insurers do?
At the least, insurers should be continually tightening the terms, conditions, and restrictions of their cyber policies to ensure that they are not offering any coverage for systemic cyber risks (regardless of how much a plaintiff’s attorney tortures contract wording to find cyber cover where none was intended or billed).
At best, insurers should be frequently monitoring their aggregate cyber risk for each client (whether stand-alone or bundled policies, and inclusive of every policy in-force for each client) in each individual industry in each geographic region and, simultaneously, their total aggregate risk across their entire book of business.
Beyond the attributes of systemic cyber risks shown above, a key theme of cyber, and particularly, of systemic cyber risks, is the fragility it does and will continue to generate.
Ending Thoughts
As humans, we unfortunately live and work in 3-dimensional space. Even worse, too many of us have lived almost entirely with physical artifacts (e.g. pre-web or pre-being a digital native). These 2 unfortunate attributes generate a myopia concerning the understanding of the nature of the evolution of cyber attack spaces and cyber attacks.
When, and as, the cyber attack space and cyber attacks change in (what we consider) unexpected ways and cyber attacks emerge (that we again believe are unexpected), we tend to throw out the term “Black Swan” to help us manage the situation.
Black Swans are not going to help us.
Insurance professionals and members of cyber protection and advisory firms need to think in 4, 5, and higher dimensions of potential cyber attack spaces and cyber attacks.