Organisations must improve their response to cyber risks to avoid a global shock similar to the 2008 financial crisis, a study by Zurich Insurance warns. The research reveals that even cyber security professionals are not clear on how the failure of an organisation or of technology could develop to become a system-wide risk. The reliance on information technology has also created a complex web of interconnected risks.
Cyber-risk management professionals need to look beyond their internal information technology safeguards to the interconnected risks that can build up in relation to counterparties, outsourced suppliers, supply chains, disruptive technologies, upstream infrastructure and external shocks.
Zurich warns that a build-up in these risks could create a failure on a similar scale to the 2008 financial crisis. Such interconnected risks are compounded when a company outsources the management of its servers, information technology and cyber security to focus on its core activities. Little information may be known about the third party’s information security or business continuity safeguards, and that third party may in turn outsource activities to other companies.
The report calls for organisations to incorporate the best ideas from financial governance, such as creating a G20+20 Cyber Stability Board to enhance cyber risk management, and identifying and improving the governance of G-SIIOs (Global Significantly Important Internet Organizations).
“The Internet is the most complex system humanity has ever devised,” says Axel Lehmann, Group Chief Risk Officer and Regional Chairman Europe at Zurich Insurance Group. “Although it has been incredibly resilient for the past few decades, the risk is that the complexity which has made cyberspace relatively risk-free can – and likely will – backfire.”
Lehmann noted that organisations are unknowingly exposed to risks outside their organisation, having outsourced, interconnected or exposed themselves to an increasingly complex and unknowable web of networks.
“Few people truly understand their own computers or the Internet, or the cloud to which they connect, just as few truly understood the financial system as a whole or the parts to which they are most directly exposed.”