The Zurich Cyber Risk Report, produced in collaboration with the Atlantic Council, argues that cyber-risk management professionals need to look beyond their internal information technology safeguards to interconnected risks which can build up in relation to counterparties, outsourced suppliers, supply chains, disruptive technologies, upstream infrastructure and external shocks.
Zurich warns that a build-up in these risks could create a failure on a similar scale to the 2008 financial crisis. These interconnected risks can then be compounded when a company outsources the management of its servers, information technology and cyber security to focus on its core activities.
“The internet is the most complex system humanity has ever devised. Although it has been incredibly resilient for the past few decades, the risk is that the complexity which has made cyberspace relatively risk-free can – and likely will – backfire,” Axel Lehmann, Group Chief Risk Officer and Regional Chairman Europe at Zurich Insurance Group, stated.
“Organisations are unknowingly exposed to risks outside their organisation, having outsourced, interconnected or exposed themselves to an increasingly complex and unknowable web of networks.”
The report calls for organisations to incorporate the best ideas from financial governance, such as creating a G20+20 Cyber Stability Board, to enhance cyber risk management.
The seven interconnected risks identified by the report are:
Internal IT enterprise:
This relates to risks associated with the cumulative set of an organisation’s internal IT. Examples of risks include hardware, software, servers and related people and processes.
Counterparties and partners:
This is the risk from dependence on, or direct interconnection with, an outside (usually non-contractual) organisation, for example university research partnerships, corporate joint ventures and industry associations.
Outsourced and contract:
The risk here usually comes from a contractual relationship with external suppliers of services such as IT and cloud providers, HR, legal, accounting and consultancy.
Supply chains:
There are risks to supply chains for the IT sector and cyber risks to traditional supply chains and logistics, for example counterfeit or tampered products or disruption.
Disruptive technologies:
These are the risks from unseen effects of disruptions either to or from new technologies: those already existing but poorly understood, or those due soon, such as the internet of things.
Upstream infrastructure:
These are the risks from disruptions to infrastructure relied on by economies and societies, such as the internet, electricity, financial systems and telecommunications.
External shocks:
These are risks from incidents outside the system and the control of most organisations which are likely to cascade, for example major international conflicts or a malware pandemic.
New research from Zurich Insurance Group shows that organisations need to improve their response to cyber risks to avoid a global shock similar to the 2008 financial crisis.