Cybersecurity solutions are mainly focused on mitigating specific known risks. In a DerivSource commentary, Tari Schreider, Strategic Advisor for Aite-Novarica Group, argues that it is time to consider what happens when cyber risks have systemic implications.
When financial institutions think about cybersecurity, they mostly picture the organisation getting hacked and data or money being stolen. There are often strong protocols and many singular solutions in place to mitigate these types of risk.
However, what financial institutions do not think about enough is the systemic risk posed by cyber events that impact important players within the financial ecosystem. For example, cloud computing provides obvious cost and scalability advantages, but if too many financial technology vendors relied on the same cloud services provider, and that provider experienced a catastrophic outage, it would take whole swathes of the industry offline. Financial industry cloud applications, such as Fiserv, Salesforce or Twilio, that serve many financial institutions pose a similar systemic risk. Cloud-native applications focus on reducing customer friction and improving back-office operations, but in the event of a utility failure or outage, tens of thousands of financial institutions and customers could be affected.
The risk of outage could come from a simple fire, a cable disruption, or a targeted cyber-attack from criminal groups or aggressive nation-state actors. Recent geopolitical events increase the latter risk as Russia could conceivably seek to punish the West for imposing sanctions on its economy. Ransomware is a common cyber tactic, and increasingly “wiperware” is an issue, where the attacker seeks only to cause widespread damage rather than to extract payment.
Systemic cyber risk thinking remains too abstract
Systemic technology risk is not a problem the cyber security industrial complex can solve – it is a collective problem rather than something that can be addressed by a particular product or solution. Instead, there is a need for highly resilient technology infrastructures. Several working papers have been produced, for example by the Depository Trust and Clearing Corporation (DTCC) or Bank for International Settlements (BIS), considering this issue and the implications for the financial industry.
Regulators are also starting to focus on the issue of technology resiliency. After focusing more on systemic liquidity and credit risk following the great financial crisis that began in 2008, regulators are increasingly looking to ensure resiliency in the financial markets. For example, the EU’s Digital Operational Resilience Act (DORA) enables regulators to issue cease and desist orders to firms that are not following resiliency best practices.
However, warnings about what could happen are rarely enough. Risks often do not become real to people until an attack has actually happened. This unfortunately can lead to apathy in the face of a potential calamity.
Some firms have done stress testing and regulators have begun to look at the systemic risks. Next steps might include end party risk assessments, looking at how many degrees of separation there are between the collapse of one provider and a system-wide impact. If a firm falls, how many other firms would be affected? How can firms insulate themselves?
Institutions have a plan for what happens when a hacker steals some data. They also need a plan for what happens if an internet outage takes several banks offline at the same time. They have business continuity plans, but if all firms rely on a single telco provider for these workarounds, for example, that is still a single point of failure, and they are still vulnerable to a determined cyber-attack.
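The dependency analysis described above (degrees of separation from a failed provider, and shared providers acting as a single point of failure) can be made concrete. The following is an added example, not part of the commentary or any Aite-Novarica tool; the dependency map and all names in it are constructed and hypothetical.

```python
from collections import deque

# Constructed dependency map (hypothetical names): node -> providers it cannot run without.
DEPENDENCIES = {
    "bank-a": ["core-saas", "telco-1"],
    "bank-b": ["core-saas", "telco-1"],
    "bank-c": ["payments-saas", "telco-2"],
    "broker-d": ["payments-saas", "telco-1"],
    "core-saas": ["cloud-x"],      # two SaaS vendors share one cloud provider
    "payments-saas": ["cloud-x"],
    "telco-1": [],
    "telco-2": [],
    "cloud-x": [],
}
FIRMS = {"bank-a", "bank-b", "bank-c", "broker-d"}


def downstream(deps):
    """Invert the map: provider -> nodes that depend on it directly."""
    rev = {node: [] for node in deps}
    for node, providers in deps.items():
        for p in providers:
            rev.setdefault(p, []).append(node)
    return rev


def blast_radius(deps, failed):
    """BFS over reverse dependencies; returns {node: degrees of separation from the failure}."""
    rev = downstream(deps)
    hops = {failed: 0}
    queue = deque([failed])
    while queue:
        cur = queue.popleft()
        for dependant in rev.get(cur, []):
            if dependant not in hops:
                hops[dependant] = hops[cur] + 1
                queue.append(dependant)
    del hops[failed]
    return hops


def single_points_of_failure(deps, firms, threshold=0.5):
    """Providers whose outage takes at least `threshold` of firms offline, as (provider, share), worst first."""
    out = []
    for node in deps:
        if node in firms:
            continue
        hit = set(blast_radius(deps, node)) & firms
        if len(hit) / len(firms) >= threshold:
            out.append((node, len(hit) / len(firms)))
    return sorted(out, key=lambda t: -t[1])
```

In the constructed map, `cloud-x` is two hops away from every firm yet takes all of them offline, and `telco-1` is a single telco used by three of the four firms; both are concentration risks that a per-firm continuity plan would not reveal.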
Cyber experts at the board level
There is a growing need to converge physical, digital and cyber risk, but at the moment these areas are often very siloed. Going forward, firms will need a cybersecurity expert at the board level. Some firms have started to add new titles such as Chief Trust Officer (CTRO), although LinkedIn currently lists only 180.
Other new C-suite titles, such as Chief Revenue Officer or Chief Growth Officer, are also valuable for breaking down risk silos. They do not focus solely on systemic risks, but they have an eye on the whole organisation rather than a single business area. Getting different views and perspectives enables firms to see the bigger picture and imagine what could yet happen. Firms need to think outside the box and score potential risks to determine the priorities for spending. They do a good job on the known risks but are less focused on what may be around the corner.
More threat modelling needed
Firms need a credibly vetted threat inventory before they can apply risk models. The industry currently does not spend enough time doing threat analysis and does not take threats seriously unless they happen. The focus is too much on dealing with the financial or reputational impact of what has happened to an organisation.
Y2K was supposed to turn all the lights off but that didn’t happen. As a result, we expect technology to just always work. Systemic risk is like climate risk – we know at some level it is there and likely bad, but we don’t really believe it is imminent.
At the end of the day, more systemic risk modelling is needed. The industry has risk scales for everything except systemic risk. The industry needs to be able to quantify degrees of systemic risk: for example, what would the level of disruption be, and how long would it take to recover?