Governments, private sector need a plan to address future and interconnected cyber risks

The phrase “what a difference a day makes” has never been truer than today, when the Internet permeates all aspects of life and interconnected cyber risks are far from being well-understood.

“On April 6, if you had a password on your accounts, your information was supposed to be secure and you probably felt protected. Then on April 7, Heartbleed took advantage of a fatal flaw in a safety feature that is supposed to keep our Web communication private,” Dan Riordan, CEO of Zurich Global Corporate North America, said during a press conference Monday at the RIMS 2014 Annual Conference & Exhibition in Denver.

It is not news that cyber risks are increasing, Riordan said, but emphasized the issue has the potential for much further implications than previously seen. “What is different is just how quickly the cyber risk landscape is changing,” he said in releasing risk management insights and recommendations specific to seven key industry sectors and business areas.

The sector-specific reports expand on Risk Nexus: Beyond Data Braches: Global Interconnections of Cyber Risk, the product of a year-long study by Zurich Insurance Group and international think-tank the Atlantic Council, which was released in mid-April.

From the conclusions identified in the larger report, specific implications and recommendations for automotive, construction, health care, information technology, larger corporations, small and mid-sized entities, and governments were then identified. The sector reports take a deeper dive to examine the impact of cyber risk on those business areas, Riordan said.

Jason Healey, report author and director of the Atlantic Council’s Cyber Statecraft Initiative, suggested the idea was to look beyond the usual suspects – for example, data braches, fraud and identify theft – to what the next big cyber risks will be in two, three or five years time.

“As risk managers and cyber security professionals, we tend to look at risk as if it’s self-contained within our own organization. When we do risk management, most of that focus tends to be: How good are we running password policy? How good are our servers? Are they all secure? Are we training people to do what they’re supposed to do? Is that getting up to the board?” he noted.

Although all are important issues, Heartbleed showed those measures were not enough. Waking up April 7, it was clear “that we are critically vulnerable to something that none of us had every really heard about because it was laid outside of the four walls of the company, outside of corporate control,” he said.

“A problem like Heartbleed expands outside the four walls of one actor and impacts the entire cyber community – with interactions and correlations that are hard to predict in advance,” Riordan suggested.

As such, the reports also delve into the global interconnections of risk. “Just like you’re interconnected in your supply chain for your normal business, we wanted to look at those interconnections (for cyber),” Healey said.

“It struck us that the way we look at cyber risk today is extremely similar to how we looked at financial risk prior to 2008,” he said, meaning one risk at a time, that things are not correlated, and that a cascade of effects is not possible.

The reports seek to help prepare risk managers to address cyber shocks and become more resilient, possibly helping to prevent what could be called a cyber sub-prime meltdown, notes a statement from Zurich and the Atlantic Council.

Depending on sector-specific factors, recommendations for managing risk include some combination of the following actions:

• shifting from protection to resilience;
• improving basic cyber security;
• embracing new technology, but carefully managing the risks;
• implementing incident response and business continuity planning;
• focusing on interconnection risks;
• pushing out the risk horizon and looking beyond its four walls; and
• practising board-level risk management.

“We think we’re going to be getting more cyber shocks, more cyber disruptions,” Healey said. A company facing more frequent or more intense hurricanes cannot respond by simply stacking more sandbags outside the business, he suggested. “You’ve got to focus on resilience, bouncing back more quickly. That’s good advice on storms and natural disasters; it’s good advice on cyber,” he said.

“We need a clear plan of what to do in the case of an event – both at the individual company level and also holistically,” Riordan says in the statement.

“The Internet is so complex and tightly coupled with the real world, it turns out we were all gravely exposed to a cyber risk in an obscure technology that few understand and we didn’t see coming,” Healey adds of Heartbleed. “This time it was just passwords, but what happens once the Internet is connected to the electrical grid or driverless cars?”