Cyber Security – The Next Systemic Crisis?
In the summer of 2007, an unexpected threat appeared on the horizon for the U.S. and global economy. August 2007 marked the opening salvo in a demonstration of how systemic risk can affect the global economy. As the Brookings Institution observed in “The Origins of the Financial Crisis,” the crisis “had its origins in an asset price bubble that interacted with new kinds of financial innovations that masked risk; with companies that failed to follow their own risk management procedures; and with regulators and supervisors that failed to restrain excessive risk taking.” Many of these same elements and correlations are inflating the growing cyber security bubble, and many of the same “fox guarding the henhouse” tendencies are influencing this systemically important market.
The Federal Reserve estimated that the Great Recession cost the U.S. as much as $14 trillion in lost economic activity. State unemployment insurance trust funds borrowed a total of $50 billion from the Federal Government to replenish their coffers as jobless claims soared. Plummeting home values left approximately 11.6 million households owing more than their homes were worth by the end of the recession. The same types of systemic correlations exist in the fast-growing cyber security market, which encompasses a wide range of interconnected services, such as IT security, crisis response and compliance, and, perhaps most importantly, the cyber insurance market, which attaches to the balance sheets of more than 80 insurers – and through them to the economy writ large.
In the aftermath of the Great Recession, several measures were put in place to prevent such a catastrophe from recurring. This “Monday Morning Quarterbacking” should give us pause, however: what other crises are looming on the horizon for which measures can be proactively implemented to prevent or mitigate the next big one? While August 2007 can be referenced as the “beginning” of the Great Recession, an equally insidious threat has been menacing the global economy ever since, namely systemic cyber risk.
Experian, Yahoo!, Target, Sony Pictures, Evernote, the U.S. Military, the Federal Government, the Virginia Department of Health, T.J. Maxx, AOL, Citigroup, BNY Mellon, eBay, Anthem, JPMorgan Chase, the 2016 presidential election. These are but a small handful of the entities and events that have fallen prey to cyber security threats. While the causes of the Great Recession can largely be traced to greed on Wall Street, insufficient oversight by regulators, and the breakdown of risk management procedures within organizations, cyber threats are similarly the product of human behavior and poor risk management. Money, fame, political influence, the promotion of ideologies and the desire for public disclosure are what motivate attackers; inattention on the part of defenders is what lets them in. Critically, just as with protecting vital financial systems, underinvestment amplifies cyber risks and their attendant losses, both acute and attritional.
The systemic financial risks that caused the Great Recession and cyber threats share several important traits: the staggering costs they can levy on an economy, their correlations across sectors, their ability to lie dormant and fester for years, and the heavy toll they take on people. Indeed, AIG’s new personal cyber insurance policy is a bet that this personal fear will manifest in yet another growing segment of the booming cyber insurance market, where gross written premiums are estimated to grow from $2.5 billion in 2015 to $7.5 billion in 2020. Cyber insurance is the fastest-growing segment of the otherwise mature insurance industry. All the major players are jumping into the cyber fray, and the race for competitive differentiation may lead to the very types of financial innovations that mask risk but do not in fact offset it. By this measure, in a catastrophic cyber loss hitting multiple sectors at once, the limited pool of IT security talent would be analogous to the limited pool of liquid capital that all parties were clamoring for during the financial crisis.
When it comes to mitigating cyber risk, far too much energy is being spent on privacy and compliance (both are important) and far too little on business continuity and systemic risk. Insurers are aware of this market focus, which is why the majority of cyber insurance policies base their actuarial models – limited as they are – on a price-per-record approach to personally identifiable information (PII). The real exposure in the market is more akin to catastrophic loss, the kind of systemic risk we saw during the financial crisis. The exponential growth of connected devices, the internet of things (IoT), along with every other point of connection across industries, economies and countries, makes cyber risk a systemic threat. Unlike the systemically important financial institutions at the center of the financial crisis, the points of failure that contribute to systemic cyber risk are hard to identify in advance: a shared dependency such as a DNS provider, a cloud platform or a widely used software component can be invisible until it fails.
The October 2016 attack on Dyn, a major provider of managed DNS (Domain Name System) services, underscores how global connectivity is at once an asset and a liability in the modern economy. Dyn’s DNS infrastructure was overwhelmed in a distributed denial of service attack carried out by a botnet of compromised connected devices, including home webcams and digital video recorders infected with the Mirai malware, which directed overwhelming traffic at Dyn’s servers. Because the affected companies relied on Dyn to resolve their domain names, large swaths of the internet became unreachable even though those companies’ own systems were never attacked, including household names like Twitter, Netflix and Spotify, among others. A similar attack on financial trading platforms, systemically important banks, stock exchanges or critical infrastructure would certainly have a more calamitous outcome than millions of frustrated web surfers.
Learning from the past is an intelligent way to prepare for the future, hence the importance of applying the lessons of the financial crisis to the ongoing issue of systemic cyber risk. Similar to the banking regulations put in place to manage risk more effectively, regulations must be implemented to understand and combat cyber threats while enhancing cyber resilience. Not unlike the concept of identifying systemically important financial institutions (SIFIs), examples like the Dyn attack underscore how a seemingly insignificant enterprise can have broad ramifications for cyber resilience. Should regulators develop a list of systemically important entities when it comes to managing cyber risk? Should those entities, like their financial counterparts, be required to create so-called “living wills” disclosing how their distress or failure would be handled? Is there a cyber equivalent of the “Volcker Rule” that would firewall certain activities? What hedging mechanisms can be put in place as a financial backstop for the cascading losses that can emanate from systemic cyber risk?
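Identifying a shared dependency of the Dyn kind does not have to wait for a regulator’s list; an organization can measure its own exposure. The following is an added example, not code from the original article, that takes a set of domains and the authoritative name servers each one publishes, groups those name servers by operator, and reports which domains would lose name resolution entirely if a single operator went down. The domain names and NS records are constructed for illustration, and the operator-to-hostname mapping (Dyn’s dynect.net, Route 53’s awsdns-NN.* and Cloudflare’s ns.cloudflare.com suffixes) is an assumed, partial table that a real deployment would extend.

```python
"""Measure DNS-provider concentration across a portfolio of domains.

Added example (not from the article). Input is a mapping of domain ->
NS hostnames as returned by an NS lookup; everything here is offline.
"""
import re
from collections import defaultdict

# Constructed sample data, not live DNS records.
SAMPLE_NS_RECORDS = {
    "example-shop.test":  ["ns1.p03.dynect.net", "ns2.p03.dynect.net"],
    "example-media.test": ["ns3.p03.dynect.net", "ns4.p03.dynect.net"],
    "example-bank.test":  ["ns1.p03.dynect.net", "ns-123.awsdns-15.com"],
    "example-chat.test":  ["ns-456.awsdns-56.org", "ns-789.awsdns-03.net"],
    "example-self.test":  ["dns1.example-self.test", "dns2.example-self.test"],
}

# Assumed, partial operator table: NS hostname pattern -> operator label.
PROVIDER_PATTERNS = [
    (re.compile(r"\.dynect\.net$"), "Dyn"),
    (re.compile(r"\.awsdns-\d+\.(com|net|org|co\.uk)$"), "AWS Route 53"),
    (re.compile(r"\.ns\.cloudflare\.com$"), "Cloudflare"),
]


def provider_of(ns_host):
    """Map one NS hostname to an operator label."""
    host = ns_host.rstrip(".").lower()
    for pattern, name in PROVIDER_PATTERNS:
        if pattern.search(host):
            return name
    # Unlisted or self-hosted operator: group by the last two labels so
    # that name servers under the same zone still count as one operator.
    return ".".join(host.split(".")[-2:])


def providers_for(ns_records):
    """domain -> set of operators its authoritative name servers belong to."""
    return {d: {provider_of(ns) for ns in hosts} for d, hosts in ns_records.items()}


def single_provider_domains(ns_records):
    """Domains with no second operator: a single DNS failure takes them off the net."""
    return sorted(d for d, provs in providers_for(ns_records).items() if len(provs) == 1)


def blast_radius(ns_records, provider):
    """(hard, degraded): domains that lose all / some name servers if `provider` fails."""
    hard, degraded = set(), set()
    for domain, hosts in ns_records.items():
        hits = sum(1 for ns in hosts if provider_of(ns) == provider)
        if hits and hits == len(hosts):
            hard.add(domain)
        elif hits:
            degraded.add(domain)
    return hard, degraded


def concentration(ns_records):
    """operator -> fraction of the portfolio that depends on it at all."""
    counts = defaultdict(int)
    for provs in providers_for(ns_records).values():
        for p in provs:
            counts[p] += 1
    total = len(ns_records)
    return {p: n / total for p, n in counts.items()}


if __name__ == "__main__":
    for op, share in sorted(concentration(SAMPLE_NS_RECORDS).items(), key=lambda kv: -kv[1]):
        hard, degraded = blast_radius(SAMPLE_NS_RECORDS, op)
        print(f"{op:14s} share={share:.0%} hard={sorted(hard)} degraded={sorted(degraded)}")
    print("single-operator domains:", single_provider_domains(SAMPLE_NS_RECORDS))
```

In the constructed sample, three of five domains touch Dyn, two of them exclusively; those two are the Twitter-and-Netflix case from the attack above, unreachable without a single packet aimed at them. The domain that splits its name servers between two operators is only degraded, which is the argument for a secondary DNS provider. The same grouping applies to any shared dependency with a recognizable fingerprint, such as certificate authorities or CDN hostnames.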
Insurance is clearly part of this resilience equation. However, insurance that merely covers third-party liability and customer notification costs will hardly address the next trillion-dollar crisis, let alone one that can spread across sectors instantaneously. Perhaps the biggest lesson of the financial crisis, in which we privatized gains and socialized losses, is that unhedged systemic risks will be borne by taxpayers. Just as the uninsured represent a heavy burden on the healthcare system, uninsured or underinsured organizations will needlessly burden the system and potentially imperil the economy.