CrowdStrike: What Lessons Can We Learn?

Two big cyber outages in two months. If it’s a question of “if, not when”, the Risk and Cyber officers need to team up to minimize losses from the next one. Ryan Dodd, Founder and CEO, Intangic, takes a look at the risks for insurance brands.

It’s no longer a question of “if” but “when” for these serious outages. Why?

We all like the productivity benefits of digital transformation. However, with increased productivity can come increases in risk, the more your network ecosystem is digitally interdependent across all business functions. Unlike the systems risk and complexity we can visually observe in manufacturing plants, transportation grids or energy production, the latticework of cyber plumbing running our workflows is invisible. Out of sight, out of mind. There is no government oversight or safety standards regulating how our various interdependent workflow software should interconnect.

Worse, critical functions in this digital ecosystem are provided by a surprisingly small number of providers, meaning a single error by one can interrupt business for millions.

As we’ve seen with the most recent outages (CrowdStrike and NHS), these factors continue to demonstrate how our increased reliance on invisible, complex, and interdependent cyber systems means more fragility in our daily workflows. This is the downside risk of digital transformation. Around 60% of the global public cloud services market is controlled by two companies, AWS (40%) and Azure (21%), as of end 2023. Seven companies have nearly 60% of the endpoint security market.

CrowdStrike is the second largest endpoint security vendor with a 15% share of the global market. Microsoft has a ~70% share of the global operating system market for the desktops and laptops that power global commerce.

As the software flaw causing the recent Microsoft outage was not the result of a company violating any law or regulation, there is no financial incentive to improve dangerous or faulty code. The outage is an example of the risks of placing a premium on speed over stability. US CISA Director Jen Easterly bluntly said as much in a post one day after the event.

While the cause of the disruptions to companies over the past several days was not a cyber-attack this time, the result is still business interruption losses in the billions.

No easy answers to the most pressing questions for insurers and insureds alike

Policymakers and regulators most likely will take action to institute regulations requiring stronger digital security standards. We’ve seen this already in the wake of the NHS breach with proposed legislation by Prime Minister Keir Starmer.

REGULATION, RISKS & VALIDATING SYSTEMS

In the US, the tech lobby has deep pockets and is resistant to government oversight, but the scale of impact on people’s lives from these events will move the regulatory needle over time, albeit slowly. This means that for now the digital ecosystems we rely on remain fragile, and future business interruption risk is a reality risk managers must navigate. The event is being considered a litmus test in the cyber insurance market by some analysts.

Carriers may determine the risk too complex to offer ‘system failure’ coverage. Insureds, on the other hand, are now more aware of business interruption (BI) and systems failure issues and will be seeking some kind of adequate cover/risk transfer. Boards and C-suites will be directing more pointed questions at risk managers and asking if they are doing enough to mitigate losses if an event like this happens again. As of right now, none of these market participants have good answers.

Companies can focus on the tech BI risks more within their control and risk managers do?

For organisations looking to avoid financial losses from technology outages or attacks, recent events show that more resources should be spent on cyber prevention and validation of risk controls. This should be a collaboration between the risk and security teams. Good prevention needs to combine both risk financing and preventative technologies.

Organizations should not ‘silo’ or separate the teams managing technology risk from other risks of the organization. Whether it’s a cyberattack or software outage, it’s up to the risk manager to manage the crisis—and therefore risk teams should have more tools and a greater role in advance of these crises, working more closely alongside the CISO and security team.

As a first step, investing in risk prevention combined with knowing what the total financial losses could be (vs. total insurable losses) puts companies and risk managers in the same value chain as the security team. Even for members of boards and C-suites of companies that woke up on Monday morning having experienced minimal disruptions from the outage, many are no doubt asking the question, ‘are we doing enough as a company to minimize the likelihood of BI or CBI events that are within our control?’

Like with other risks, having the ability to validate any early warning signs of technology problems can save on much greater losses in future.

About Alastair Walker
20 years experience as a journalist and magazine editor. I'm your contact for press releases, events, news and commercial opportunities at Insurance-Edge.Net
