cyber risks systemic risks and cyber insurance
play

Cyber Risks, Systemic Risks, and Cyber Insurance James E. - PDF document

Feb 07, 2024 •30 likes •350 views

Cyber Risks, Systemic Risks, and Cyber Insurance James E. Scheuermann* A BSTRACT The literature on cyber insurance is replete with statements to the effect that cyber risks are systemic risks. Through an analysis of the concept of

  1. Cyber Risks, Systemic Risks, and Cyber Insurance James E. Scheuermann* A BSTRACT The literature on cyber insurance is replete with statements to the effect that “cyber risks are systemic risks.” Through an analysis of the concept of systemic risk and the categorization of 19 principal types of cyber risk, this article discusses the extent to which this view is true and the practical implications, for risk managers and cyber insurance underwriters, of the conclusion that only some cyber risks are systemic. In the cyber context, systemic risk may be most usefully characterized as the risk that arises out of a digital network (1) that consists of standardized or functionally homogeneous, interconnected, and interdependent nodes; (2) that permits cascading adverse events throughout the nodes; and (3) in which such adverse events occur at such a high rate of speed that they cannot be contained at all or not in a timely fashion. I distinguish four types of systemic risk that satisfy this definition, depending on whether the node that is attacked in a cyber incident is “critical” or “non-critical” and whether it is internal or external to an enterprise. This article reveals that (1) some cyber risks are always or virtually always systemic, some are never systemic, and some may or may not be systemic depending on particular factual circumstances; (2) the cyber risks that are systemic represent additional risks for firms relative to a non-digitally networked world; (3) that for policyholders in particular, * James E. Scheuermann is a partner in the Pittsburgh office of K&L Gates LLP, where he represents policyholders in insurance coverage matters. He received his J.D. from the University of Pittsburgh School of Law (1989) and his Ph.D. (philosophy) from the University of Chicago (1982). This article reflects the author’s views on insurance issues, but does not necessarily reflect his views on the resolution of those issues. Moreover, this article does not necessarily reflect the views of any client of K&L Gates LLP or the firm itself. Mr. Scheuermann acknowledges the thoughtful comments and research assistance of Laura K. Veith, and the helpful comments of Carolyn M. Branthoover, John R. Hardin, and Jeffrey J. Meagher, all attorneys at K&L Gates. This article does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts without first consulting a lawyer. 613

  2. 614 P ENN S TATE L AW R EVIEW [Vol. 122:3 the inquiry into whether a particular cyber risk is systemic practically translates to the questions of whether that risk can be identified, whether it is susceptible to management at all and, if so, in what fashion (through cyber insurance, technical means, or some other means); and (4) it is not possible to state as a general rule that cyber-systemic risks are either more or less manageable than those cyber risks that are not systemic. Broad pronouncements that “all cyber risks are systemic” do not advance sound cyber risk underwriting or cyber risk management. An understanding of the types of cyber risks faced by a firm and attention to particular factual circumstances are needed to effectively underwrite and manage cyber risks, whether they are systemic or not. Table of Contents I. � I NTRODUCTION ...................................................................................... 614 � II. � � “C YBER R ISK ” AND “S YSTEMIC R ISK ” .................................................. 616 � A. � Definitions and Distinctions ......................................................... 616 � B. � Further Distinctions: The Lloyd’s Hypothetical Attack on Electric Generation Plants ............................................................ 624 � III. � � T HE V ARIETIES OF C YBER R ISKS ........................................................... 629 � A. � The Merely Semantic Answer to Our Question ............................ 629 � B. � The Classification of Cyber Risks ................................................ 630 � C. � Which Cyber Risks Are Systemic, and Not? ................................ 633 � 1. � Cyber risks that are not systemic ............................................ 634 � 2. � Cyber risks that are always or nearly always systemic ........... 634 � 3. � Cyber risks that are systemic or not depending on the circumstances .......................................................................... 634 � 4. � Cyber risks that are systemic in different ways ...................... 636 � IV. � � I NSURANCE AND R ISK M ANAGEMENT I MPLICATIONS ........................... 637 � V. � � C ONCLUSION ......................................................................................... 642 � I. I NTRODUCTION Are cyber risks systemic risks? This question is commonly answered affirmatively in the literature on cyber insurance. Lloyd’s of London (“Lloyd’s”), for example, states that a principal characteristic of cyber risk “is systemic exposure” because “[d]igital networks and shared technologies form connections that can be exploited by attackers to generate widespread impacts.” 1 In analyzing the risk associated with a cyber attack on a major cloud service provider, Lloyd’s and AIR 1. L LOYD ’ S , B USINESS B LACKOUT : T HE I NSURANCE I MPLICATIONS OF A C YBER A TTACK ON THE U.S. P OWER G RID 3 (2015), https://www.jbs.cam.ac.uk/fileadmin/ user_upload/research/centres/risk/downloads/crs-lloyds-business-blackout-scenario.pdf.

  3. 2018] C YBER R ISKS , S YSTEMIC R ISKS , AND C YBER I NSURANCE 615 Worldwide write that the “reliance on a relatively small number of [cloud service] companies has resulted in systemic risk for businesses using their services.” 2 When the term “systemic” is not expressly used, close synonyms are often used to characterize cyber risk. In the insurance trade press, one insurer’s cyber leader stated that cyber risk “stems from how everything is connected across the internet, which places everything at risk.” 3 Similarly, we are told by two scholars of cyber insurance markets that “[d]ue to [the] significant homogeneity and presence of dependencies in computer systems[,] their failure is highly correlated. [The] [r]ecent spate of Internet worms like MS-Blaster and Sasser have [sic] highlighted this very threat.” 4 The purpose of this article is (1) to analyze whether all, some, or no cyber risks are systemic, (2) for those that are, to explore the extent and ways they are systemic, and (3) to offer some reflections on why the understanding of certain cyber risks as systemic is important, or not, for participants in insurance markets. I argue that (1) only certain cyber risks are systemic, (2) there are four different ways a risk can be systemic, (3) it is more productive for policyholders and underwriters to view cyber risks in the plural, with some being systemic and some not, and to manage those risks accordingly, and (4) it is not possible to state as a general rule that cyber-systemic risks are either more or less manageable than those cyber risks that are not systemic. The conclusion that only some cyber risks are systemic may have an air of the obvious. To take an easy example, the use of a stand-alone computer presents certain cyber risks but no systemic risks, as we intuitively understand “cyber risks” and “systemic risks.” Nonetheless, the issue whether all cyber risks are systemic risks is important in itself and is useful to better understand the varieties of cyber risks and for cyber risk management guided by that understanding. At a minimum, this article is intended to dispel some of the misperceptions arising out of loose and casual claims that all cyber risks are systemic. These misperceptions may lead either to the (incorrect) view that cyber risk 2. L LOYD ’ S & AIR W ORLDWIDE , C LOUD D OWN , I MPACTS ON THE U.S. E CONOMY 5 (2018). 3. Laurie Kamaiko, Emerging Cyber Risk: Can Insurers ‘Hack’ It? , M ONDAQ B US . B RIEFING (Dec. 6, 2017), http://www.mondaq.com/unitedstates/x/653120/Security/ Emerging+Cyber+Risk+Can+Insurers+Hack+ItEmerging+Cyber+Risk+Can+Insurers+H ack+It. 4. Rainier Böhme & Gauray Kataria, On the Limits of Cyber-Insurance , in T RUST B US 2006: T RUST AND P RIVACY IN D IGITAL B USINESS 31, 33 (S. Fischer-Hübner et al. eds., 2006); M ARSH , A DDRESSING C YBER R ISK 5–7 (2017), see also https://www.treasury.gov/initiatives/fio/Documents/1-Cyber_Insurance_Market_ MarshLLC.pdf (stating, in Marsh PowerPoint slides, that cyber risk is systemic risk because of “widespread vulnerability,” “single points of failure,” and “cascading consequences”).

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks

Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks

AUGUST 25, 2015 Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks Tyler Gerking, Partner David B. Smith, CPCU, ARM, Insurance & Risk Management Consultant What is Cyber Insurance?

368 views • 10 slides
on Cyber Security Presentation by Control Risks James Owen Partner, Cyber, EMEA William Brown

on Cyber Security Presentation by Control Risks James Owen Partner, Cyber, EMEA William Brown

The impact of Covid-19 on Cyber Security Presentation by Control Risks James Owen Partner, Cyber, EMEA William Brown Director, Cyber, Middle East 1 Control Risks Cyber attacks exploiting the pandemic Share of attack vector of organized

447 views • 10 slides
Evolving Cyber Risks for Small Businesses Sponsored By: Evolving Cyber Risks for Small

Evolving Cyber Risks for Small Businesses Sponsored By: Evolving Cyber Risks for Small

Evolving Cyber Risks for Small Businesses Sponsored By: Evolving Cyber Risks for Small Businesses Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides Recording of todays webinar Corresponding

515 views • 19 slides
Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced

Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced

Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced Persistent Threats (APT) Cybercriminals, Exploits and Malware Denial of Service attacks (DDoS) Domain name hijacking Corporate

347 views • 13 slides
Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to

Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to

Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to prepare for Cyber Risk: 3 2 1 Understand the tech & Cyber insurance Focus on company interconnected risks culture 2 Policy: Protection &

774 views • 18 slides
rpliA Implantable Medical Devices Cyber Risks and Mitigation Approaches NIST Cyber Physical

rpliA Implantable Medical Devices Cyber Risks and Mitigation Approaches NIST Cyber Physical

rpliA Implantable Medical Devices Cyber Risks and Mitigation Approaches NIST Cyber Physical Systems Workshop April 23-24, 2012 Dr. Sarbari Gupta, CISSP, CISA sarbari@electrosoft-inc.com; 703-437-9451 ext 12 Agenda Overview of IMDs

553 views • 28 slides
1 Today's Speakers From Control Risks Control Risks 3 Luke Fardell James Lythe Shaun Flint

1 Today's Speakers From Control Risks Control Risks 3 Luke Fardell James Lythe Shaun Flint

Control Risks 1 Today's Speakers From Control Risks Control Risks 3 Luke Fardell James Lythe Shaun Flint Consultant Associate Director Associate Director Cyber Protect Digital Forensics Crisis Management Global Cyber Security trends

801 views • 31 slides
Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics

Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics

Introduction Systemic Risk Cyber as systemic Conclusion Cyber Risk as Systemic Risk Jon Danielsson Systemic Risk Centre London School of Economics www.systemicrisk.ac.uk June 10 th 2016 Introduction Systemic Risk Cyber as systemic

351 views • 24 slides
Risks in the U.S. Life Insurance Sector Jill Cetina Columbia University, Workshop on Systemic

Risks in the U.S. Life Insurance Sector Jill Cetina Columbia University, Workshop on Systemic

Risks in the U.S. Life Insurance Sector Jill Cetina Columbia University, Workshop on Systemic Risk in Insurance October 28, 2016 Views expressed in this presentation are those of the speaker(s) and not necessarily of the Office of Financial

439 views • 14 slides
What is Insurance? Insurance is protection against risks. We face many risks in our lives:

What is Insurance? Insurance is protection against risks. We face many risks in our lives:

What is Insurance? Insurance is protection against risks. We face many risks in our lives: Car accident Theft Disability Heart attack Etc. Consumers buy insurance to pay for the costs associated with some of these

188 views • 5 slides
GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - GLOBAL RISKS - - - GLOBAL RISKS GLOBAL RISKS

GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - GLOBAL RISKS - - - GLOBAL RISKS GLOBAL RISKS

GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - GLOBAL RISKS - - - GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - - - - What should the Asian market worry about? Dr. Paul Fisher, LBMA Chairman Asia Pacific Precious Metals Conference,

517 views • 9 slides
Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The Evolution of Cyber Insurance Is Cyber Risk Already Insured? Cyber And Data Protection Is Not Just An IT Issue Case Study Cyber Risk Stakeholders The

1.03k views • 8 slides
What Commercial Litigators Need to Know Protecting and Defending Against New and Emerging Cyber

What Commercial Litigators Need to Know Protecting and Defending Against New and Emerging Cyber

Presenting a live 90-minute webinar with interactive Q&A Data Breaches and Cyber Liability: What Commercial Litigators Need to Know Protecting and Defending Against New and Emerging Cyber Risks WEDNESDAY, JUNE 3, 2015 1pm Eastern |

758 views • 32 slides
Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security

Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security

Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security Security Insurance: Security Insurance: Insurance: Insurance: A Montana Perspective A Montana Perspective Presented by: d b Brett E. Dahl,

197 views • 8 slides
CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats to small businesses 3. Cyber Recovery Insurance Y our presenters Anne Jackson Sarah Morton Gary Hibberd Sales Director, Lorega Sales and

342 views • 31 slides
Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management Association Date: August 18, 2016 Agenda An Overview of Cyber Risk Exposures 1. Legal & Regulatory Trends 2. Marshs Cyber Risk Management

649 views • 31 slides
We Are Provant. 13,000+ Employees Strong Office locations in East Greenwich, RI and Olathe,

We Are Provant. 13,000+ Employees Strong Office locations in East Greenwich, RI and Olathe,

We Are Provant. 13,000+ Employees Strong Office locations in East Greenwich, RI and Olathe, KS Clinical heritage Passionate, committed, responsive team Impacting 3+ Million Lives Across America 98% participant satisfaction

302 views • 28 slides
Tucson Fire Department 2012 Awards Presentation Included in this PDF is information of the

Tucson Fire Department 2012 Awards Presentation Included in this PDF is information of the

Tucson Fire Department 2012 Awards Presentation Included in this PDF is information of the following General Information 2012 Awards Ceremony, held April 19, 2013 2012 Awards Ceremony, held April 19, 2013 2012 Awards Ceremony, held April 19, 2013

334 views • 16 slides
MILLENNIALS AND BEYOND 2017 IASFAA Conference Speaker: Raymond Yee Director of Business

MILLENNIALS AND BEYOND 2017 IASFAA Conference Speaker: Raymond Yee Director of Business

MILLENNIALS AND BEYOND 2017 IASFAA Conference Speaker: Raymond Yee Director of Business Development DEFINING THE GENERATIONS 3 Whos Who Over the Years Baby Boomer Gen X Millennial or Gen Y Gen Z or iGen (1945-1964) (1964-1980)

290 views • 28 slides
Vegesack Location- Vegesack/ Bremen Vegesack Details Inhabitants: 34 505 people Area:

Vegesack Location- Vegesack/ Bremen Vegesack Details Inhabitants: 34 505 people Area:

Vegesack Location- Vegesack/ Bremen Vegesack Details Inhabitants: 34 505 people Area: ca. 12 000 m Parts: Vegesack is divided in 5 parts: Vegesack Grohn Schnebeck Fhr- Lobbendorf Aumund- Hammersbeck

331 views • 11 slides
Happiness & Sustainability Around the Earth SDSN Hong Kong Session COVID-19, Globalisation

Happiness & Sustainability Around the Earth SDSN Hong Kong Session COVID-19, Globalisation

Happiness & Sustainability Around the Earth SDSN Hong Kong Session COVID-19, Globalisation and Philanthropy Leong Cheung Executive Director, Charities and Community The Hong Kong Jockey Club Co-Chair, SDSN Hong Kong The COVID-19 pandemic

411 views • 19 slides
Power Solutions If you can read this Click If you can read this Click on the icon to choose a on

Power Solutions If you can read this Click If you can read this Click on the icon to choose a on

Power Solutions If you can read this Click If you can read this Click on the icon to choose a on the icon to choose a Strategic Review picture or picture or Reset the slide . Reset the slide . To Reset: Right click on the slide To Reset: Right

394 views • 13 slides
Fiscal 2020 If you can read this Click If you can read this Click First Quarter on the icon to

Fiscal 2020 If you can read this Click If you can read this Click First Quarter on the icon to

Fiscal 2020 If you can read this Click If you can read this Click First Quarter on the icon to choose a on the icon to choose a picture or picture or Reset the slide . Reset the slide . Results To Reset: Right click on the slide To Reset:

1.26k views • 29 slides
Fiscal 2018 Fourth Quarter If you can read this Click If you can read this Click on the icon to

Fiscal 2018 Fourth Quarter If you can read this Click If you can read this Click on the icon to

Fiscal 2018 Fourth Quarter If you can read this Click If you can read this Click on the icon to choose a on the icon to choose a Results picture or picture or Reset the slide . Reset the slide . To Reset: Right click on the slide To Reset:

849 views • 35 slides

More recommend