Hybrid Cloud
Cyber Security & NaaS
AI & Data
IoT & Connectivity
Business Applications
Intelligent Workplace
Consulting & Professional Services
Small Medium Enterprise
Health and Social Care
Industry
Retail
Tourism and Leisure
Transport & Logistics
Energy & Utilities
Systemic Cyber Risk: Threatening organizations and society
Situational context of systemic cybernetic risk
In the cybersecurity landscape, navigating systemic risks requires a delicate balance between foresight and preparedness, a balance that can define survival or catastrophe for industries across the board.
In the digital age, information and communication technologies (ICTs) support complex systems used in everyday activities. They keep our economies running in key sectors and industries (agriculture, manufacturing, automotive, energy, hospitality, finance, health, education, maritime, air, space and land transportation), which are improving the functioning of the global marketplace day by day.
Increased digitization and interconnectedness also amplifies ICT-related risk, and makes society as a whole, and in sectors and industries, more vulnerable to cyber threats or ICT disruptions. While the widespread use of ICT systems and high digitization and connectivity are nowadays key features of the global socio-economic dynamics activities, there is still a need to better address and integrate their digital resilience into their operations.
Systemic cyber risk: what is it?
Taking into account this whole scenario the G10 in 2001 defines systemic cyber risk as the risk that a cyber event (attack(s) or other adverse event(s) on an individual component of a critical infrastructure ecosystem will cause significant delays, denials, failures, disruptions or losses, such that services are affected not only in the originating component, but the consequences also cascade to related (logically and/or geographically) components of the ecosystem, resulting in significant adverse effects on public health or safety, economic security, or national security.
The cascading effect refers to a process in which an initial failure or disruption in a system triggers an "equal or opposite" chain reaction of subsequent failures.
In systems where a small problem can propagate through interconnected components, cascading effect may cause widespread and often unpredictable consequences.
This concept is particularly relevant in highly interdependent environments where the malfunction of one element can compromise the entire system.
A successful strategy for cybercriminals
Cyberattacks often have a cascading effect on cybersecurity due to the intricate and interconnected nature of modern digital systems. These systems rely on a network of interdependent components, including hardware, software, networks and data storage, meaning that a breach or failure in one component can quickly affect the others. This interconnectedness creates multiple points of vulnerability, allowing a single attack to propagate through the system and cause widespread disruption.
If we take a look back, there have been cyber attacks with cascading effect and one of them is the paradigmatic WannaCry ransomware in May 2017 that exploited a vulnerability (CVE-2017-0144) in the Server Message Block (SMB) protocol of the Microsoft Windows operating system using a tool called EternalBlue, once the ransomware infected a single machine, it used this vulnerability to spread to other vulnerable systems within the same network automatically.
Within hours this attack affected more than 360,000 electronic devices in more than 180 countries around the world amplifying its global impact.
Systemic cyber risks loom as the interconnectedness of our digital ecosystems poses not only a threat, but a fundamental challenge to the resilience of global infrastructures.
According to the World Economic Forum (WEF), it is crucial to understand that systemic risk is fundamentally different from non-systemic risk because of its broader and more complex consequences. Systemic risk involves failures that affect entire systems and not just individual parts or components. These failures arise from the intricate web of connections, dependencies and interdependencies within a system, causing cascading and often unforeseen consequences.
In addition, WannaCry exposed systemic problems in cybersecurity practices, such as inadequate patch management, poor network segmentation, and insufficient incident response strategies. These systemic weaknesses contributed to the rapid and widespread spread of ransomware. The attack's ability to exploit these common weaknesses reveals how systemic cyber risks can exploit structural vulnerabilities in interconnected systems.
✅ Addressing these risks requires a holistic approach to cybersecurity, including robust management from prevention, proactive threat detection and comprehensive incident response.
The foundations of trust are challenged by systemic cyber risks
Systemic risks can occur suddenly and unexpectedly, or they can accumulate over time if there are no adequate technological or management policies in place to deal with them. In the latter case, even minor inflection points can combine to cause significant failures. For example, risks that materialize through threat vectors common to multiple enterprises and ecosystems can cause substantial aggregate effects, especially when the vulnerability is inherent in operations shared by all enterprises.
In essence, the interconnected nature of modern systems means that risks affecting one party can spread rapidly, amplifying the overall impact. This interconnectedness requires global strategies to mitigate systemic risks, as their repercussions can be far-reaching and complex, affecting numerous entities simultaneously.
In my day-to-day work managing this type of risk, I see that today's most significant risks are neither abstract nor remote, but immediate and impactful.
The real economic and security impacts of materialized systemic risks typically arise from significant disruptions to confidence or certainty in critical services and data integrity. These impacts manifest themselves through disruptions to operations and can lead to the incapacitation or destruction of physical assets.
Systemic risks challenge the very foundation of trust that underpins economic and operational stability. When stakeholders lose confidence in the reliability of critical services or data integrity, it can trigger widespread panic leading to significant economic repercussions and destabilization of security frameworks.
Amid the complexities of modern cyberwarfare, dealing with systemic risks is not just about defending data, but safeguarding the very fabric of our interconnected economies and societies.
These disruptions can cause a domino effect, where the initial loss of confidence or operational failure cascades through interconnected systems, exacerbating the overall impact. The incapacitation of physical assets further exacerbates the problem, as it not only disrupts ongoing operations, but also undermines future recovery efforts. This interconnected fragility underscores the importance of robust risk management and resilience strategies to prevent small problems from becoming large-scale failures.
In addition, the destruction or rendering unusable of critical physical assets can have long-term detrimental effects, as rebuilding and restoring these assets requires considerable time and resources. This, in turn, affects supply chains, service delivery and overall economic stability.
✅ Addressing systemic risks therefore requires a holistic approach that takes into account the interdependencies of services, data integrity and physical assets to protect against pervasive and complex threats.
Beyond mere risk minimization, it is essential to adopt proactive strategies that anticipate, adapt and respond effectively to systemic risks. This requires a robust framework focused on generating and sharing high-quality data and analytics.
By leveraging comprehensive data insights, organizations can better understand interconnected risks and vulnerabilities, enabling them to implement preventative measures and improve resilience.
In addition, investing in “just-in-case” supply chains and “friend shoring” strategies, where critical supplies and resources are diversified across reliable partners and regions, can mitigate reliance on single sources and reduce the likelihood of cascading disruptions. This approach not only strengthens operational continuity, but also fortifies the overall ecosystem against unforeseen disruptions.
✅ In addition, it is paramount to integrate resilience into all facets of planning and decision-making processes. This involves integrating resilience considerations into strategic initiatives, operational frameworks and technology investments.
By design, resilient systems are adaptable and can withstand shocks, enabling organizations to maintain essential services and operations amidst changing threats.
Emphasizing scalability ensures that resilience measures can effectively adapt to growth and changing risk scenarios, safeguarding long-term stability and sustainability. Ultimately, an anticipatory and adaptive approach enables organizations to navigate the complexities and uncertainties inherent in systemic risks, fostering agility and resilience in an increasingly interconnected global environment.
✅ The European Union (EU) has put in place several strategies and regulations to address systemic risk in organizations, focusing on improving cybersecurity, data protection and cyber resilience of critical infrastructure, we have seen them in various regulations but now there is a major focus on DORA and NIS2.
By implementing these measures, the EU aims to create a resilient digital ecosystem that can effectively mitigate systemic risks.
These initiatives improve the cybersecurity posture of organizations, ensure the protection of critical infrastructure and encourage a collaborative approach to addressing emerging threats, thereby reducing the potential for widespread disruption.
Image: rawpixel.com / Freepik.
