The European Systemic Risk Board (ESRB) has released a paper describing a conceptual model for systemic cyber risk, aiming to:
- provide a structured approach that can be used to describe cyber incidents, from genesis through to a potential systemic event;
- demonstrate the link between the crystallization of cyber risk in a firm-specific context (portraying microprudential concerns), and the possible ramifications for the financial system (applying a macroprudential focus);
- identify system-wide vulnerabilities and the unique characteristics of cyber incidents which can act as amplifiers, thereby propagating shocks through the financial system;
- support the use of historical or theoretical scenario-based analysis to demonstrate the viability of the model;
- suggest system-wide interventions that could act as systemic mitigants.

Although the model is geared towards disruption arising from cyber incidents, it can also be used for any source of operational disruption (although some elements of the model may be less relevant).
Policy considerations arising from the model:
- A systemic event arising from a cyber incident is conceivable. Cyber incidents resulting in near-systemic consequences have occurred, in circumstances that can be described as “severe, but plausible”. However, a truly systemic event would require an alignment of amplifiers and a lack of effective systemic mitigants that would be “extreme, but existential” in nature.
- A cyber incident which causes only operational-to-operational contagion may have system-wide impacts. However, the current base of evidence suggests that a systemic event requires the confidence and/or financial contagion channels to be triggered.
Model overview
In order to deconstruct and describe the macro-financial implications of operational and cyber risks, the systemic cyber risk model is split into four distinct phases:
- Context – the circumstances in which a cyber incident arises, in the form of a crystallized cyber risk;
- Shock – a description of the technical and business impacts experienced at the moment the cyber incident originates;
- Amplification – the systemic amplifiers and contagion channels which exacerbate the shock through a system, increasing the magnitude of the impact experienced;
- Systemic event – the point at which a system is no longer able to absorb the shock.