James E. Scheuermann
ABSTRACT
The literature on cyber insurance is replete with statements to the effect that “cyber risks are systemic risks.” Through an analysis of the concept of systemic risk and the categorization of 19 principal types of cyber risk, this article discusses the extent to which this view is true and the practical implications, for risk managers and cyber insuranceunderwriters, of the conclusion that only some cyber risks are systemic.
In the cyber context, systemic risk may be most usefully characterized as the risk that arises out of a digital network (1) that consists of standardized or functionally homogeneous, interconnected, and interdependent nodes; (2) that permits cascading adverse events throughout the nodes; and (3) in which such adverse events occur at such a high rate of speed that they cannot be contained at all or not in a timely fashion. I distinguish four types of systemic risk that satisfy this definition, depending on whether the node that is attacked in a cyber incident is “critical” or “non-critical” and whether it is internal or external to an enterprise.
This article reveals that (1) some cyber risks are always or virtually always systemic, some are never systemic, and some may or may not be systemic depending on particular factual circumstances; (2) the cyber risks that are systemic represent additional risks for firms relative to a non-digitally networked world; (3) that for policyholders in particular, the inquiry into whether a particular cyber risk is systemic practically translates to the questions of whether that risk can be identified, whether it is susceptible to management at all and, if so, in what fashion (through cyber insurance, technical means, or some other means); and (4) it is not possible to state as a general rule that cyber-systemic risks are either more or less manageable than those cyber risks that are not systemic. Broad pronouncements that “all cyber risks are systemic” do not advance sound cyber risk underwriting or cyber risk management. An understanding of the types of cyber risks faced by a firm and attention to particular factual circumstances are needed to effectively underwrite and manage cyber risks, whether they are systemic or not.