On October 23, 2013, the Atlantic Council’s Cyber Statecraft Initiative kicked off its Cyber Risk Wednesdays, an innovative series examining the ways that the public and private sectors are addressing the pressing issue of systemic cyber risks. Presented by the Atlantic Council and Zurich Insurance Group, the series provides an opportunity for government officials, business leaders, cyber security experts, and other stakeholders to discuss cutting-edge research and explore opportunities for collaboration in an informal setting.

Cyber Risk Wednesdays Presented by Zurich Insurance

The next event in the series will be held on November 20, 2013 and focus on the role of insurance in managing cybersecurity risks. Follow, pose questions, and comment on this and future Cyber Risk Wednesdays events on Twitter using #CyberWednesdays.

“Cyber is in the same place finance was prior to 2008,” said Jason Healey, the director of the Cyber Statecraft Initiative. Each company focuses on addressing its own cyber vulnerabilities, but decision-makers do not sufficiently appreciate that information security breaches in other companies, including companies in other industries, pose a threat to the overall system. Just as banks that did not hold at-risk mortgages ended up being adversely affected by the subprime mortgage crisis, companies cannot consider themselves protected from cyberattacks even if they implement all of the necessary standards of security such as encryption. This is because companies face overlapping sources of risk, including from outsourcing and contracting (poor security at the law firms they hire), the supply chain (counterfeit software), and external shocks (espionage or attacks by terrorist groups).

Technical staff are the ones most knowledgeable about the information security challenges facing companies, but it is the responsibility of board members and senior management to address high-level risk management, noted Jeff Schmidt, founder and CEO of JAS Global Advisors and a Zurich Cyber Risk Fellow at the Atlantic Council. Unfortunately, these high-level decision-makers, for the most part, have little technical expertise and, more importantly, do not fully appreciate the nature of the cyber threat. “They view information security as a nerd problem—‘Go throw money at it and make it go away’—not a risk management problem, not a problem full of tradeoffs,” said Schmidt. Entry into a new foreign market, for example, may carry the risk of increased vulnerability to intellectual property theft. There is a general lack of understanding at the senior level that many business decisions have an important information risk element to them, although there has been progress in this area over the last six years.

Larry Castro, the managing director at the Chertoff Group and the former National Security Agency/Central Security Service representative to the US Department of Homeland Security, argued that government efforts to deal with information risk are generally not well coordinated and “lack transparency.” Castro lamented the lack of common standards for evaluating information security risks, which in turn deters insurers from tackling vulnerabilities of the networks. When companies turn to government for help in times of crisis, the government response is not uniform, and there is an overreliance on personal relationships to attain information. The United States needs to address these shortcomings and to develop a governance structure that would allow the country to quickly recover from a cyberattack targeting the country’s power grid, for example.

Speakers commended the effectiveness and leadership of the private sector in responding to crises from the Morris worm in 1988 to this year’s revelations about espionage by China on US firms and government institutions. However, it remains an open question whether the private sector will be able to provide the sort of systemic response to information security crises that is expected of government in other fields. Regardless, the private and public sectors will need to find better ways to cooperate on managing cybersecurity risks, especially since it is unlikely any company will develop a fail-safe system to protect itself. “Just as we’ve had a succession of financial crises for our whole history…you may have a succession of cyber [crises],” predicted Mathew Burrows, the director of the Strategic Foresight Initiative at the Council.

Follow along, pose questions, and discuss Cyber Risk Wednesdays on Twitter.