April 16, 2014
Highly visible security breaches, like Target and Heartbleed, impact millions of companies around the world but coverage of such events often fails to highlight a fundamental shift occurring in the nature of cyber risks. While the effects of data breaches are largely assumed to be contained within each individual organization, as the Internet becomes increasingly coupled with the real world cyber incidents will begin to reach beyond any single company and impact the entire system.


Read the report

20140416 ZurichCyberReport Cover 200
Released on April 16, Beyond Data Breaches: Global Interconnections of Cyber Risk, is a year-long study by the Atlantic Council and Zurich Insurance Group that analyzes interrelated cyber hazards and underlying risks, suggesting ways to better prepare governments and businesses for the cyber shocks of the future.

"Governments and organizations need to take a holistic view and look beyond the issue of data breaches to the danger of global shocks instigated and magnified by the interconnected nature of the Internet," Frederick Kempe, president and CEO of the Atlantic Council, said underlining the relevance of the report. Kempe noted that current approaches to cybersecurity are limited in that risk managers treat cyber risks in an insular and narrow fashion while neglecting evidence of wider systemic risks. Michael Kerner, CEO of General Insurance at Zurich Insurance Group stressed that organizations must look at interconnected risks that exist beyond internal safeguards which concentrate among counterparties and external sources like customers, vendors, outsourced contractors, or parts of the supply chain.

Overall, the Internet has been resilient because of a combination of stable technology, dedicated technicians, and proven resistance to random outages. So far, the effects of cyber incidents have been either widespread but fleeting, or persistent but narrowly focused. No attacks thus far have resulted in both widespread and persistent disruption.

"The extended period of stability and prosperity we have seen from the Internet is likely to change in the future. More shocks will be initiated or amplified through the Internet," said Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council's Brent Scowcroft Center on International Security and the primary author of the report. As society becomes increasingly coupled with the real economy and society, Internet failures are more likely to have real–and increasingly precarious–consequences, going beyond effecting things made of ones and zeros.

Steven D. Crocker, one of the creators of the Internet claimed that "although knowledge of the basic technology of the Internet has improved, the possible aggregation of risks and the unforeseen coupling of risks may cause the most serious consequences." The report recommends that understanding of collective risks need to be much more comprehensive and expansive within governments and companies, and that risk managers seeing far beyond their internal IT enterprises have to better grasp their vulnerabilities. Accordingly, Dan Riordan, CEO Zurich Global Corporate North America underscored that "comprehensive understanding of cyber risks is the prerequisite to their management. In this regard, emphasizing cybersecurity, beyond risk managers to C-suite is a notable positive evolution in tackling the current challenges."

Catherine Mulligan, senior vice president of Zurich North America added that creating a culture of awareness of risks within an organization is another way of strengthening the preparedness of an organization for future cyber shocks. Because too much risk faced by companies will be external, complex, and interdependent, the main hope for companies is resilience, the ability to bounce back from disruptions or to make them as short and limited as possible.