What the sea eagle can teach us about risk

In 1939, the Swiss chemist Paul Hermann Müller discovered that Dichlordipehyltrichlorethan, otherwise known as DDT, was a potent insecticide, and from then it was widely used to kill all kinds of pests worldwide.

However, one of DDT's metabolites, DDE, accumulates in the fatty tissue of fish and other aquatic animals. Thus, it aggregates upwards in the food chain, a process known as bioaccumulation.

The birds on top of the aquatic food chain, in this case the sea eagle (Haliaeetus albicilla) accumulated high concentrations of DDE, with the effect that they laid eggs with extremely thin and fragile shells.

The result was that the eggs were squashed more often than not when the parent sea eagle sat on the nest. Squashed eggs meant no baby birds, which meant no young adults, which meant the sea eagle joined the red list of endangered species.

Accumulation in insurance

The principle of accumulation is virtually the same in an insurance context.

An insurance company assumes many risks from many different parties, and the reinsurance company assumes portfolios of risks from many different insurance companies.

In fact, this is the nature and business model of insurance and reinsurance: to assume and diversify risks.

However, the diversification works only if risks are independent of each other.

If they accumulate heavily (for example, houses in an earthquake zone), insurers usually define the maximum amount of risk they are putting on to their balance sheets and steer their portfolio that way. This ensures capital adequacy for extreme events.

If accumulation is an everyday topic in insurance, how is the sea eagle illustration relevant to cyber?

Cyber has some commonalities with DDT.

Thus, the risk of the extinction of the sea eagle due to DDT usage corresponds to the risk of financial distress of an insurer, or an economic system due to the accumulation of risks exposed to a cyber event.

There are a couple of examples from the recent past that show how cyber risks can accumulate.

Malware attacks

The first example is fast and wide-spreading general malware, not targeted to one company.

Let's look at Petya/NotPetya.

Within a couple of days in June 2017 this malware infected computers of companies in industries as diverse as shipping, banking, retail, pharma, advertising, law, postal services, oil, food manufacturing, and healthcare. It struck at businesses indiscriminately around the world.

The malware infected Microsoft Windows-based systems that were not patched for a specific vulnerability. Many machines that still ran older, unsupported versions of Windows, for which patches did not exist, were infected.

Could one have known that these risks were not independent of each other, that they had a common vulnerability that could be exploited?

Possibly, yes, if one had realized that so many organizations were running, maybe unknown to themselves, unpatched, old windows machines.

Targeted attacks

Another example of how many companies can be affected by the same cause and therefore accumulate, is a targeted attack on a vital internet service.

In October 2016, a massive Distributed Denial of Service (DDoS), attack on DNS provider Dyn, led to major websites like Paypal, Netflix, Twitter or Amazon being unavailable for several hours.

The accumulation pathway in this case was a dependency on a single service used to operate the internet.

The third example has not happened yet, at least not in the breadth described by the authors of the study, Business Blackout, published by Lloyds of London and the University of Cambridge in 2015.

It is a thought experiment of a targeted cyber-attack on critical infrastructure in the United States – the power grid.

The predicted effects on people, businesses, and the whole economy are quite frightening and show the large accumulation of losses in such an event.

Beyond insurance

These three examples show that cyber events affecting many people, companies, and public institutions are not only an insurance problem but might affect a whole economy.

Coming back to the sea eagle, what saved this magnificent species was the abandonment of DDT as a widely used insecticide.

With cyber risk, this is not so easy. Cyber risks are here to stay if we do not want to give up the benefits of digitization.

Therefore, we need to understand better how entities are interconnected, where the neuralgic points are in our digitally interconnected world, and how cyber risks accumulate.

This heightened understanding of risk accumulation needs to be combined with additional measures to increase the cyber resilience of systems. These include: increased awareness by company leaders, improved basic cyber hygiene across all industries, ubiquitous 'security by design' adoption, and a sensible exchange of data that will take us a big step forward.

Extinction is not an option.