The Federal Reserve Bank of New York’s Staff Report No. 909 explores how a cyberattack on several small or midsize banks could create an interbank funding failure. Such a failure would lead to a broader systemic liquidity crisis. Putting cybersecurity tools and policies in place at individual banks would not address the interconnectedness of the entire banking ecosystem. However, employing a thorough modeling approach that takes into account the potential points of cascading failures would help decision makers understand the interconnectedness of their risks, as Milliman’s Chris Harner, Chris Beck, and Blake Fleisher discuss in their article “Cyberattacks could cripple U.S. financial system.”
Cyber is proving itself to be the ultimate enterprise risk,
encompassing not only information technology, but also risks involving vendors,
people, legal questions, and reputation, all while moving with stealth and a
velocity that is extremely difficult to cope with.
What often flies under the radar is the risk posed to
companies that are not the direct target of cyberattacks. Who could have
predicted that an attack targeting Ukraine would simultaneously affect global
shipping, a pharmaceutical company in the U.S., and a chocolate company in
Australia? This type of risk event was unprecedented until the release of
NotPetya in June 2017.
The attack on Maersk is an example of the law of unintended
consequences when it comes to cyber. NotPetya’s impact on the shipping company
illustrates the “Three R’s” of complex risks like cyber: robustness,
resiliency, and redundancy.
In this article, Milliman’s Chris Harner, Chris Beck, and Blake Fleisher view Maersk’s experience and response to NotPetya through the lens of the Three R’s.