Cybersecurity

What the sea eagle can teach us about risk

White tailed sea eagles rest in their enclosure at the AWAP Wildlife Sanctuary in Zapresic May 3, 2012. The sanctuary, which is near Zagreb, has been struggling for a decade to get by with meager government funding. All its workers are unpaid volunteers, who nurse wounded animals back to health. Picture taken May 3, 2012.  REUTERS/Antonio Bronic (CROATIA - Tags: ANIMALS SOCIETY) - GM1E8541DHB01

Image: REUTERS/Antonio Bronic

Maya Bundt
Cyber Practice Leader, Swiss Re

In 1939, the Swiss chemist Paul Hermann Müller discovered that Dichlordipehyltrichlorethan, otherwise known as DDT, was a potent insecticide, and from then it was widely used to kill all kinds of pests worldwide.

However, one of DDT's metabolites, DDE, accumulates in the fatty tissue of fish and other aquatic animals. Thus, it aggregates upwards in the food chain, a process known as bioaccumulation.

Scheme of enrichment of pollutants in a food chain
Bioaccumulation of harmful substances Image: Wikipedia

The birds on top of the aquatic food chain, in this case the sea eagle (Haliaeetus albicilla) accumulated high concentrations of DDE, with the effect that they laid eggs with extremely thin and fragile shells.

The result was that the eggs were squashed more often than not when the parent sea eagle sat on the nest. Squashed eggs meant no baby birds, which meant no young adults, which meant the sea eagle joined the red list of endangered species.

Accumulation in insurance

The principle of accumulation is virtually the same in an insurance context.

An insurance company assumes many risks from many different parties, and the reinsurance company assumes portfolios of risks from many different insurance companies.

In fact, this is the nature and business model of insurance and reinsurance: to assume and diversify risks.

However, the diversification works only if risks are independent of each other.

If they accumulate heavily (for example, houses in an earthquake zone), insurers usually define the maximum amount of risk they are putting on to their balance sheets and steer their portfolio that way. This ensures capital adequacy for extreme events.

If accumulation is an everyday topic in insurance, how is the sea eagle illustration relevant to cyber?

Cyber has some commonalities with DDT.

  • It is a risk brought in on the back of something useful.
  • It is, or was, pretty much everywhere.
  • You cannot see, smell, hear or touch it.
  • It took years until laws and regulations were put in place to prevent its spread.
  • It requires international cooperation to counteract the threat effectively.

Thus, the risk of the extinction of the sea eagle due to DDT usage corresponds to the risk of financial distress of an insurer, or an economic system due to the accumulation of risks exposed to a cyber event.

There are a couple of examples from the recent past that show how cyber risks can accumulate.

Malware attacks

The first example is fast and wide-spreading general malware, not targeted to one company.

Let's look at Petya/NotPetya.

Within a couple of days in June 2017 this malware infected computers of companies in industries as diverse as shipping, banking, retail, pharma, advertising, law, postal services, oil, food manufacturing, and healthcare. It struck at businesses indiscriminately around the world.

The malware infected Microsoft Windows-based systems that were not patched for a specific vulnerability. Many machines that still ran older, unsupported versions of Windows, for which patches did not exist, were infected.

Could one have known that these risks were not independent of each other, that they had a common vulnerability that could be exploited?

Possibly, yes, if one had realized that so many organizations were running, maybe unknown to themselves, unpatched, old windows machines.

Targeted attacks

Another example of how many companies can be affected by the same cause and therefore accumulate, is a targeted attack on a vital internet service.

In October 2016, a massive Distributed Denial of Service (DDoS), attack on DNS provider Dyn, led to major websites like Paypal, Netflix, Twitter or Amazon being unavailable for several hours.

The accumulation pathway in this case was a dependency on a single service used to operate the internet.

The third example has not happened yet, at least not in the breadth described by the authors of the study, Business Blackout, published by Lloyds of London and the University of Cambridge in 2015.

It is a thought experiment of a targeted cyber-attack on critical infrastructure in the United States – the power grid.

The predicted effects on people, businesses, and the whole economy are quite frightening and show the large accumulation of losses in such an event.

Beyond insurance

These three examples show that cyber events affecting many people, companies, and public institutions are not only an insurance problem but might affect a whole economy.

Coming back to the sea eagle, what saved this magnificent species was the abandonment of DDT as a widely used insecticide.

With cyber risk, this is not so easy. Cyber risks are here to stay if we do not want to give up the benefits of digitization.

Therefore, we need to understand better how entities are interconnected, where the neuralgic points are in our digitally interconnected world, and how cyber risks accumulate.

This heightened understanding of risk accumulation needs to be combined with additional measures to increase the cyber resilience of systems. These include: increased awareness by company leaders, improved basic cyber hygiene across all industries, ubiquitous 'security by design' adoption, and a sensible exchange of data that will take us a big step forward.

Extinction is not an option.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Stay up to date:

Insurance

Share:
The Big Picture
Explore and monitor how Insurance is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

5 ways to achieve effective cyber resilience

Filipe Beato and Jamie Saunders

November 21, 2024

We asked 6 tech strategy leaders how they're promoting security and reliability. Here's what they said

About us

Engage with us

  • Sign in
  • Partner with us
  • Become a member
  • Sign up for our press releases
  • Subscribe to our newsletters
  • Contact us

Quick links

Language editions

Privacy Policy & Terms of Service

Sitemap

© 2024 World Economic Forum