Cyber Risk is Systemic

Systemic risk is any risk where the failure of one part can affect the whole.  The most common examples of this are in the financial system and medicine.  Both finance and medicine are complicated, interconnected systems where failure in one area affects systems far away.  Unfortunately, the financial system saw this in 2008 with the failure of Lehman Brothers, and medicine sees this every day with illness. Both the financial system and the human body are a “system of systems” leading to this intricate interdependency.

The same is true of cyber risk. 

Information systems and data are more interconnected and dependent than ever before.  A mix of hybrid datacenters with on-premises and cloud resources, multiple software-as-a-service platforms, and generative AI---just to name a few---creates a greater dependence on not only these systems but the Internet to transport data among these interdependent workflows.  These dependencies---in addition to the existing servers, workstations, switches, cables, etc. required for function---form a system of systems in the modern business workforce.

Cyber risk assessments look across these interdependencies in modern business and use risk assessment to provide business leaders an understanding of the impact to the business’ strategic objectives.  Then, proper risk reduction techniques can be implemented as the business sees fit.

However, this is not the only way cyber risk is systemic.  Because everyone is responsible for cyber risk, the risk from cybersecurity is interdependent across the workforce.  For example, preventing a phishing attack on your organization not only requires technical systems to reduce potential threats, but it urgently requires phishing training for your employees.

Good cybersecurity risk decisions impact all areas of the business.  They protect the security of information systems and privacy of data throughout the organization while educating the workforce as the first line of defense.  Today, more than ever cyber risk decisions can drive business.  Conversely, bad cybersecurity decisions (or no decisions) can have a tsunami of impact that ultimately takes business away and negatively impact the business’ strategic objectives.

The mortgage industry is not immune from attack.  As part of the financial system, the mortgage industry is just one part of the systemic system.  Ensure that you’ve done your best to manage the systemic risk of cyber.

Kevin Robinson, CISSP, DDN.QTE, Associate C|CISO, is Head of Cybersecurity Services for The Commonwealth Group.  He has a 20-year career in cybersecurity, risk assessment, intelligence and counterintelligence.  His previous employers include Thornburg Investment Management, Los Alamos National Laboratory, L3Harris, and the Central Intelligence Agency.