The SolarWinds breach is getting uglier — systemically ugly. The breadth and impact of the SolarWinds breach have been described as making it one of the most severe cyber-attacks in history.
There have also been reports of "insider trading" by SolarWinds institutional investors before the breach became public. That all but guarantees an SEC investigation, along with other litigation. Add the third-party risk exposure of key federal government agencies and of the roughly 18,000 other customers reported to have installed the compromised software update, and this is a systemic risk disaster unfolding in real time.
Is this the wake-up call corporate boards have needed on cybersecurity risk oversight? Will it finally make them understand how systemic risk thrives throughout their complex digital business systems? Will it drive the appointment of corporate directors with cybersecurity skills and force boards to organize themselves more effectively for cybersecurity risk oversight, reducing both litigation risk and business-related cyber risk? And if boards don't do this on their own, will regulators force them to?
Does this also change the cybersecurity risk oversight standards for the technology industry? As the purveyors of the very digital tools that create these systemic risks, should the bar be higher for the boards and companies whose products create critical systemic risks in the larger digital system? Will regulators force systemic risk reforms and systemic risk management onto the technology industry, as they did onto the financial sector?
When regulators stepped in after the financial crisis of 2008, they addressed systemic risk head-on with The Dodd-Frank Act. Systemic risk, which was reflected in the phrase “too big to fail” back then, became painfully apparent in the financial system as the financial crisis played out.
The Financial Stability Board (www.fsb.org) was formed in April 2009 with a mandate explicitly focused on systemic risk in the global financial system. Its mandate says:
"Embedded in the FSB's structure is a framework for the identification of systemic risk in the financial sector, for framing the financial sector policy actions that can address these risks, and for overseeing implementation of those responses."
The FSB annually identifies the institutions that represent critical systemic risks to the larger interconnected global financial system. Known as Systemically Important Financial Institutions (SIFIs), these roughly 30 institutions, among them State Street, Credit Suisse, Barclays and Goldman Sachs, create critical, higher-order systemic risks for the larger system. In other words, if one of them goes down, it can threaten the financial system as a whole.
Systemic risk exists in complex, interconnected, interdependent systems and arises from the dependencies between the parts rather than from any single part. A small risk that starts in one part of the system can cascade and amplify until it threatens the larger system, or the entire system. That is precisely the type of risk playing out in the SolarWinds breach: a compromise of one vendor's build process rode a trusted software update channel into thousands of customer environments at once. And it is precisely the risk that exists in every company's complex digital business system. Equifax was a systemic risk failure, as are most cybersecurity failures: small failures that become much bigger problems in the larger system. The conventional risk management practices put in place after Sarbanes-Oxley, and the Enterprise Risk Management policies and practices introduced alongside them, don't adequately address systemic risk.
Systemic risk is now THE critical risk of our complex world, as we're all experiencing with the Covid crisis. It is a risk that business and public sector leaders are largely neither aware of nor paying attention to. While the financial services sector has significantly improved its understanding of systemic risk, that understanding, unfortunately, came only after the financial sector meltdown of 2008.
Corporate boards are the first and last line of defense on systemic risk. Awareness will increase as the SolarWinds disaster unfolds, but action is needed to mitigate the impacts of the next systemic risk disaster. When leaders don't understand systemic risk, they have only two options once the system starts to fail: ignore it and let the risk play out, or shut the system down. The third option is for companies and corporate boards to understand systemic risk before disaster happens, so they can mitigate it before it spins out of control.
The growing level of systemic risk in the interconnected digital business system that every company relies upon is a disaster waiting to happen for most companies. The technology sector, too, must understand these issues and their broader implications, and lead on them.
Will the Cybersecurity Disclosure Act of 2019 (formerly known as the Cybersecurity Disclosure Act of 2015 and 2017) finally become law under the Biden administration and force corporate boards to address their lack of cybersecurity skills and competencies in the boardroom?
Corporate boards don't have to wait for legislation to act on these issues, and some aren't waiting. Companies like FedEx and Walmart have corporate directors with deep technology and cybersecurity skills on their boards. The SolarWinds board did as well, but that is only one part of effective risk oversight.
There are three parts to boardroom reform and effective oversight of digital and cybersecurity risk. One, the skills need to be in the boardroom to understand these issues. Two, the board needs to organize itself effectively around these issues in order to execute its responsibilities, for example with a technology and cybersecurity committee. And three, the board needs to understand systemic risk throughout the company's complex digital business system.
FedEx, Walmart, and a few others are already doing this and offer leading practices that any corporate board can learn from.
Systemic risk is on full display with this breach. When one part of a complex system carries critical risk and many other parts depend on it, that part becomes both a key vulnerability and a desirable target for attackers: compromising it gives them reach into everything downstream. We'll see much more of this until corporate boards begin to lead and take action to govern systemic risks more effectively.
We’re not in Kansas anymore.