Keynote Session

Cyber risk has been a topic of research at the Cambridge Centre for Risk Studies since it was originally founded 10 years ago. Cyber was originally cited as an ’emerging risk’ – a poorly understood threat to business and the economy that featured in the first published CCRS taxonomy of threats.

The Centre’s research initially focused on developing scenarios to understand the potential for cyber attacks to cause systemic losses across multiple organisations – a poorly understood concept at the time. Over subsequent years, the Centre’s research has explored many different aspects of cyber risk, including categorising causal mechanisms, quantifying loss processes, and monitoring changes in our annual cyber risk outlooks. The Centre’s work on cyber has ranged from applications in supporting the development of the cyber insurance market, understanding risk in critical national infrastructure, potential for cyber to be used by terrorists, and how large businesses should manage their own cyber risk.

At our 10th anniversary, cyber research now forms over a third of the research programme of the Centre. Over that time, cyber risk has transformed and shifted. Loss processes have evolved, different attack technologies have been deployed, and new defence techniques have been developed. The business community has accepted that cyber risk is something that can be assessed at a particular moment in time, and that annual updates of cyber risk are the appropriate outlook for a risk that is this dynamic.

However, the 10th anniversary of the Centre for Risk Studies is also an opportunity to speculate about how the risk could potentially change over the next 10 years. Several of our research partners and community of business supporters have posed questions to us of how organisations should develop strategic multi-year business plans that can be robust against the changes in cyber risk that could potentially occur during the next decade.

This conference is our response to that challenge. We have invited speakers from many different disciplines and areas of cyber expertise. We have brought together practitioners, advisors and risk capital providers to explore the future of cyber risk. We have posed questions to all of the presenters and participants: how might cyber risk continue to change over the next decade? How should businesses plan to accommodate risks to their digital business systems, suppliers, and counterparties in the longer term?

We recently revisited our highly cited 2012 paper on “Counting the Cost of Cyber Crime” and found that in seven years the world has seen huge changes, with the smartphone replacing the PC and laptop as the consumer terminal of choice, with Android replacing Windows as the most popular operating system, and with many services moving to the cloud.

Nevertheless, the overall pattern of cyber crime is remarkably little changed with the big losses still being in tax benefit and welfare fraud and the amount we are spending to defend against all those exotic new “cyber” threats far exceeding the actual cost of the crimes. Naturally there are new cyber crimes to worry about including ransomware and Business Email Compromise (and old crimes that have almost disappeared), but perhaps the most interesting questions concern whether we view the deployment of cyber-weapons such as the NotPetya worm as crimes rather than collateral damage from undeclared wars? In this talk I gallop through what is currently going on and what is going to determine whether cyber crime becomes more or less important in the next few years.

Predictions are far too hard to do, especially of the future, but it’s reasonably easy to start to learn how to think rationally about threats, threat actors, how to avoid being a victim and what institutional changes we need to see to make us all safer.