Description:
In October 2017, the European Systemic Risk Board (ESRB) set up a group whose objective was to examine cyber security vulnerabilities within the financial sector, and their potential impact on financial stability and the real economy. In its first year, the European Systemic Cyber Group (ESCG) sought to develop a shared understanding of Common Individual Vulnerabilities (CIVs) across ESRB members, and to identify the unique characteristics of cyber risk that could contribute to a systemic event. Building on this work, this paper describes a conceptual model for systemic cyber risk, and aims to: - provide a structured approach that can be used to describe cyber incidents, from genesis through to a potential systemic event; - demonstrate the link between the crystallisation of cyber risk in a firm-specific context (portraying microprudential concerns), and the possible ramifications for the financial system (applying a macroprudential focus); - identify system-wide vulnerabilities and the unique characteristics of cyber incidents which can act as amplifiers, thereby propagating shocks through the financial system; - support the use of historical or theoretical scenario-based analysis to demonstrate the viability of the model; - suggest system-wide interventions that could act as systemic mitigants. Although the model is geared towards disruption arising from cyber incidents, it can also be used for any source of operational disruption (although some elements of the model may be less relevant).