This week we heard from the heads of the largest technology companies on the planet. What does history teach us about systemic risk?
The financial crisis of 2007-2008 was a teachable moment about the obscure risks of highly interconnected and interdependent systems. Prior to the almost complete meltdown of the world’s financial systems, few outside of bond traders and financial speculators had heard of Credit Default Swaps or Collateralized Debt Obligations.
In a recent blog post on diginomica, Kurt Marko writes that economists often use the term “too big to fail” when describing financial firms whose failure would have such catastrophic implications for the broader economy that it would be irresponsible to allow them to become insolvent. The term came into common use during the financial crisis to justify huge bailouts for firms like AIG, Citibank, and Fannie Mae.
The Tangled Web of Technology Services
RAND researchers Jonathan Welburn and Aaron Strong used the financial crisis as a cautionary example when summarizing their research findings in a recent column that questions whether some technology firms have become “Too interconnected to fail.”
There have been some lessons in systemic technology risks when highly interconnected systems like DNS, cloud infrastructure or online marketplaces fail. For example, the 2016 bonnet DNS attack interfered with name resolutions for dozens of websites including Amazon, Netflix, Paypal and Twitter. While some of these restored service by switching to backup providers, the scope and ramifications of the attacks were ominous.
“Just like CDOs, however, the cascading network effects present a much larger risk to the whole economy. A single disruption to AWS, perhaps due to a large-scale cyberattack, would instantly be a cross-sector problem, potentially shutting down swaths of the economy. And private enterprises would not be the only ones affected: GovCloud, a tailor-made version of AWS, provides cloud services for the Defense and Justice departments and the Internal Revenue Service.”
Unlike 2008, no one today is worried about Amazon, Apple or Google going out of business. Instead, the risk in the online, cloud-based economy is that sustained, wide-scale outages at one could quickly disturb businesses throughout the economy.
What are the Risks for your Association?
If the financial engineering before the 2007 crisis taught us anything, it is that any highly interconnected system designed to eliminate risks contains obscure, often unperceived threats that only manifest themselves after the damage is done.
Welburn and Strong concluded that firms in various sectors are systemically important and vulnerable to shocks, including technology (e.g., Alphabet, Amazon, Apple, Cisco), telecommunications (e.g., AT&T), and health care (e.g., UnitedHealth Group, CVS Health).
“The highly networked nature of the economy has the potential to amplify known sources of systemic risks and add new ones. After the Covid-19 pandemic, which is accelerating the transition to a virtual economy, policy makers need to broaden their definition of systemic risk.”
The conclusion? Online marketplaces, app stores, cloud services and application services could be this decade’s version of CDOs and CDSs, but with ramifications across a broader swath of the economy.
What can you do to reduce the risks of systemic failures with technology providers?
Spread the risk. Instead of waiting for a government commission to conduct a postmortem on some future cloud-based failure after the damage is done, organizations must include risk mitigation and redundancy measures into all future deployments of cloud, application and communications services.
Here are some strategies to mitigate ‘Too Big to Fail’ in your technology stack:
1. Backups are still important – ‘off-site’ backup has a new meaning. If you are using one cloud service for file storage, you should use a different cloud service provider to store your backups.
2. Understand the risks – a simple diagram can help. Make sure you include all components of your technology stack, not just the ‘network plumbing’. Perform scenario analysis to examine where an outage or failure will cause problems. Work with the technology team to define business continuity strategies.
3. Create redundancy – when it comes to technology, redundancy can be a good thing. If a primary system fails, the fail-over system can be deployed. Concentrate on geographic and platform diversity.
4. Formalize your Business Continuity Plan – make the Business Continuity Plan (BCP) a part of your overall strategic plan.
If you need help developing or updating your BCP, CIMATRI can help. Contact us at firstname.lastname@example.org