Cybersecurity

DORA: What the new European Framework for Digital Operational Resilience means for Business

Publié le 27 novembre 202227 novembre 2022 par hanswillertbleuazurconsultingeu

On 10 November 2022, the European Parliament voted to adopt a new EU regulation on digital operational resilience for the
financial sector (DORA). With obligations under DORA coming into effect late in 2024 or early 2025 at the latest, in this briefing we take a closer look at its impact and consider what the regulation will mean for firms, their senior managers and operations and what firms should be doing now in preparation for day one compliance.

What is DORA?

Aimed at harmonising national rules around operational resilience and cybersecurity regulation across the EU, DORA establishes uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide services related to information communication technologies (ICT), such as cloud platforms or data analytics services.

DORA creates a regulatory framework on digital operational resilience whereby all in-scope firms need to make sure that they can withstand, respond to, and recover from, all types of ICT-related disruptions and threats. ICT is defined broadly to include digital and data services provided through ICT systems to one or more internal or external users, on an ongoing basis.

DORA forms part of the EU’s Digital Finance Package (DFP), which aims to develop a harmonised European approach to digital finance that fosters technological development and ensures financial stability and consumer protection. The DFP also includes legislative proposals on markets in cryptoassets (MiCA), distributed ledger technology and a digital finance strategy.

Who will need to comply with DORA?

DORA will apply to financial entities, including:

credit institutions,
payment institutions,
e-money institutions,
investment firms,
cryptoasset service providers (authorised under MiCA) and issuers of asset-referenced tokens,
central securities depositories,
central counterparties,
trading venues,
trade repositories,
managers of alternative investment funds and management companies,
data reporting service providers,
insurance and reinsurance undertakings,
insurance intermediaries,
reinsurance intermediaries and ancillary insurance intermediaries,
institutions for occupational retirement pensions,
credit rating agencies,
administrators of critical benchmarks,
crowdfunding service providers and
securitisation repositories (Financial Entities).

DORA will also apply to ICT third-party service providers which the European Supervisory Authorities (the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), acting through their Joint Committee) (ESAs) designate as « critical » for Financial Entities (Critical ICT Third-Party Providers) through a newly established oversight framework.

The ESAs would make this designation based on a set of qualitative and quantitative criteria, including:

the systemic impact on the stability, continuity or quality of financial services in the event that the ICT third-party
provider faced a large-scale operational failure to provide its services;
the systemic character or importance of Financial Entities that rely on the ICT third-party service provider;
the degree of reliance of those Financial Entities on the services provided by the ICT third-party service provider in
relation to critical or important functions of those Financial Entities; and
the degree of substitutability of the ICT third-party service provider.

Any ICT third-party service provider not designated as critical would have the option to voluntarily « opt in » to the oversight. The ESAs may not make a designation in relation to certain excluded categories of ICT third–party service providers, including where Financial Entities are providing ICT services

to other Financial Entities,
to ICT third–party service providers delivering services predominantly to the entities of their own group or
to those providing ICT services solely in one Member State to financial entities that are active only in that Member State.

What are the key obligations?

DORA introduces targeted rules on ICT risk management capability, reporting and testing, in a way which enables Financial Entities to withstand, respond to and recover from ICT incidents. In principle, some of the requirements imposed by DORA, such as for ICT risk management, are already reflected to a certain extent in existing EU guidance (for example, the EBA Guidelines on ICT and security risk management).

The proposals include requirements relating to:

ICT risk management

DORA sets out key principles around internal controls and governance structures. A Financial Entity’s management body will be expected to be responsible for defining, approving, overseeing and being continuously accountable for a firm’s ICT risk management framework as part of its overall risk management framework. As part of the ICT risk management framework, Financial Entities need to maintain resilient ICT systems, revolving around specific functions in ICT risk management such as

identification of risks,
protection and prevention,
detection,
response and recovery and
stakeholder communication.

Reporting of ICT-related incidents

DORA aims to create a consistent incident reporting mechanism, including a management process to detect, manage and notify ICT-related incidents. Incidents deemed « major » would need to be reported to competent authorities within strict time frames, including initial notifications « without delay » on the same day or next day by using mandatory reporting templates. In some cases, communication to service users or customers may be required.

Testing

As part of the ICT risk management framework, DORA requires Financial Entities to adopt a robust and comprehensive digital operational resilience testing programme covering ICT tools, systems and processes. Certain Financial Entities must carry out advanced testing of their ICT tools, systems and processes at least every three years using threat-led penetration tests.

Information sharing

DORA contains provisions which should facilitate the sharing, among Financial Entities, of cyber threat information and intelligence, including

indicators of compromise,
tactics,
techniques and procedures,
cyber security alerts and
configuration tools

to strengthen digital operational resilience.

Localisation

Financial Entities will only be permitted to make use of the services of a third-country Critical ICT Third-Party Provider if such provider establishes a subsidiary in the EU within 12 months following its designation as a Critical ICT Third-Party Provider.

A simplified set of ICT risk framework requirements will apply to certain Financial Entities, including small and non-interconnected investment firms and payment institutions exempted under the Second Payment Services Directive. Such entities will need to comply with a reduced set of requirements under DORA, including the requirement to put in place and maintain a sound and documented risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of all ICT risks, including for the protection of relevant physical components and infrastructures.

What should firms be doing now to prepare?

Although it is not expected that DORA will apply to in-scope entities until late 2024 (see below), firms should now begin
considering the steps that they will need to take to ensure day one compliance. These include:

Scope out impact

Taking a risk-based approach reflective of their size, nature, scale and the complexity of their services and operations, Financial Entities should begin to scope out the impact of DORA on their business. Firms should carry out a comprehensive gap analysis of their existing ICT-risk management processes against the new requirements introduced by DORA to identify any aspects of their existing processes that will be impacted by the new requirements and develop detailed implementation plans setting out the steps that will need to be taken to effect relevant changes. As part of this, Financial Entities should ensure that they have in place appropriate:

(i) capabilities to enable a strong and effective ICT risk management environment;

(ii) mechanisms and policies for handling all ICT-related incidents and reporting major incidents; and

(iii) policies for the testing of ICT systems, controls and processes and the management of ICT third-party risk.

This process will be iterative as some of the more detailed requirements of DORA will be further developed through technical standards to be published by the ESAs in due course.

Critical ICT Third-Party Providers

Critical ICT Third-Party Providers will be required to have in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which they may pose to Financial Entities. Although DORA provides that the designation mechanism (pursuant to which the ESAs may designate an ICT third-party service provider as « critical ») must not be used until the Commission has adopted a delegated act specifying further details on the criteria to be used in making such an assessment (to be adopted within 18 months after the date on which DORA enters into force), it is expected that certain categories of providers, such as cloud computing service providers who provide ICT services to Financial Entities, will be designated as Critical Third-Party Providers.

Consequently, such providers may wish to begin the task of benchmarking their existing systems, controls and processes against existing guidelines, such as the EBA Guidelines on ICT and security risk management and Guidelines on outsourcing arrangements, to the extent required, to identify areas that require further investment and maturity. They will also need to consider whether new and existing contracts give them sufficient flexibility to comply with new regulatory rules, orders and directions, even if this would otherwise be inconsistent with their contractual obligations. As set out above, certain categories of ICT third-party service providers are expressly excluded from the designation mechanism, including Financial Entities providing ICT services to other Financial Entities, ICT intra-group service providers and ICT third-party service providers providing ICT services solely in one Member State to Financial Entities that are only active in that Member State.

Third Country Critical ICT – Third-Party Providers – Subsidiarisation

The EU subsidiarisation requirement that will apply to third country Critical ICT Third-Party Providers is one that will necessitate early engagement between such providers and the Financial Entities that they serve. While it is not clear what role the EU subsidiary must play in the provision of services to the relevant Financial Entity (e.g. whether the provider must act as contractual counterparty), Recital 58 of DORA indicates that the requirement to set up a subsidiary in the EU does not prevent ICT services and related technical support from being provided from facilities and infrastructures located outside the EU. Nevertheless, where a relevant third country ICT third-party provider that is likely to be designated as « critical » indicates that it does not intend to establish a subsidiary in the EU, even following a designation as such by the ESAs, Financial Entities may wish to commence the process of identifying alternative providers, since they will not be permitted to obtain ICT services from a third country Critical ICT Third-Party Provider that fails to establish a subsidiary in the EU within 12 months following its designation as critical.

Companies that consider they are likely to be classified as Critical ICT Third-Party Providers that do not already have an establishment or subsidiary located in the EU should begin to consider now which Member State would be most appropriate to establish a new subsidiary in, taking into account their business operations and the various applicable legal requirements.

Documentation impact

As noted above, DORA sets out core contractual rights in relation to several elements in the performance and termination of contracts with a view to enshrine certain minimum safeguards underpinning the ability of Financial Entities to monitor effectively all risk emerging at ICT third-party level. Some contractual requirements set out in DORA are mandatory and will need to be included in contracts, if not already reflected. Others take the form of principles and recommendations and may require negotiation between the relevant parties. Early mapping and engagement in this respect will be important. Additionally, parties may wish to consider benchmarking their existing contractual arrangements against relevant requirements set out in DORA, as well as existing standard contractual clauses developed by EU institutions.

For example, Recital 55 of DORA notes that « the voluntary use of contractual clauses developed by the Commission for cloud computing services may provide comfort for Financial Entities and ICT third-party providers by enhancing the level of legal certainty on the use of cloud computing services in full alignment with requirements and expectations set out by the financial services regulation ».

As the industry awaits more detailed technical standards to be developed and published by the relevant ESAs, as well as DORA compromise/Level 1 text, in-scope entities may consider using existing guidelines such as the EBA Guidelines on ICT and security risk management and Guidelines on outsourcing arrangements as useful benchmarking tools in preparation for day one compliance.

How does DORA interact with NIS2?

The second iteration of the Security of Network and Information Systems Directive (NIS2) aims to strengthen security requirements and provide further harmonisation of Member States’ cybersecurity laws, replacing the original NIS Directive of 2016 (NIS1). Its timeline is similar to that for DORA, with a provisional agreement among EU institutions reached in May 2022, and its adoption confirmed in a European Parliament plenary session vote on 10 November 2022. NIS2 significantly extends the scope of NIS1 by adding new sectors, including « digital providers » such as social media platforms and online marketplaces, for example, but importantly also introduces uniform size criteria for assessing whether certain financial institutions (and other entities) fall within its scope. NIS2 sets out cybersecurity risk management and reporting obligations for relevant organisations, as well as obligations on cybersecurity information sharing, so there is some overlap in coverage with DORA.

However, this has been addressed during the legislative process to ensure that financial entities will have full clarity on the different rules on digital operational resilience that they need to comply with when operating within the EU. NIS2 specifically provides that any overlap will be addressed by DORA being considered as lex specialis (ie a more specific law that will override the more general NIS2 provisions).

How does DORA compare with international developments?

The introduction of DORA in the EU reflects a global focus on operational resilience and strengthening cybersecurity standards in the wake of ever-increasing digitalisation of financial services and increasingly sophisticated cyber incidents. For example, in March 2021, the Basel Committee on Banking Supervision issued its Principles for operational resilience, as well as an updated set of Principles for the sound management of operational risk (PSMOR), which aim to make banks better able to withstand, adapt to and recover from severe adverse events.

In October 2022, following a G20 request, the Financial Stability Board (FSB) published a consultation on Achieving Greater Convergence in Cyber Incident Reporting, recognising that timely and accurate information on cyber incidents is crucial for effective incident response and recovery and promoting financial stability and with a view to ensuring that financial institutions operating across borders are not subject to multiple conflicting regimes. The FSB proposals include recommendations to address the challenges to achieving greater international convergence in cyber incident reporting, work on establishing common terminologies related to cyber incidents and a proposal to develop a common format for incident reporting exchange.

Following its departure from the EU, the UK has introduced a Financial Services and Markets Bill (the UK Bill) which includes proposals to regulate cloud service providers and other critical third parties supplying services to UK regulated firms and financial market infrastructures. HM Treasury would have powers to designate service suppliers as ‘critical’ and the UK regulators would have new powers to directly oversee designated suppliers, which would be subject to new minimum resilience standards. While the proposals have the same ambitions as, and there are similarities with, the requirements under DORA, there are a number of key differences between them.

For example, the proposed enforcement regime under DORA for Critical ICT Third-Party Providers is very different from the equivalent regime proposed by the UK Bill. Under DORA, the ESAs will be designated as « Lead Overseers », but with the power only to make ‘recommendations’ to Critical ICT Third-Party Providers, in contrast to the ability for UK regulators to make rules applying to, or to give directions to, critical third parties subject to the UK Bill, with the ability to issue sanctions for non-compliance. Under DORA, non-compliance by a Critical ICT Third-Party Provider with recommendations gives the Lead Overseer the ability to notify and publicise such non-compliance and « as a last resort » the option to require Financial Entities to temporarily suspend services provided by such provider until the relevant risks identified in the recommendations have been addressed.

This means that the liability and contractual issues for Critical ICT Third-Party Providers providing services in the EU will be different than for those providing services in the UK, and that contracts for each will need to be considered and negotiated carefully.

Next steps and legislative timeline

Following adoption of DORA by the European Parliament plenary session on 10 November 2022, the regulation is now passing through the final technical stages of the formal procedure for European legislation. The text still needs to be formally approved by the Council of the EU before being published in the Official Journal, which is expected in December 2022 or January 2023.

DORA will come into effect on the twentieth day following the day on which it is published in the Official Journal. It will apply, with direct effect, 24 months from the date on which it enters into force. Therefore, it is expected that DORA will apply to in-scope firms from late 2024 or early 2025 at the latest.

click-here-to-access-clifford-chances-comments-nov-2022-3 Télécharger

EIOPA: Digital Transformation Strategy – Promoting sound progress for the benefit of the European Union economy, its citizens and businesses

Publié le 26 décembre 202127 décembre 2021 par hanswillertbleuazurconsultingeu

EIOPA’S DIGITAL TRANSFORMATION STRATEGIC PRIORITIES AND OBJECTIVES

EIOPA’s supervisory and regulatory activities are always underpinned by two overarching objectives:
promoting consumer protection and financial stability. The digital transformation strategy aims at
identifying areas where, in view of these overarching objectives, EIOPA can best commit its
resources in view of the challenges posed by digitalisation, while at the same time seeking to
identify and remove undue barriers that limit the benefits.

This strategy sits alongside EIOPA’s other forward thinking prioritisation tools –

the union-wide strategic supervisory priorities,
the Strategy on Cyber Underwriting,
the Suptech Strategy

– but its focus is less on the specific actions needed in different areas, and more on how EIOPA will support NCAs and the pensions and insurance sectors in facing digital transformations following a

technologically-neutral,
future-proof,
ethical
and secure approach

to financial innovation and digitalisation.

Five key long-term priorities have been identified, which will guide EIOPA’s contributions on
digitalisation topics:

Leveraging on the development of a sound European data ecosystem
Preparing for an increase of Artificial Intelligence while focusing on financial inclusion
Ensuring a forward looking approach to financial stability and resilience
Realising the benefits of the European single market
Enhancing the supervisory capabilities of EIOPA and NCAs.

These five long-term priorities are described in the following sections. Each relates to areas where
work is already underway or planned, whether at national or European level, by EIOPA or other
European bodies.

The aim is to focus on priority areas where EIOPA can add value so as to enhance synergies and
improve overall convergence and efficiency in our response as a supervisory community to the
digital transformation.

LEVERAGING ON THE DEVELOPMENT OF A SOUND EUROPEAN DATA ECO-SYSTEM
ACCOMPANYING THE DEVELOPMENT OF AN OPEN FINANCE AND OPEN INSURANCE FRAMEWORK
Trends in the market show that the exchange of both personal and non-personal data through
Application Programming Interfaces (APIs) is a leading factor leading to transformation and
integration in the financial sector. By enabling several stakeholders to “plug” to an API to have access
to timely and standardised data, insurance undertakings in collaboration with other service providers can timely and adequately assess the needs of consumers and develop innovative and convenient proposals for them. Indeed, there are multiple types of use cases that can be developed as a result of enhanced accessing and sharing of data in insurance.

Examples of potential use cases include pension tracking systems (see further below), public and
private comparison websites, or different forms of embedding insurance (including micro
insurances) in the channels of other actors (retailers, airlines, car sharing applications, etc.).

Another use case could consist in allowing consumers to conveniently access information about their
insurance products from different providers in an integrated platform / application and identify any
protection gaps (or overlaps) in coverage that they may have.

In addition to having access to a greater variety of products and services and enabling consumers
to make more informed decisions, the transfer of insurance-related data seamlessly from one
provider to another in real-time (data portability) could facilitate switching and enhance
competition in the market.

Supervisory authorities could also potentially connect into the relevant APIs to access anonymised market data so as to develop more pre-emptive and evidence-based supervision and regulation.

However, it is also important to take into account relevant risks such those linked to data

quality,
breaches
and misuse.

ICT/cyber risks and financial inclusion risks are also relevant, as well as issues related to a level playing field and data reciprocity.

EIOPA considers that, if the risks are handled right, several open insurance use cases can have
significant benefits for consumers, for the sector and its supervision and will use the findings of
its recent public consultation on this topic to collaborate with the European Commission on the
development of the financial data space and/or open finance initiatives respectively foreseen in
the Commission’s Data Strategy and Digital Finance Strategy, possibly focusing on specific use
cases.

ADVISING ON THE DEVELOPMENT OF PENSIONS DATA TRACKING SYSTEMS IN THE EU
European public pension systems are facing the dual challenge of remaining financially sustainable
in an aging society and being able to provide Europeans with an adequate income in retirement.
Hence, the relevance of supplementary occupational and personal pension systems is increasing.
The latter are also seeing a major trend influenced by the low interest environment consisting on
the shift from Defined Benefit (DB) plans, which guarantee citizens a certain income after
retirement, to Defined Contribution (DC) plans, where retirement income depends on how the
accumulated contributions have been invested. As a consequence of these developments, more
responsibility and financial risks are placed on individual citizens for planning for their income after
retirement.

In this context, Pensions Tracking Systems (PTS) can provide simple and understandable information
to the average citizen about his or her pension savings in an aggregated manner, typically
conveniently accessible via digital channels. PTS are linked to the concept of Open Finance, since
different providers of statutory and private pensions share pension data in a standardised manner
so that it can be aggregated so as to provide consumers with relevant information for adopting
informed decisions about their retirement planning.

EIOPA considers that it is increasingly important to provide consumers with adequate information
to make informed decisions about their retirement planning, as it is reflected in EIOPA’s technical
advice to the European Commission on best practices for the development of Pension Tracking
Systems. EIOPA remains ready to further assist on this area, as relevant.

TRANSITIONING TOWARDS A SUSTAINABLE ECONOMY WITH THE HELP OF DATA AND TECHNOLOGY
Technologies such as

AI,
Blockchain,
or the Internet of Things

can assist European insurance undertakings and pension schemes in the implementation of more sustainable business models and investments.

For example, greater insights provided by new datasets (e.g. satellite images or images taken by drones) combined with more granular AI systems may allow to better assess climate change-related risks and provide advanced insurance coverage. Indeed, as highlighted by the Commission’s strategy on adaptation to climate change, actions aimed to adapt to climate change should be informed by more and better data on climate-related risks and losses accessible to everyone as well as relevant risks assessment tools.

This would allow insurance undertakings to contribute to a wider inclusion by incentivising
customers to mitigate risks via policies whose pricing and contractual terms are based on effective
measurements, e.g. with the use of telematics-based solutions in home insurance. However, there
are also concerns about the impact on the affordability and availability of insurance for certain
consumers (e.g. consumers living in areas highly exposed to flooding) as well as regarding the
environmental impact of some technologies, notably concerning the energy consumption of certain
data centres and crypto-assets.

Promoting a sustainable economy is a core priority for EIOPA. For this purpose, EIOPA will
specifically develop a Sustainable Finance Action Plan highlighting, among other things, the
importance of improving the accessibility and availability of data and models on climate-related
risks and insured losses and the role that EIOPA can play therein, as highlighted by the
Commission’s strategy on adaptation to climate change and in line with the Green deal data space
foreseen in the Commission’s Data Strategy.

PREPARING FOR AN INCREASE OF ARTIFICIAL INTELLIGENCE WHILE FOCUSING ON FINANCIAL INCLUSION
TOWARDS AN ETHICAL AND TRUSWORTHY ARTIFICIAL INTELLIGENCE IN THE EUROPEAN INSURANCE SECTOR
The take-up of AI in all the areas of the insurance value chain raises specific opportunities and
challenges; the variety of use cases is fast moving, while the technical, ethical and supervisory issues
thrown up in ensuring appropriate governance, oversight, and transparency are wide ranging.
Indeed, while the benefits of AI in terms of prediction accuracy, cost efficiency and automation are
very relevant, the challenges raised by

the limited explainability of some AI systems
and the potential impact on some AI use cases on the fair treatment of consumers and the financial inclusion of vulnerable consumers and protected classes

is also significant.

A coordinated and coherent approach across markets, insurance undertakings and intermediaries,
and between supervisors is therefore of particular importance, also given the potential costs of
addressing divergences in the future. EIOPA acknowledges that AI can play a pivotal role in the digital transformation of the insurance and pension markets in the years to come and therefore the importance of establishing adequate governance frameworks to ensure ethical and trustworthy AI systems. EIOPA will seek to leverage the AI governance principles recently developed by its consultative expert group on digital ethics, to develop further sectorial work on specific AI use cases in insurance.

PROMOTING FINANCIAL INCLUSION IN THE DIGITAL AGE
On the one hand, new technologies and business models could be used to improve the financial
inclusion of European citizens. For example, young drivers using telematics devices installed in their
cars or diabetes patients using health wearable devices reportedly have access to more affordable
insurance products. In addition to the incentives arising from advanced risk-based pricing, insurance
undertakings could provide consumers loss prevention / risk mitigation services (e.g. suggestions to
drive safely or to adopt healthier lifestyles) to help them understand and mitigate their risk
exposure.

From a different perspective, digital communication channels, new identity solutions and
onboarding options could also facilitate access to insurance to certain customer segments.
On the other hand, certain categories of consumers or consumers not willing to share personal data
could encounter difficulties in accessing affordable insurance as a result of more granular risk
assessments. This would be for instance the case of consumers having difficulties to access
affordable flood insurance as a result detailed risk-based pricing enabled by satellite imagery
processed by AI systems. In addition,

other groups of potentially vulnerable consumers deserve special attention due to their personal characteristics (e.g. elderly people or in poverty),
life-time events (e.g. car accident),
health conditions (e.g. undergoing therapy)
or people with difficulties to access digital services.

Furthermore, the trend towards increasingly data-driven business models can be compromised if adequate governance measures are not put in place to deal with biases in datasets used in order to avoid discriminatory outcomes.

EIOPA will assess the topic of financial inclusion from a broader perspective i.e. not only from a
digitalisation angle, seeking to promote the fair and ethical treatment of consumers, in particular
in front-desk applications and in insurance lines of businesses that are particularly important due
to their social impact.

EIOPA will routinely assess its consumer protection supervisory and policy work in view of
impacts on financial inclusion, and ensuring its work on digitalisation takes into account
accessibility or inclusion impacts.

ENSURING A FORWARD LOOKING APPROACH TO FINANCIAL STABILITY AND RESILIENCE
ENSURING A RESILIENT AND SECURE DIGITALISATION
Similar to other sectors of the economy, incumbent undertakings as well as InsurTech start-ups
increasingly rely on information and communication technology (ICT) systems in the provision of
insurance and pensions services. Among other benefits, the increasing adoption of innovative ICT
allow undertakings to implement more efficient processes and reduce operational costs, enable
data tracking and data backups in case of incidents, as well as greater accessibility and collaboration
within the organisation (e.g. via cloud computing systems).

However, undertakings’ operations are also increasingly vulnerable to ICT security incidents,
including cyberattacks. Furthermore, the complexity of some ICT or a different governance applied
to new technologies (e.g. cloud computing) is increasing as well as the frequency of ICT related
incidents (e.g. cyber incidents), which can have a considerable impact on undertakings’ operational
functioning. Moreover, relevance of larger ICT service providers could also lead to concentration
and contagion risks. Supervisory authorities need to take into account these developments and
adapt their supervisory skills and competences accordingly.

Early on, EIOPA identified cyber security and ICT resilience as a key policy priority and in the years to come will focus on the implementation of those priorities, including the recently adopted cloud computing and ICT guidelines, and on the upcoming implementation of the Digital Operational Resilience Act (DORA).

ASSESSING THE PRUDENTIAL FRAMEWORK IN THE LIGHT OF DIGITALISATION
The Solvency II Directive sets out requirements applicable to insurance and reinsurance undertakings in the EU with the aim to ensure their financial soundness and provide adequate protection to policyholders and beneficiaries. The Solvency II Directive follows a proportional, risk-based and technology-neutral approach and therefore it remains fully relevant in the context of digitalisation. Under this approach, all undertakings, including start-ups that wish to obtain a licence to benefit from Solvency II’s pass-porting rights to access the Internal Market via digital (and non-digital) distribution channels need to meet the requirements foreseen in the Directive, including minimal capital.

A prudential evaluation respective digital transformation processes should consider that insurance undertakings are incurring in high IT-related costs, to be appropriately reflected in their balance sheet. Furthermore, Solvency II requirement on outsourcing and the system of governance requirements are also relevant, in light of the increasing collaboration with third-party service providers (including BigTechs) and the use of new technologies such as AI. Investments on novel assets such as crypto-assets as well as the trend towards the “platformisation” of the economy are also relevant from a prudential perspective and the type of activities developed by insurance undertakings.

EIOPA considers that it is important to assess the prudential framework in light of the digital transformation that is taking place in the sector, seeking to ensure its financial soundness, promote greater supervisory convergence and also assess whether digital activities and related risks are adequately captured and if there are any undue regulatory barriers to digitalisation in this area.

REALISING THE BENEFITS OF THE EUROPEAN SINGLE MARKET
SUPPORTING THE DIGITAL SINGLE MARKET FOR INSURANCE AND PENSION PRODUCTS
Digital distribution can readily cross borders and reduce linguistic and other barriers; economies of scale linked to offering products to a wider market, increased competition, and greater variety of products and services for consumers are some of the benefits arising from the European Internal Market.

However, the scaling up the scope and speed of distribution of products and services across the Internal Market is an area where there is still a major untapped potential. Indeed, while legislative initiatives such as the

Insurance Distribution Directive (IDD),
Solvency II Directive,
Packaged Retail and Insurance-based Investment Products (PRIIPs) Regulation,
or the Directive on the activities and supervision of institutions for occupational retirement provision (IORP II)16

have made considerable progress towards the convergence of national regimes in Europe, considerable supervisory and regulatory divergences still persist amongst EU Member States.

For example, the IDD is a minimum harmonisation Directive. Existing regulation does not always allows for a fully digital approach. For instance, the need to use non-digital signatures or paper-based requirements as established by Article 23 (1) (a) IDD and Article 14 (2) (a) PRIIPs Regulation can limit end-to-end digital workflows. It is critical that the opportunities – and risks, for instance in relation to financial inclusion and accessibility – that come with digital transformations are fully integrated into future policy work. In this context, the so-called 28th regime used in Regulation on a pan-European Personal Pension Product (PEPP)17, which does not replace or harmonise national systems but coexists with them, is an approach that could eventually be explored taking into account the lessons learned.

EIOPA supports the development of the Internal Market in times of transformation, through the recalibration where needed of the IDD, Solvency II, PRIIPS and IORP II from a digital single market
perspective. EIOPA will also explore what a digital single market for insurance might look like from
a regulatory and supervisory perspective. Furthermore, EIOPA will integrate a digital ‘sense check’
into all of its policy work, where relevant.

SUPPORTING INNOVATION FACILITATORS IN EUROPE
In recent years many NCAsin the EU have adopted initiatives to facilitate financial innovation. These
initiatives include the establishment of innovation facilitators such as ‘innovation hubs’ and ‘regulatory sandboxes’ to exchange views and experience concerning Fintech-related regulatory issues and enable the testing and development of innovative solutions in a controlled environment and to learn more as to supervisory expectations. These initiatives also allow supervisory authorities to gather a better understanding of the new technologies and business models taking place in the market.

At European level, the European Forum for Innovation Facilitators (EFIF), created in 2019, has
become an important forum where European supervisors share experiences from their national
innovation facilitators and discuss with stakeholders topics such as Artificial Intelligence,
Platformisation, RegTech or crypto-assets. The EFIF will soon be complemented with the Commission’s Digital Finance platform; a new digital interface where stakeholders of the digital
finance ecosystem will be able to interact.

Innovation facilitators can play a key role in the implementation and adoption of innovative
technologies and business models in Europe and EIOPA will continue to support them through its
work in the EFIF and the upcoming Digital Finance Platform. EIOPA will work to further facilitate
cross-border / cross-sector cooperation and information exchanges on emergent business models.

ADDRESSING THE OPPORTUNITIES AND CHALLENGES OF FRAGMENTED VALUE CHAINS AND THE PLATFORM ECONOMY
New actors including InsurTech start-ups and BigTech companies are entering the insurance market,
both as competitors as well as cooperation partners of incumbent insurance undertakings.

Concerning the latter, incumbent undertakings reportedly increasingly revert to third-party service
providers to gain quick and efficient access to new technologies and business models. For example,
based on in EIOPA’s Big Data Analytics thematic review, while the majority of the participating
insurance undertakings using BDA solutions in the area of claims management developed these
tools in-house, two thirds of the undertakings reverted to outsourcing arrangements in order to
implement AI-powered chatbots.

This trend is reinforced by the platformisation of the economy, which in the insurance sector goes
beyond traditional comparison websites and is reflected in the development of complex ecosystems
integrating different stakeholders. They often share data via Application Programming Interfaces
(APIs) and cooperate in the distribution of insurance products via platforms (including those of BigTechs) embedded (bundled) with other financial and non-financial services. In addition, in a
broader context of Decentralised Finance (DEFI), Peer-to-Peer (P2P) insurance business models
using digital platforms and different levels of decentralisation to interact with members with similar
risks profiles have also emerged in several jurisdiction; although their significance in terms of gross
written premiums is very limited to date, it is a matter that needs to be monitored.

EIOPA notes the opportunities and challenges arising from increasingly fragmented value chains and the platformisation of economy which will be reflected in the ESAs upcoming technical advice on digital finance to the European Commission, and will subsequently support any measures within its remit that may be needed to

encourage innovation and competition,
protect consumers,
safeguard financial stability
and ensure a level playing field.

ENHANCING THE SUPERVISORY CAPABILITIES OF EIOPA AND NCAS
LEVERAGING ON TECHNOLOGY AND DATA FOR MORE EFFICIENT SUPERVISION AND REGULATORY COMPLIANCE
Digital technologies can also help supervisors to implement more agile and efficient supervisory
processes (commonly known as Suptech). They can support a continuous improvement of internal
processes as well as business intelligence capabilities, including enhancing the analytical framework, the development of risk assessments and the publication of statistics. This can also include new capabilities for identifying and assessing conduct risks.

With its European perspective, EIOPA can play a key role by enhancing NCAs data analysis capabilities based on extensive and rich datasets and appropriate processing tools.

As outlined in its SupTech strategy and Data and IT strategy, EIOPA has the objective to promote its own transformation to become a digital, user-focused and data driven organisation that meets its strategic objectives effectively and efficiently. Several on-going projects are already in place to achieve this objective.

INCREASING THE UNDERSTANDING OF NEW TECHNOLOGIES BY SUPERVISORS IN CLOSE COOPERATION WITH STAKEHOLDERS
Building supervisory capacity and convergence is a critical enabler for other benefits of digitalisation; without strong and convergent supervision, other benefits may be compromised. With the use of different tools available (innovation hubs, regulatory sandboxes, market monitoring, public consultations, desk-based reports etc.), supervisors seek to understand, engage and supervise increasingly technology-driven undertakings.

Closely cooperating with stakeholders with hands-on experience on the use of innovative tools has proofed to be useful tool to improve the knowledge by supervisors, and also for the stakeholders it is important to understand what are the supervisory expectations.

Certainly, the profile of the supervisors needs to evolve and they need to extend their knowledge into new areas and understand how new business models and value chains may impact undertakings and intermediaries both from a conduct and from a prudential perspective. Moreover, in view of the growing importance of new technologies and business models for insurance undertakings and pensions schemes, it is important to ensure that supervisors have access to relevant data about these developments in order to enable an evidence-based supervision.

EIOPA aims to continue incentivising the sharing of knowledge and experience amongst NCAs by organising InsurTech roundtables, workshops and seminars for supervisors as well as pursuing further potential deep-dive analysis on certain financial innovation topics. EIOPA will also further emphasise an evidence-based supervisory approach by developing a regular collection of harmonised data on digitalisation topics. EIOPA will also develop a stakeholder engagement strategy on digitalisation topics to identify those actors and areas where the cooperation should be reinforced.

click-here-to-access-eiopas-detailed-report-on-digital-transformation-strategy Télécharger

EIOPA Financial Stability Report July 2020

Publié le 1 août 20201 août 2020 par hanswillertbleuazurconsultingeu

The unexpected COVID-19 virus outbreak led European countries to shut down major part of their economies aiming at containing the outbreak. Financial markets experienced huge losses and flight-to-quality investment behaviour. Governments and central banks committed to the provision of significant emergency packages to support the economy, as the economic shock, caused by demand and supply disruptions accompanied by its reflection to the financial markets, is expected to challenge economic growth, labour market and the consumer sentiment across Europe for an uncertain period of time.

Amid an unprecedented downward shift of interest rate curves during March, reflecting the flight-to-quality behaviour, credit spreads of corporates and sovereigns increased for riskier assets, leading effectively to a double-hit scenario. Equity markets dramatically dropped showing extreme levels of volatility responding to the uncertainties on virus effects and on the status of government and central banks support programs and their effectiveness. Despite the stressed market environment, there were signs of improvement following the announcements of the support packages and during the course of the initiatives of gradually reopening the economies. The virus outbreak also led to extraordinary working conditions, with part of the services sector working from home, which rises the potential of those conditions being preserved after the virus outbreak, which could decrease demand and market value for commercial real estate investments.

Within this challenging environment, insurers are exposed in terms of solvency risk, profitability risk and reinvestment risk. The sudden reassessment of risk premia and the increase of default risk could trigger large-scale rating downgrades and result in decreased investments’ value for insurers and IORPs, especially for exposures to highly indebted corporates and sovereigns. On the other hand, the risk of ultra-low interest rates for long has further increased. Factoring in the knock on effects of the weakening macro economy, future own funds position of the insurers could be further challenged, due to potential lower levels of profitable new business written accompanied by increased volume of profitable in-force policies being surrendered or lapsed.

Finally, liquidity risk has resurfaced, due to the potential of mass lapse type of events and higher than expected virus and litigation related claims accompanied by the decreased inflows of premiums.

EIOPA1

For the European occupational pension sector, the negative impact of COVID-19 on the asset side is mainly driven by deteriorating equity market prices, as, in a number of Member States, IORPs allocate significant proportions of the asset portfolio (up to nearly 60%) in equity investments. However, the investment allocation is highly divergent amongst Member States, so that IORPs in other Member States hold up to 70% of their investments in bonds, mostly sovereign bonds, where the widening of credit spreads impair their market value. The liability side is already pressured due to low interest rates and, where market-consistent valuation is applied, due to low discount rates. The funding and solvency ratios of IORPs are determined by national law and, as could be seen in the 2019 IORP stress test results, have been under pressure and are certainly negatively impacted by this crisis. The current situation may lead to benefit cuts for members and may require sponsoring undertakings to finance funding gaps, which may lead to additional pressure on the real economy and on entities sponsoring an IORP.

EIOPA2

Climate risks remain one of the focal points for the insurance and pension industry, with Environmental, Social and Governance (ESG) factors increasingly shaping investment decisions of insurers and pension funds but also affecting their underwriting. In response to climate related risks, the EU presented in mid-December the European Green Deal, a roadmap for making the EU climate neutral by 2050, providing actions meant to boost the efficient use of resources by

moving to a clean, circular economy and stop climate change,
revert biodiversity loss
and cut pollution.

At the same time, natural catastrophe related losses were milder than previous year, but asymmetrically shifted towards poorer countries lacking relevant insurance coverages.

Cyber risks have become increasingly relevant across the financial system in particular during the virus outbreak due to the new working conditions that the confinement measures imposed. Amid the extraordinary en masse remote working arrangements an increased number of cyber-attacks has been reported on both individuals and healthcare systems. With increasing attention for cyber risks both at national and European level, EIOPA contributed to building a strong, reliable, cyber insurance market by publishing its strategy for cyber underwriting and has also been actively involved in promoting cyber resilience in the insurance and pensions sectors.

Click here to access EIOPA’s detailed Financial Stability Report July 2020

Fintech, regtech and the role of compliance in 2020

Publié le 22 mai 202022 mai 2020 par hanswillertbleuazurconsultingeu

The ebb and flow of attitudes on the adoption and use of technology has evolving ramifications for financial services firms and their compliance functions, according to the findings of the Thomson Reuters Regulatory Intelligence’s fourth annual survey on fintech, regtech and the role of compliance. This year’s survey results represent the views and experiences of almost 400 compliance and risk practitioners worldwide.

During the lifetime of the report it has had nearly 2,000 responses and been downloaded nearly 10,000 times by firms, risk and compliance practitioners, regulators, consultancies, law firms and global systemically-important financial institutions (G-SIFIs). The report also highlights the shifting role of the regulator and concerns about best or better practice approaches to tackle the rise of cyber risk. The findings have become a trusted source of insight for firms, regulators and their advisers alike. They are intended to help regulated firms with planning, resourcing and direction, and to allow them to benchmark whether their resources, skills, strategy and expectations are in line with those of the wider industry. As with previous reports, regional and G-SIFI results are split out where they highlight any particular trend. One challenge for firms is the need to acquire the skill sets which are essential if they are to reap the expected benefits of technological solutions. Equally, regulators and policymakers need to have the appropriate up-todate skillsets to enable consistent oversight of the use of technology in financial services. Firms themselves, and G-SIFIs in particular, have made substantial investments in skills and the upgrading of legacy systems.

Key findings

The involvement of risk and compliance functions in their firm’s approach to fintech, regtech and insurtech continues to evolve. Some 65% of firms reported their risk and compliance function was either fully engaged and consulted or had some involvement (59% in prior year). In the G-SIFI population 69% reported at least some involvement with those reporting their compliance function as being fully engaged and consulted almost doubling from 13% in 2018, to 25% in 2019. There is an even more positive picture presented on increasing board involvement in the firm’s approach to fintech, regtech and insurtech. A total of 62% of firms reported their board being fully engaged and consulted or having some involvement, up from 54% in the prior year. For G-SIFIs 85% reported their board being fully engaged and consulted or having some involvement, up from 56% in the prior year. In particular, 37% of G-SIFIs reported their board was fully engaged with and consulted on the firm’s approach to fintech, regtech and insurtech, up from 13% in the prior year.
Opinion on technological innovation and digital disruption has fluctuated in the past couple of years. Overall, the level of positivity about fintech innovation and digital disruption has increased, after a slight dip in 2018. In 2019, 83% of firms have a positive view of fintech innovation (23% extremely positive, 60% mostly positive), compared with 74% in 2018 and 83% in 2017. In the G-SIFI population the positivity rises to 92%. There are regional variations, with the UK and Europe reporting a 97% positive view at one end going down to a 75% positive view in the United States.
There has been a similar ebb and flow of opinion about regtech innovation and digital disruption although at lower levels. A total of 77% reported either an extremely or mostly positive view, up from 71% in the prior year. For G-SIFIs 81% had a positive view, up from 76% in the prior year.
G-SIFIs have reported a significant investment in specialist skills for both risk and compliance functions and at board level. Some 21% of G-SIFIs reported they had invested in and/or appointed people with specialist skills to the board to accommodate developments in fintech, insurtech and regtech, up from 2% in the prior year. This means in turn 79% of G-SIFIs have not completed their work in this area, which is potentially disturbing. Similarly, 25% of G-SIFIs have invested in specialist skills for the risk and compliance functions, up from 9% in the prior year. In the wider population 10% reported investing in specialist skills at board level and 16% reported investing in specialist skills for the risk and compliance function. A quarter (26%) reported they have yet to invest in specialist skills for the risk and compliance function, but they know it is needed (32% for board-level specialist skills). Again, these figures suggest 75% of G-SIFIs have not fully upgraded their risk and compliance functions, rising to 84% in the wider population.
The greatest financial technology challenge firms expect to face in the next 12 months have changed in nature since the previous survey, with the top three challenges cited as keeping up with technological advancements; budgetary limitations, lack of investment and cost; and data security. In prior years, the biggest challenges related to the need to upgrade legacy systems and processes as well as budgetary limitations, the adequacy and availability of skilled resources together with the need for cyber resilience. In terms of the greatest benefits expected to be seen from financial technology in the next 12 months the top three are a strengthening of operational efficiency, improved services for customers and greater business opportunities.
G-SIFIs are leading the way on the implementation of regtech solutions. Some 14% of G-SIFIs have implemented a regtech solution, up from 9% in the prior year with 75% (52% in the prior year) reporting they have either fully or partially implemented a regtech solution to help manage compliance. In the wider population, 17% reported implementing a regtech solution, up from 8% in the prior year. The 2018 numbers overall showed a profound dip from 2017 when 29% of G-SIFIs and 30% of firms reported implementing a regtech solution, perhaps highlighting that early adoption of regtech solutions was less than smooth.
Where firms have not yet deployed fintech or regtech solutions various reasons were cited as to what was holding them back. Significantly, one third of firms cited lack of investment; a similar number of firms pointed to a lack of in-house skills and information security/data protection concerns. Some 14% of firms and 12% of G-SIFIs reported they had taken a deliberate strategic decision not to deploy fintech or regtech solutions yet.
There continues to be substantial variation in the overall budget available for regtech solutions. A total of 38% of firms (31% in prior year) reported that the expected budget would grow in the coming year, however, 31% said they lack a budget for regtech (25% in the prior year). For G-SIFIs 48% expected the budget to grow (36% in prior year), with 12% reporting no budget for regtech solutions (6% in the prior year).

Focus : Challenges for firms

Technological challenges for firms come in all shapes and sizes. There is the potential, marketplace changing, challenge posed by the rise of bigtech. There is also the evolving approach of regulators and the need to invest in specialist skill sets. Lastly, there is the emerging need to keep up with technological advances themselves.

TR10

The challenges for firms have moved on. In the first three years of the report the biggest financial technology challenge facing firms was that of the need to upgrade legacy systems and processes. This year the top three challenges are expected to be the need to keep up with technology advancements; perceived budgetary limitations, lack of investment and cost, and then data security.

Focus : Cyber risk

Cyber risk and the need to be cyber-resilient is a major challenge for financial services firms which are targets for hackers. They must be prepared and be able to respond to any kind of cyber incident. Good customer outcomes will be under threat if cyber resilience fails.

One of the most prevalent forms of cyber attack is ransomware. There are different types of ransomware, all of which will seek to prevent a firm or an individual from using their IT systems and will ask for something (usually payment of a ransom) to be done before access will be restored. Even then, there is no guarantee that paying the fine or acceding to the ransomware attacker’s demands will restore full access to all IT systems, data or files. Many firms have found that critical files often containing client data have been encrypted as part of an attack and large amounts of money are demanded for restoration. Encryption is in this instance used as a weapon and it can be practically impossible to reverse-engineer the encryption or “crack” the files without the original encryption key – which cyber attackers deliberately withhold. What was previously viewed often as an IT problem has become a significant issue for risk and compliance functions. The regulatory stance is typified by the UK Financial Conduct Authority (FCA) which has said its goal is to “help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld”. Regulators do not expect firms to be impervious but do expect cyber risk management to become a core competency.

Good and better practice on defending against ransomware attacks Risk and compliance officers do not need to become technological experts overnight but must ensure cyber risks are effectively managed and reported on within their firm’s corporate governance framework. For some compliance officers, cyber risk may be well outside their comfort zone but there is evidence that simple steps implemented rigorously can go a long way towards protecting a firm and its customers. Any basic cyber-security hygiene aimed at protecting businesses from ransomware attacks should make full use of the wide range of resources available on cyber resilience, IT security and protecting against malware attacks. The UK National Cyber Security Centre has produced some practical guidance on how organizations can protect themselves in cyberspace, which it updates regularly. Indeed, the NCSC’s 10 steps to cyber security have now been adopted by most of the FTSE350.

TR11

Closing thoughts

The financial services industry has much to gain from the effective implementation of fintech, regtech and insurtech but practical reality is there are numerous challenges to overcome before the potential benefits can be realised. Investment continues to be needed in skill sets, systems upgrades and cyber resilience before firms can deliver technological innovation without endangering good customer outcomes.

An added complication is the business need to innovate while looking over one shoulder at the threat posed by bigtech. There are also concerns for solution providers. The last year has seen many technology start-ups going bust and far fewer new start-ups getting off the ground – an apparent parallel, at least on the surface, to the bubble that was around dotcom. Solutions need to be practical, providers need to be careful not to over promise and under deliver and above all developments should be aimed at genuine problems and not be solutions looking for a problem. There are nevertheless potentially substantive benefits to be gained from implementing fintech, regtech and insurtech solutions. For risk and compliance functions much of the benefit may come from the ability to automate rote processes with increasing accuracy and speed. Indeed, when 900 respondents to the 10th annual cost of compliance survey report were asked to look into their crystal balls and predict the biggest change for compliance in the next 10 years, the largest response was automation.

Technology and its failure or misuse is increasingly being linked to the personal liability and accountability of senior managers. Chief executives, board members and other senior individuals will be held accountable for failures in technology and should therefore ensure their skill set is up-to-date. Regulators and politicians alike have shown themselves to be increasingly intolerant of senior managers who fail to take the expected reasonable steps with regards to any lack of resilience in their firm’s technology.

This year’s findings suggest firms may find it beneficial to consider:

Is fintech (and regtech) properly considered as part of the firm’s strategy? It is important for regtech especially not to be forgotten about in strategic terms: a systemic failure arising from a regtech solution has great capacity to cause problems for the firm – the UK FCA’s actions on regulatory reporting, among other things, are an indicator of this.
Not all firms seem to have fully tackled the governance challenge fintech implies: greater specialist skills may be needed at board level and in risk and compliance functions.
Lack of in-house skills was given as a main reason for failing to develop fintech or regtech solutions. It is heartening that firms understand the need for those skills. As fintech/regtech becomes mainstream, however, firms may be pressed into developing such solutions. Is there a plan in place to plug the skills gap?
Only 22% of firms reported that they need more resources to evaluate, understand and deploy fintech/ regtech solutions. This suggests 78% of firms are unduly relaxed about the resources needed in the second line of defence to ensure fintech/regtech solutions are properly monitored. This may be a correct conclusion, but seems potentially bullish.

Click here to access Thomson Reuters’ Survey Results

Benchmarking digital risk factors facing financial service firms

Publié le 22 mai 202022 mai 2020 par hanswillertbleuazurconsultingeu

Risk management is the foundation upon which financial institutions are built. Recognizing risk in all its forms—measuring it, managing it, mitigating it—are all critical to success. But has every firm achieved that goal? It doesn’t take indepth research beyond the myriad of breach headlines to answer that question.

But many important questions remain: What are key dimensions of the financial sector Internet risk surface? How does that surface compare to other sectors? Which specific industries within Financial Services appear to be managing that risk better than others? We take up these questions and more in this report.

The financial sector boasts the lowest rate of high and critical security exposures among all sectors. This indicates they’re doing a good job managing risk overall.
But not all types of financial service firms appear to be managing risk equally well. For example, the rate of severe findings in the smallest commercial banks is 4x higher than that of the largest banks.
It’s not just small community banks struggling, however. Securities and Commodities firms show a disconcerting combination of having the largest deployment of high-value assets AND the highest rate of critical security exposures.
Others appear to be exceeding the norm. Take credit card issuers: they typically have the largest Internet footprint but balance that by maintaining the lowest rate of security exposures.
Many other challenges and risk factors exist. For instance, the industry average rate of severe security findings in critical cloud-based assets is 3.5x that of assets hosted on-premises.

Dimensions of the Financial Sector Risk Surface

As Digital Transformation ushers in a plethora of changes, critical areas of risk exposure are also changing and expanding. We view the risk surface as anywhere an organization’s ability to operate, reputation, assets, legal obligations, or regulatory compliance is at risk. The aspects of a firm’s risk exposure that are associated with or observable from the internet are considered its internet risk surface. In Figure 1, we compare five key dimensions of the internet risk surface across different industries and highlight where the financial sector ranks among them.

Hosts: Number of internet-facing assets associated with an organization.
Providers: Number of external service providers used across hosts.
Geography: Measure of the geographic distribution of a firm’s hosts.
Asset Value: Rating of the data sensitivity and business criticality of hosts based on multiple observed indicators. High value systems that include those that collect GDPR and CCPA regulated information.
Findings: Security-relevant issues that expose hosts to various threats, following the CVSS rating scale.

TR1

The values recorded in Figure 1 for these dimensions represent what’s “typical” (as measured by the mean or median) among organizations within each sector. There’s a huge amount of variation, meaning not all financial institutions operate more external hosts than all realtors, but what you see here is the general pattern. The blue highlights trace the ranking of Finance along each dimension.

Financial firms are undoubtedly aware of these tendencies and the need to protect those valuable assets. What’s more, that awareness appears to translate fairly effectively into action. Finance boasts the lowest rate of high and critical security exposures among all sectors. We also ran the numbers specific to high-value assets, and financial institutions show the lowest exposure rates there too. All of this aligns pretty well with expectations—financial firms keep a tight rein on their valuable Internet-exposed assets.

This control tendency becomes even more apparent when examining the distribution of hosts with severe findings in Figure 2. Blue dots mark the average exposure rate for the entire sector (and correspond to values in Figure 1), while the grey bars indicate the amount of variation among individual organizations within each sector. The fact that Finance exhibits the least variation shows that even rotten apples don’t fall as far from the Finance tree as they often do in other sectors. Perhaps a rising tide lifts all boats?

TR2

Security Exposures in Financial Cloud Deployments

We now know financial institutions do well minimizing security findings, but does that record stand equally strong across all infrastructure? Figure 3 answers that question by featuring four of the five key risk surface dimensions:

the proportion of hosts (square size),
asset value (columns),
hosting location (rows),
and the rate of severe security findings (color scale and value label).

This view facilitates a range of comparisons, including the relative proportion of assets hosted internally vs. in the cloud, how asset value distributes across hosting locales, and where high-severity issues accumulate.

TR3

From Figure 3, box sizes indicate that organizations in the financial sector host a majority of their Internet-facing systems on-premises, but do leverage the cloud to a greater degree for low-value assets. The bright red box makes it apparent that security exposures concentrate more acutely in high-value assets hosted in the cloud. Overall, the rate of severe findings in cloud-based assets is 3.5x that of on-prem. This suggests the angst many financial firms have over moving to the cloud does indeed have some merit. But when we examine the Finance sector relative to others in Figure 4 the intensity of exposures in critical cloud assets appears much less drastic.

In Figure 3, we can see that the largest number of hosts are on-prem and of medium value. But high-value assets in the cloud exhibit the highest rate of findings.

Given that cloud vs. on-prem exposure disparity, we feel the need to caution against jumping to conclusions. We could interpret these results to proclaim that the cloud isn’t ready for financial applications and should be avoided. Another interpretation could suggest that it’s more about organizational readiness for the cloud than the inherent insecurity of the cloud. Either way, it appears that many financial institutions migrating to the cloud are handling that paradigm shift better than others.

It must also be noted that not all cloud environments are the same. Our Cloud Risk Surface report discovered an average 12X difference between cloud providers with the highest and lowest exposure rates. We still believe this says more about the typical users and use cases of the various cloud platforms than any intrinsic security inequalities. But at the same time, we recommend evaluating cloud providers based on internal features as well as tools and guidance they make available to assist customers in securing their environments. Certain clouds are undoubtedly a better match for financial services use cases while others less so.

TR4

Risk Surface of Subsectors within Financial Services

Having compared Finance to other sectors at a high level, we now examine the risk surface of major subsectors of financial services according to the following NAICS designations:

Insurance Carriers: Institutions engaged in underwriting and selling annuities, insurance policies, and benefits.
Credit Intermediation: Includes banks, savings institutions, credit card issuers, loan brokers, and processors, etc.
Securities & Commodities: Investment banks, brokerages, securities exchanges, portfolio management, etc.
Central Banks: Monetary authorities that issue currency, manage national money supply and reserves, etc.
Funds & Trusts: Funds and programs that pool securities or other assets on behalf of shareholders or beneficiaries.

TR5

Figure 5 compares these Finance subsectors along the same dimensions used in Figure 1. At the top, we see that Insurance Carriers generally maintain a large Internet surface area (hosts, providers, countries), but a comparatively lower ranking for asset value and security findings. The Credit Intermediation subsector (the NAICS designation that includes banks, brokers, creditors, and processors) follows a similar pattern. This indicates that such organizations are, by and large, able to maintain some level of control over their expanding risk surface.

A leading percentage of high-value assets and a leading percentage of highly critical security findings for the Securities and Commodities subsector is a disconcerting combination. It suggests either unusually high risk tolerance or ineffective risk management (or both), leaving those valuable assets overexposed. The Funds and Trusts subsector exhibits a more riskaverse approach to minimizing exposures across its relatively small digital footprint of valuable assets.

Risk Surface across Banking Institutions

Given that the financial sector is so broad, we thought a closer examination of the risk surface particular to banking institutions was in order. Banks have long concerned themselves with risk. Well before the rise of the Internet or mobile technologies, banks made their profits by determining how to gauge the risk of potential borrowers or loans, plotting the risk and reward of offering various deposit and investment products, or entering different markets, allowing access through several delivery channels. It could be said that the successful management and measurement of risk throughout an organization is perhaps the key factor that has always determined the relative success or failure of any bank.

As a highly-regulated industry in most countries, banking institutions must also consider risk from more than a business or operational perspective. They must take into account the compliance requirements to limit risk in various areas, and ensure that they are properly securing their systems and services in a way that meets regulatory standards. Such pressures undoubtedly affect the risk surface and Figure 6 hints at those effects on different types of banking institutions.

Credit card issuers earn the honored distinction of having the largest average number of Internet-facing hosts (by far) while achieving the lowest prevalence of severe security findings. Credit unions flip this trend with the fewest hosts and most prevalent findings. This likely reflects the perennial struggle of credit unions to get the most bang from their buck.

Traditionally well-resourced commercial banks leverage the most third party providers and have a presence in more countries, all with a better-than-average exposure rate. Our previous research revealed that commercial banks were among the top two generators and receivers of multi-party cyber incidents, possibly due to the size and spread of their risk surface.

TR6

Two Things to Consider

In this interconnected world, third-party and fourth-party risk is your risk. If you are a financial institution, particularly a commercial bank, take a moment to congratulate yourself on managing risk well – but only for a moment. Why? Because every enterprise is critically dependent on a wide array of vendors and partners that span a broad spectrum of industries. Their risk is your risk. The work of your third-party risk team is critically important in holding your vendors accountable to managing your risk interests well.
Managing risk—whether internal or third-party—requires focus. There are simply too many things to do, giving rise to the endless “hamster wheel of risk management.” A better approach starts with obtaining an accurate picture of your risk surface and the critical exposures across it. This includes third-party relationships, and now fourth-party risk, which bank regulators are now requiring. Do you have the resources to sufficiently manage this? Do you know your risk surface?

Click here to access Riskrecon Cyentia’s Study

Cyber Risk Management – From Security to Resilience

Publié le 30 juin 2019 par hanswillertbleuazurconsultingeu

Rapidly evolving threats and infiltration techniques have rendered traditional cyber defense strategies insufficient and ineffective. The emerging threat vectors and speed of change amplified by the digital transformation cannot be addressed by traditional means. Globally, laws are also changing to keep pace as cybercrime evolves, knowing no
boundaries. Therefore, organizations must be nimble and agile to keep pace with policy changes, especially when expanding across different jurisdictions.

This report highlights three strategic imperatives to strengthen cyber resilience:

Understand (know your threats): Identify organization and industry-specific cyber threats and regulations calls for robust strategies that include cross-disciplinary considerations.
Measure (know yourself): Quantify the potential financial impact of cyber exposures to compare against the level of risk appetite acceptable to the board. This will determine the amount of investment necessary to mitigate and transfer any residual risk.
Manage (know what you can do): Proactively manage cyber risks by having clear action plans based on your capabilities and capacities to protect against cyber criminals.

It is inefficient and impractical to expect organizations to be ahead of every threat, but organizations should at least be on par with the evolution of cyber threats while ensuring compliance with changing laws and regulations. While cyber attacks are inevitable, proper preparation is the essential element that sets resilient organizations apart from the rest in managing risk, minimizing damage, and recovering quickly from any incidents.

Cyber Risk: A Top Concern

Technology continues to play a profound role in shaping the global risk landscape for individuals, businesses, and governments. Risk experts around the world continue to rank massive data fraud and theft and cyber attacks as their greatest and most likely risks over the next decade, a pattern that is consistent with previous years. Most risk experts also expect cyber attacks to have a much greater impact through business disruption and the targeted theft of money, data and intellectual property. Our increased dependence on pervasive, integrated digital technologies also increases anxiety around cyber security.

Rapid Innovation

The pace of business innovation has been driven by technology and connectivity megatrends such as mobile, the Internet of Things (IoT), big data and cloud solutions. The adoption and use of mobile devices have surpassed that of desktops since the last quarter of 2016, with mobile traffic accounting for 52 percent of total internet traffic in 2018. While business benefits include greater convenience and productivity, the use of mobile devices for both work and personal reasons has blurred the lines between sensitive corporate and confidential personal data, which are increasingly exposed to weaker application security features, mobile malware and other vulnerabilities.

Pervasive, Sophisticated Technologies

A recent study by FireEye Mandiant revealed that cyber attackers have followed cloud-reliant organizations, such as software-as-a-service and cloud computing, into the cloud. Mandiant researchers observed an increased volume of attacks against organizations with access to vast amounts of personal and confidential data, such as cloud providers, telecommunications, and retail and hospitality. More than 730 investigations were performed by Mandiant experts globally in 2018, a higher volume than any year before and an increase of more than 30 percent over 2017.

Devious, Organized Threat Actors

The modern cyber risk landscape is rapidly evolving and populated by threat actors with a myriad of motivations and attack sophistication levels. The methodologies can vary from highly-targeted and deliberate, to mass-scale with self-distributing malware. Different threat actors also have different motivations and ambitions that can be uniquely destructive.

Motivations and methodologies of threat actors can also overlap with one another. In many cases, similar tools and techniques are used by different groups since those may be the only tools available. In some cases, state-sponsored actors may even work with hacktivists to carry out an attack. Some threat groups demonstrate increased determination by maintaining persistence in victims’ networks. Some APT attackers plan out their modus operandi and patiently pursue their goals over a long period of time—months or years—before they launch their attack. They rapidly adapt to a victim organization’s attempts to remove them from the network and frequently target the same victim again if access is lost.

After an organization has been successfully attacked, there is a higher probability of re-compromise. According to FireEye, globally two in three (64 percent) compromised organizations were successfully attacked again within a year. It is more significant in APAC where almost eight in 10 (78 percent) of compromised organizations are likely to face at least one additional significant attack over the next year.

Organizations that have been attacked should strengthen their cyber security defenses and close any identified gaps to mitigate risks; unfortunately, this doesn’t always happen.

MMC1

Data Sharing Economies

Data sharing is inevitable as we accelerate into the digital economy. Our growing interconnectedness is combined with a massive increase in velocity, volume, and variety of data shared across boundaries and jurisdictions. The accelerated digitalization of countries and industries amplifies the systemic effects from cyber attacks and increases the severity of successful cyber attacks.

With the advent of digital and transformative technologies that change the nature of business, policymakers are challenged to maintain the robustness of cyber laws and legislations. The anonymity of the Internet further ensures little or no risk of repercussion for cyber criminals.

According to FireEye CEO Kevin Mandia, ”We are on a slippery slope in terms of frequency and seriousness of cyber attacks” and it is likely to get worse unless serious consequences can be put in place for criminal behavior.

Although cyber regulations have lagged behind evolving cyber threats, the past years have seen a substantial increase in new cyber laws and other regulatory schemes, and this is expected to continue. Most regulatory schemes aim to protect data and privacy and fulfil notification obligations by breached organizations, but disclosures and notifications are critical first steps to reveal the volume, frequency and complexity of breaches before data protection and privacy can be further improved.

Complications That Impact Cyber Resilience

In an increasingly complex business and cyber landscape, organizations encounter greater challenges when trying to balance their business resilience and cyber security priorities.

Between 2016 and 2018, the rate of growth for internet users was 10 times faster than the global population. Correspondingly, the surface area for attack has expanded exponentially. The exposure is estimated to impact up to six billion internet users by 2022, approximately three-quarters of the projected world population. Increased connectivity coupled with the expanded adoption of mobile devices makes building cyber security defenses much more challenging since every employee or web-connected device now represents a potential vulnerability.

Underlying Trends Impose Additional Layers of Fiduciary Responsibilities

Rapid digitalization amplifies the systemic effect of cyber threats, which leads to more cyber regulations and policies. In addition to safeguarding the interests of individuals and businesses, governments and policymakers also aim provide a conducive and well-regulated environment to develop transformative technologies to spearhead their respective digital economies.

Unsurprisingly, their business models are impacted by new cyber laws and regulations. As these laws are introduced, revised and enacted, companies can find themselves in a continually reactive state when attempting to comply with changing policies. Organizations with operations across national boundaries face additional compliance costs as they attempt to navigate diverse regulations in different jurisdictions. While GDPR has led to the convergence of cyber security and data protection laws in the EU, cyber regulations in other parts of the world remain largely localized and diverse.

Re-Thinking a Cyber Resilient Culture

To reduce our growing vulnerability to humanenabled cyber threats, workplace culture needs to change. The outlook, attitudes, values, moral goals and legacy systems shared within an organization have a direct impact on how cyber threats are perceived and managed. While cyber security involves many different technical and information solutions, necessary defenses and resilience cannot be fully achieved without the right mindset.

To establish a cyber resilient culture, everyone in the organization—from executive leadership and management to data analysts and salespeople—have an equal and important role to play in defense.

Through social engineering, threat actors increasingly exploit individuals as the weakest link of the cyber security chain. Therefore, cyber security and resilience must begin with the individual. Although Finance or HR departments may be primary targets for potential access to sensitive information, other executives and employees may also be targeted to gain network access.

How To Line Up Your Defense

Given the reality of the cyber threat landscape, you need to determine the tools you need to mitigate and respond to inevitable cyber attacks. Unfortunately, while both the aggressiveness and sophistication of cyber attacks have accelerated, defensive capabilities have been relatively slow to evolve and respond.

MMC2

Darren Thayre, Partner in the Digital, Technology and Analytics Practice for Asia Pacific at Oliver Wyman, mentioned that typical cyber security discussions are often absent when organizations initially strategize on cloud implementation, a process normally driven by developers or infrastructure demands.

Many victim organizations and those working diligently on defensive improvements still lack the fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.

Based on trend observations, Kelly Butler, Head of Cyber Practice, Pacific, Marsh, stated that while security remains important in the 2019 cyber landscape, it is becoming more about resilience.

Organizations must maintain a posture of continuous cyber resilience to prepare for and adapt to the changing threat landscape and recover from the disruptive attacks. Otherwise, they risk facing significant gaps in both basic security controls and—more critically—visibility and detection of targeted attacks. The saying goes, “what gets measured, gets managed,” but you can only measure what you understand.

Understand Cyber Risks from a Business Perspective

Cyber risk is now at the forefront of most corporate risk agendas. Organizations are increasingly looking to understand and assess the nature and extent of their potential cyber-related losses—a necessary first step to mitigate those losses.

A cyber defense strategy delivers substantial benefits for both the senior management and the organization, especially when the strategy and associated action plans are mandated from the top and prioritized with the necessary investments and budgets. A proactive cyber defense strategy demonstrates to regulators that the organization takes cyber risk management seriously and has clear priorities in place.

A cyber security strategy is how you direct and focus the creation of an actionable roadmap and build a comprehensive cyber security program. This process allows you to clearly link gaps identified in the program assessment to your organization’s cyber security investments. However, developing a fit-for-purpose strategy and obtaining buy-in for the cyber security program from senior management can be difficult.

MMC3

After you understand cyber risks from a business perspective, you need to identify how much cyber risk is acceptable (to be absorbed) across your entire organization. This baseline helps make decisions related to cyber risk and implement controls.

For example, you can use a structured methodology to determine your organization’s cyber risk appetite. Ideally, you should break down and prioritize your cyber risk appetite, and the metrics you need to inform and measure the risk appetite. Later, you can develop recommendations regarding governance and operating model requirements, which in turn will determine and influence corporate decisions with respect to cyber security investments.

MMC4

After you assess the amount of acceptable cyber risk, work to quantify your potential cyber risk exposure. Measure its financial impact to inform the business case for cyber security investments as well as cyber insurance that can mitigate or transfer risk.

Quantification determines nature and extent of risk impacts for different threats and scenarios. However, boards and senior executives often struggle to clearly and comprehensively gain a current understanding of their organization’s cyber risk profile.

MMC5

The increase in awareness, cyber data breaches and adoption of cloud-based services are a few of the factors that drive the growth of the cyber insurance market, while high costs inhibit growth. High premiums can be effectively overcome by systematically and clearly understanding organization-specific cyber risks to lower risk exposure and enhance risk profile. For example, the use of data analytics to quantify risk exposure and underwrite cyber risks has proved to drive more efficient and effective risk profiling and provide more accurate policy coverage.

MMC6

With an internally aligned cyber risk strategy and adequately measured risk exposure around expected losses due to cyber attacks, organizations can better insure and secure stronger financials to respond and recover from an incident. An incident response plan requires the support of proper security technologies and expertise. At a minimum, a response plan requires full view of IT assets, strong detection capabilities, clear roles and responsibilities and fast reaction times. The plan must also be regularly practiced through drills to ensure that personnel know their roles and to track and record various metrics that measure their performance. Frequent testing can help identify areas for improvement and provide opportunities to continually refine processes and protocols.

Click here to access MMC-FireEye’s Report

Perspectives on the next wave of cyber

Publié le 27 janvier 2019 par hanswillertbleuazurconsultingeu

Financial institutions are acutely aware that cyber risk is one of the most significant perils they face and one of the most challenging to manage. The perceived intensity of the threats, and Board level concern about the effectiveness of defensive measures, ramp up continually as bad actors increase the sophistication, number, and frequency of their attacks.

Cyber risk management is high on or at the top of the agenda for financial institutions across the sector globally. Highly visible attacks of increasing insidiousness and sophistication are headline news on an almost daily basis. The line between criminal and political bad actors is increasingly blurred with each faction learning from the other. In addition, with cyberattack tools and techniques becoming more available via the dark web and other sources, the population of attackers continues to increase, with recent estimates putting the number of cyberattackers globally in the hundreds of thousands.

Cyber offenses against banks, clearers, insurers, and other major financial services sector participants will not abate any time soon. Looking at the velocity and frequency of attacks, the motivation for cyberattack upon financial services institutions can be several hundred times higher than for non-financial services organizations.

Observing these developments, regulators are prescribing increasingly stringent requirements for cyber risk management. New and emerging regulation will force changes on many fronts and will compel firms to demonstrate that they are taking cyber seriously in all that they do. However, compliance with these regulations will only be one step towards assuring effective governance and control of institutions’ Cyber Risk.

We explore the underlying challenges with regard to cyber risk management and analyze the nature of increasingly stringent regulatory demands. Putting these pieces together, we frame five strategic moves which we believe will enable businesses to satisfy business needs, their fiduciary responsibilities with regard to cyber risk, and regulatory requirements:

Seek to quantify cyber risk in terms of capital and earnings at risk.
Anchor all cyber risk governance through risk appetite.
Ensure effectiveness of independent cyber risk oversight using specialized skills.
Comprehensively map and test controls, especially for third-party interactions.
Develop and exercise major incident management playbooks.

These points are consistent with global trends for cyber risk management. Further, we believe that our observations on industry challenges and the steps we recommend to address them are applicable across geographies, especially when considering prioritization of cyber risk investments.

FIVE STRATEGIC MOVES

The current environment poses major challenges for Boards and management. Leadership has to fully understand the cyber risk profile the organization faces to simultaneously protect the institution against everchanging threats and be on the front foot with regard to increasing regulatory pressures, while prioritizing the deployment of scarce resources. This is especially important given that regulation is still maturing and it is not yet clear how high the compliance bars will be set and what resources will need to be committed to achieve passing grades.

With this in mind, we propose five strategic moves which we believe, based on our experience, will help institutions position themselves well to address existing cyber risk management challenges.

1) Seek to quantify cyber risk in terms of capital and earnings at risk

Boards of Directors and all levels of management intuitively relate to risks that are quantified in economic terms. Explaining any type of risk, opportunity, or tradeoff relative to the bottom line brings sharper focus to the debate.

For all financial and many non-financial risks, institutions have developed methods for quantifying expected and unexpected losses in dollar terms that can readily be compared to earnings and capital. Further, regulators have expected this as a component of regulatory and economic capital, CCAR, and/or resolution and recovery planning. Predicting losses due to Cyber is particularly difficult because it consists of a combination of direct, indirect, and reputational elements which are not easy to quantify. In addition, there is limited historical cyber loss exposure data available to support robust cyber risk quantification.

Nevertheless, institutions still need to develop a view of their financial exposures of cyber risk with different levels of confidence and understand how this varies by business line, process, or platform. In some cases, these views may be more expert based, using scenario analysis approaches as opposed to raw statistical modeling outputs. The objectives are still the same – to challenge perspectives as to

how much risk exposure exists,
how it could manifest within the organization,
and how specific response strategies are reducing the institution’s inherent cyber risk.

2) Anchor all cyber risk governance through risk appetite

Regulators are specifically insisting on the establishment of a cyber risk strategy, which is typically shaped by a cyber risk appetite. This should represent an effective governance anchor to help address the Board’s concerns about whether appropriate risks are being considered and managed effectively.

Setting a risk appetite enables the Board and senior management to more deeply understand exposure to specific cyber risks, establish clarity on the Cyber imperatives for the organization, work out tradeoffs, and determine priorities.

Considering cyber risk in this way also enables it to be brought into a common framework with all other risks and provides a starting point to discuss whether the exposure is affordable (given capital and earnings) and strategically acceptable.

Cyber risk appetite should be cascaded down through the organization and provide a coherent management and monitoring framework consisting of

metrics,
assessments,
and practical tests or exercises

at multiple levels of granularity. Such cascading establishes a relatable chain of information at each management level across business lines and functions. Each management layer can hold the next layer more specifically accountable. Parallel business units and operations can have common standards for comparing results and sharing best practices.

Finally, Second and Third Line can have focal points to review and assure compliance. A risk appetite chain further provides a means for the attestation of the effectiveness of controls and adherence to governance directives and standards.

Where it can be demonstrated that risk appetite is being upheld to procedural levels, management will be more confident in providing the attestations that regulators require.

cyber1

3) Ensure effectiveness of independent cyber risk oversight using specialized skills

From our perspective, firms face challenges when attempting to practically fit cyber risk management into a “Three Lines of Defense” model and align cyber risk holistically within an enterprise risk management framework.

CROs and risk management functions have traditionally developed specialized skills for many risk types, but often have not evolved as much depth on IT and cyber risks. Organizations have overcome this challenge by weaving risk management into the IT organization as a First Line function.

In order to more clearly segregate the roles between IT, business, and Information Security (IS), the Chief Information Security Officer (CISO) and the IS team will typically need to be positioned as a « 1.5 Line of Defense » position. This allows an Information Security group to provide more formal oversight and guidance on the cyber requirements and to monitor day-today compliance across business and technology teams.

Further independent risk oversight and audit is clearly needed as part of the Third Line of Defense. Defining what oversight and audit means becomes more traceable and tractable when specific governance mandates and metrics from the Board down are established.

Institutions will also need to deal with the practical challenge of building and maintaining Cyber talent that can understand the business imperatives, compliance requirements, and associated cyber risk exposures.

At the leadership level, some organizations have introduced the concept of a Risk Technology Officer who interfaces with the CISO and is responsible for integration of cyber risk with operational risk.

4) Comprehensively map and test controls, especially for the third party interactions

Institutions need to undertake more rigorous and more frequent assessments of cyber risks across operations, technology, and people. These assessments need to test

the efficacy of surveillance,
the effectiveness of protection and defensive controls,
the responsiveness of the organization,
and the ability to recover

in a manner consistent with expectations of the Board.

Given the new and emerging regulatory requirements, firms will need to pay closer attention to the ongoing assessment and management of third parties. Third parties need to be tiered based on their access and interaction with the institution’s high value assets. Through this assessment of process, institutions need to obtain a more practical understanding of their ability to get early warning signals against cyber threats. In a number of cases, a firm may choose to outsource more IT or data services to third party providers (e.g., Cloud) where they consider that this option represents a more attractive and acceptable solution relative to the cost or talent demands associated with maintaining Information Security in-house for certain capabilities. At the same time, the risk of third party compromise needs to be fully understood with respect to the overall risk appetite.

cyber3

5) Develop and exercise incident management playbooks

A critical test of an institution’s cyber risk readiness is its ability to quickly and effectively respond when a cyberattack occurs.

As part of raising the bar on cyber resilience, institutions need to ensure that they have clearly documented and proven cyber incident response plans that include

a comprehensive array of attack scenarios,
clear identification of accountabilities across the organization,
response strategies,
and associated internal and external communication scenarios.

Institutions need to thoroughly test their incident response plan on an ongoing basis via table top exercises and practical drills. As part of a table top exercise, key stakeholders walk through specific attack scenarios to test their knowledge of response strategies. This exercise provides an avenue for exposing key stakeholders to more tangible aspects of cyber risk and their respective roles in the event of a cyberattack. It also can reveal gaps in specific response processes, roles, and communications that the institution will need to address.

Last but not least, incident management plans need to be reviewed and refined based on changes in the overall threat landscape and an assessment of the institution’s cyber threat profile; on a yearly or more frequent basis depending on the nature and volatility of the risk for a given business line or platform.

CONCLUSION

Cyber adversaries are increasingly sophisticated, innovative, organized, and relentless in developing new and nefarious ways to attack institutions. Cyber risk represents a relatively new class of risk which brings with it the need to grasp the often complex technological aspects, social engineering factors, and changing nature of Operational Risk as a consequence of cyber.

Leadership has to understand the threat landscape and be fully prepared to address the associated challenges. It would be impractical to have zero tolerance to cyber risk, so institutions will need to determine their risk appetite with regard to cyber, and consequently, make direct governance, investment, and operational design decisions.

The new and emerging regulations are a clear directive to financial institutions to keep cyber risk at the center of their enterprise-wide business strategy, raising the overall bar for cyber resilience. The associated directives and requirements across the many regulatory bodies represent a good and often strong basis for cyber management practices but each institution will need to further ensure that they are tackling cyber risk in a manner fully aligned with the risk management strategy and principles of their firm. In this context, we believe the five moves represent multiple strategically important advances almost all financial services firms will need to make to meet business security, resiliency, and regulatory requirements.

cyber2

click here to access mmc’s cyber handbook

The Global Risks Landscape 2019

Publié le 27 janvier 201927 janvier 2019 par hanswillertbleuazurconsultingeu

Is the world sleepwalking into a crisis? Global risks are intensifying but the collective will to tackle them appears to be lacking. Instead, divisions are hardening. The world’s move into a new phase of strongly state-centred politics, noted in last year’s Global Risks Report, continued throughout 2018. The idea of “taking back control”— whether domestically from political rivals or externally from multilateral or supranational organizations — resonates across many countries and many issues. The energy now expended on consolidating or recovering national control risks weakening collective responses to emerging global challenges. We are drifting deeper into global problems from which we will struggle to extricate ourselves.

During 2018, macroeconomic risks moved into sharper focus. Financial market volatility increased and the headwinds facing the global economy intensified. The rate of global growth appears to have peaked: the latest International Monetary Fund (IMF) forecasts point to a gradual slowdown over the next few years. This is mainly the result of developments in advanced economies, but projections of a slowdown in China—from 6.6% growth in 2018 to 6.2% this year and 5.8% by 2022—are a source of concern. So too is the global debt burden, which is significantly higher than before the global financial crisis, at around 225% of GDP. In addition, a tightening of global financial conditions has placed particular strain on countries that built up dollar-denominated liabilities while interest rates were low.

Geopolitical and geo-economic tensions are rising among the world’s major powers. These tensions represent the most urgent global risks at present. The world is evolving into a period of divergence following a period of globalization that profoundly altered the global political economy. Reconfiguring the relations of deeply integrated countries is fraught with potential risks, and trade and investment relations among many of the world’s powers were difficult during 2018.

Against this backdrop, it is likely to become more difficult to make collective progress on other global challenges—from protecting the environment to responding to the ethical challenges of the Fourth Industrial Revolution. Deepening fissures in the international system suggest that systemic risks may be building. If another global crisis were to hit, would the necessary levels of cooperation and support be forthcoming? Probably, but the tension between the globalization of the world economy and the growing nationalism of world politics is a deepening risk.

Environmental risks continue to dominate the results of our annual Global Risks Perception Survey (GRPS). This year, they accounted for three of the top five risks by likelihood and four by impact. Extreme weather was the risk of greatest concern, but our survey respondents are increasingly worried about environmental policy failure: having fallen in the rankings after Paris, “failure of climate-change mitigation and adaptation” jumped back to number two in terms of impact this year. The results of climate inaction are becoming increasingly clear. The accelerating pace of biodiversity loss is a particular concern. Species abundance is down by 60% since 1970. In the human food chain, biodiversity loss is affecting health and socioeconomic development, with implications for well-being, productivity, and even regional security.

Technology continues to play a profound role in shaping the global risks landscape. Concerns about data fraud and cyber-attacks were prominent again in the GRPS, which also highlighted a number of other technological vulnerabilities: around two-thirds of respondents expect the risks associated with fake news and identity theft to increase in 2019, while three-fifths said the same about loss of privacy to companies and governments. There were further massive data breaches in 2018, new hardware weaknesses were revealed, and research pointed to the potential uses of artificial intelligence to engineer more potent cyberattacks. Last year also provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national grounds.

The importance of the various structural changes that are under way should not distract us from the human side of global risks. For many people, this is an increasingly anxious, unhappy and lonely world. Worldwide, mental health problems now affect an estimated 700 million people. Complex transformations— societal, technological and work-related—are having a profound impact on people’s lived experiences. A common theme is psychological stress related to a feeling of lack of control in the face of uncertainty. These issues deserve more attention: declining psychological and emotional wellbeing is a risk in itself—and one that also affects the wider global risks landscape, notably via impacts on social cohesion and politics.

Another set of risks being amplified by global transformations relate to biological pathogens. Changes in how we live have increased the risk of a devastating outbreak occurring naturally, and emerging technologies are making it increasingly easy for new biological threats to be manufactured and released either deliberately or by accident. The world is badly under-prepared for even modest biological threats, leaving us vulnerable to potentially huge impacts on individual lives, societal well-being, economic activity and national security. Revolutionary new biotechnologies promise miraculous advances, but also create daunting challenges of oversight and control—as demonstrated by claims in 2018 that the world’s first genemodified babies had been created.

Rapidly growing cities and ongoing effects of climate change are making more people vulnerable to rising sea levels. Two-thirds of the global population is expected to live in cities by 2050 and already an estimated 800 million people live in more than 570 coastal cities vulnerable to a sea-level rise of 0.5 metres by 2050. In a vicious circle, urbanization not only concentrates people and property in areas of potential damage and disruption, it also exacerbates those risks— for example by destroying natural sources of resilience such as coastal mangroves and increasing the strain on groundwater reserves. Intensifying impacts will render an increasing amount of land uninhabitable. There are three main strategies for adapting to rising sea-levels:

engineering projects to keep water out,
naturebased defences,
and peoplebased strategies, such as moving households and businesses to safer ground or investing in social capital

to make flood-risk communities more resilient.

In this year’s Future Shocks section, we focus again on the potential for threshold effects that could trigger dramatic deteriorations and cause cascading risks to crystallize with dizzying speed. Each of the 10 shocks we present is a “what-if” scenario—not a prediction, but a reminder of the need to think creatively about risk and to expect the unexpected. Among the topics covered this year are

quantum cryptography,
monetary populism,
affective computing
and the death of human rights.

In the Risk Reassessment section, experts share their insights about how to manage risks. John Graham writes about weighing the trade-offs between different risks, and András Tilcsik and Chris Clearfield write about how managers can minimize the risk of systemic failures in their organizations.

And in the Hindsight section, we revisit three of the topics covered in previous reports:

food security,
civil society
and infrastructure investment.

wef1

wef2

click here to access wef-mmc-zurich’s global risks report 2019

Global Governance Insights on Emerging Risks

Publié le 17 juin 201817 juin 2018 par hanswillertbleuazurconsultingeu

A HEIGHTENED FOCUS ON RESPONSE AND RECOVERY

Over a third of directors of US public companies now discuss cybersecurity at every board meeting. Cyber risks are being driven onto the agenda by

high-profile data breaches,
distributed denial of services (DDoS) attacks,
and rising ransomware and cyber extortion attacks.

The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15% of that loss is currently covered by insurance.

MMC Global Risk Center conducted research and interviews with directors from WCD to understand the scope and depth of cyber risk management discussions in the boardroom. The risk of cyberattack is a constantly evolving threat and the interviews highlighted the rising focus on resilience and recovery in boardroom cyber discussions. Approaches to cyber risks are maturing as organizations recognize them as an enterprise business risk, not just an information technology (IT) problem.

However, board focus varies significantly across industries, geographies, organization size and regulatory context. For example, business executives ranked cyberattacks among the top five risks of doing business in the Asia Pacific region but Asian organizations take 1.7 times longer than the global median to discover a breach and spend on average 47% less on information security than North American firms.

REGULATION ON THE RISE

Tightening regulatory requirements for cybersecurity and breach notification across the globe such as

the EU GDPR,
China’s new Cyber Security Law,
and Australia’s Privacy Amendment,

are also propelling cyber onto the board agenda. Most recently, in February 2018, the USA’s Securities and Exchange Commission (SEC) provided interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of cyber risks. Industries such as

financial services,
telecommunications
and utilities,

are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity.

Kris Manos, Director, KeyCorp, Columbia Forest Products, and Dexter Apache Holdings, observed, “The manufacturing sector is less advanced in addressing cyber threats; the NotPetya and WannaCry attacks flagged that sector’s vulnerability and has led to a greater focus in the boardroom.” For example, the virus forced a transportation company to shut down all of its communications with customers and also within the company. It took several weeks before business was back to normal, and the loss of business was estimated to have been as high as US$300 million. Overall, it is estimated that as a result of supply chain disruptions, consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities reportedly suffered, in aggregate, over US$1 billion in economic losses from the NotPetya attacks. Also, as Cristina Finocchi Mahne, Director, Inwit, Italiaonline, Banco Desio, Natuzzi and Trevi Group, noted, “The focus on cyber can vary across industries depending also on their perception of their own clients’ concerns regarding privacy and data breaches.”

LESSONS LEARNED: UPDATE RESPONSE PLANS AND EVALUATE THIRD-PARTY RISK

The high-profile cyberattacks in 2017, along with new and evolving ransomware onslaughts, were learning events for many organizations. Lessons included the need to establish relationships with organizations that can assist in the event of a cyberattack, such as l

aw enforcement,
regulatory agencies and recovery service providers
including forensic accountants and crisis management firms.

Many boards need to increase their focus on their organization’s cyber incident response plans. A recent global survey found that only 30% of companies have a cyber response plan and a survey by the National Association of Corporate Directors (NACD) suggests that only 60% of boards have reviewed their breach response plan over the past 12 months. Kris Manos noted, “[If an attack occurs,] it’s important to be able to quickly access a response plan. This also helps demonstrate that the organization was prepared to respond effectively.”

Experienced directors emphasized the need for effective response plans alongside robust cyber risk mitigation programs to ensure resilience, as well as operational and reputation recovery. As Jan Babiak, Director, Walgreens Boots Alliance, Euromoney Institutional Investor, and Bank of Montreal, stressed, “The importance of the ’respond and recover’ phase cannot be overstated, and this focus needs to rapidly improve.”

Directors need to review how the organization will communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders including customers, suppliers, regulators, employees, the board, shareholders, and even the general public. The plan should also consider legal requirements around timelines to report breaches so the organization is not hit with financial penalties that can add to an already expensive and reputationally damaging situation. Finally, the response plan also needs to consider that normal methods of communication (websites, email, etc.) may be casualties of the breach. A cyber response plan housed only on the corporate network may be of little use in a ransomware attack.

Other lessons included the need to focus on cyber risks posed by third-party suppliers, vendors and other impacts throughout the supply chain. Shirley Daniel, Director, American Savings Bank, and Pacific Asian Management Institute, noted, “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain.” Survey data suggests that about a third of organizations do not assess the cyber risk of vendors and suppliers. This is a critical area of focus as third-party service providers (e.g., software providers, cloud services providers, etc.) are increasingly embedded in value chains.

FRUSTRATIONS WITH OVERSIGHT

Most directors expressed frustrations and challenges with cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41% of respondents said their board had at least one director with cyber expertise, with an additional 7% who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.

A crucial additional challenge is obtaining clarity on the organization’s overall cyber risk management framework. (See Exhibit 1: Boards Need More Information on Cyber Investments.) Olga Botero, Director, Evertec, Inc., and Founding Partner, C&S Customers and Strategy, observed, “There are still many questions unanswered for boards, including:

How good is our security program?
How do we compare to peers?

There is a big lack of benchmarking on practices.” Anastassia Lauterbach, Director, Dun & Bradstreet, and member of Evolution Partners Advisory Board, summarized it well, “Boards need a set of KPIs for cybersecurity highlighting their company’s

unique business model,
legacy IT,
supplier and partner relationships,
and geographical scope.”

CR Ex 1

Nearly a quarter of boards are dissatisfied with the quality of management-provided information related to cybersecurity because of insufficient transparency, inability to benchmark and difficulty of interpretation.

EFFECTIVE OVERSIGHT IS BUILT ON A COMPREHENSIVE CYBER RISK MANAGEMENT FRAMEWORK

Organizations are maturing from a “harden the shell” approach to a protocol based on understanding and protecting core assets and optimizing resources. This includes the application of risk disciplines to assess and manage risk, including quantification and analytics. (See Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework.) Quantification shifts the conversation from a technical discussion about threat vectors and system vulnerabilities to one focused on maximizing the return on an organization’s cyber spending and lowering its total cost of risk.

CR Ex 2

Directors also emphasized the need to embed the process in an overall cyber risk management framework and culture. “The culture must emphasize openness and learning from mistakes. Culture and cyber risk oversight go hand in hand,” said Anastassia Lauterbach. Employees should be encouraged to flag and highlight potential cyber incidents, such as phishing attacks, as every employee plays a vital role in cyber risk management. Jan Babiak noted, “If every person in the organization doesn’t view themselves as a human firewall, you have a soft underbelly.” Mary Beth Vitale, Director, GEHA and CoBiz Financial, Inc., also noted, “Much of cyber risk mitigation is related to good housekeeping such as timely patching of servers and ongoing employee training and alertness.”

Boards also need to be alert. “Our board undertakes the same cybersecurity training as employees,” noted Wendy Webb, Director, ABM Industries. Other boards are putting cyber updates and visits to security centers on board “offsite” agendas.

THE ROLE OF CYBER INSURANCE

Although the perception of many directors is that cyber insurance provides for limited coverage, the insurance is increasingly viewed as an important component of a cyber risk management framework and can support response and recovery plans. Echoing this sentiment, Geeta Mathur, Director, Motherson Sumi Ltd, IIFL Holdings Ltd, and Tata Communication Transformation Services Ltd., commented, « There is a lack of information and discussion on risk transfer options at the board level. The perception is that it doesn’t cover much particularly relating to business interruption on account of cyber threats.” Cristina Finocchi Mahne also noted, “Currently, management teams may not have a positive awareness of cyber insurance, but we expect this to rapidly evolve over the short-term.”

Insurance does not release the board or management from the development and execution of a robust risk management plan but it can provide a financial safeguard against costs associated with a cyber event. Cyber insurance coverage should be considered in the context of an overall cyber risk management process and cyber risk appetite.

With a robust analysis, the organization can

quantify the price of cyber risk,
develop effective risk mitigation,
transfer and risk financing strategy,
and decide if – and how much – cyber insurance to purchase.

This allows the board to have a robust conversation on the relationship between risk, reward and the cost of mitigation and can also prompt an evaluation of potential consequences by using statistical modeling to assess different damage scenarios.

CYBER INSURANCE ADOPTION IS INCREASING

The role of insurance in enhancing cyber resilience is increasingly being recognized by policymakers around the world, and the Organisation of Economic Co-operation and Development (OECD) is recommending actions to stimulate cyber insurance adoption.

Globally, it is expected the level of future demand for cyber insurance will depend on the frequency of high-profile cyber incidents as well as the evolving legislative and regulatory environment for privacy protections in many countries. In India, for example, there was a 50% increase in companies buying cybersecurity coverage 2016 to 2017. Research suggests that only 40% of US boards have reviewed their organization’s cyber insurance coverage in the past 12 months.

LIMITING FINANCIAL LOSSES

In the event of a debilitating attack, cyber insurance and associated services can limit an organization’s financial damage from direct and indirect costs and help accelerate its recovery. (See Exhibit 3: Direct and Indirect Costs Associated with a Cyber Attack.) For example, as a result of the NotPetya attack, one global company reported a decline in operating margins and income, with losses in excess of US$500 million in the last fiscal year. The company noted the costs were driven by

investments in enhanced systems in order to prevent future attacks;
cost of incentives offered to customers to restore confidence and maintain business relationships;
additional costs due to claims for service failures; costs associated with data breach or data loss due to third-parties;
and “other consequences of which we are not currently aware but may subsequently discover.”

Indeed, the very process of assessing and purchasing cyber insurance can bolster cyber resilience by creating important incentives that drive behavioral change, including:

Raising awareness inside the organization on the importance of information security.
Fostering a broader dialogue among the cyber risk stakeholders within an organization.
Generating an organization-wide approach to ongoing cyber risk management by all aspects of the organization.
Assessing the strength of cyber defenses, particularly amid a rapidly changing cyber environment.

CR Ex 3

Click here to access Marsh’s and WCD’s detailed report

Targeting A Technology Dividend In Risk Management

Publié le 1 juin 2018 par hanswillertbleuazurconsultingeu

Many drivers are shaping the context of risk management today. Macroeconomic headwinds, global geopolitical uncertainty, and ever more frequent and damaging cyber events have been in the vanguard of the challenges leading to heightened risk perceptions.

MACROECONOMIC HEADWINDS

Macroeconomic headwinds driven by global and Asian debt levels, low growth, anti-globalization sentiments, increasing policy uncertainty and the expected hike in US interest rates, all represent significant challenges. As Andrew Glenister, Regional Risk Advisor at BT Hong Kong, notes: “Macroeconomic and geopolitical risks are an increasing part of our internal discussions, particularly across Asia and Africa, and recent surprises on the world’s political scene have demonstrated that nothing can be taken for granted, and that the experts aren’t always right! At the same time our business is facing new challenges from the changing regulatory and global environment and can be impacted by a far greater range and variety of events from across the world.”

These challenges are particularly pronounced for export-dependent economies, which comprise most of Asia. Concurrently, many leading economies in Asia-Pacific such as China, Singapore, and Australia are struggling to maintain labor productivity and productivity growth. Productivity-enhancing policies are required, including capital investments in new technology and workforce development. These new technologypowered productivity strategies will inevitably bring modifications to risk management and the role of the risk function. Risk teams will need to use their established capabilities to anticipate potential implications of this context, and develop new capabilities for managing risks using emerging technologies.

HIDDEN RISKS ARISING FROM NEW TECHNOLOGIES

Global perceptions of risk, as measured in Marsh & McLennan Company’s annual work with the World Economic Forum, are more elevated than ever. Technological advancements, for example, are increasingly exposing organizations to emerging risks such as data fraud and cybersecurity threats. Indeed, the WannaCry and Petya ransomware attacks were a harsh reminder of this for firms across the globe. This point of view is well echoed in our survey, in which 51 percent of respondents state that cybersecurity risk is the second-most impactful risk for their firms, following strategic risk.

In fact, two of the three most pressing global risks identified by risk managers relate to technology and cybersecurity. Moreover, as reflected in the MMC Asia Pacific Risk Center’s annual Evolving Risk Concern in Asia-Pacific report, the interconnectedness of risks – which may not be apparent to businesses – compounds the impacts of risk events. For example, the effects of advancement in automation may lead to rising economic inequality as it threatens to displace manufacturing jobs that have been the main livelihood of millions of lower-income Asians. As Susan Valdez, Senior Vice President and Chief Corporate Services Officer of Aboitiz Equity Ventures (and a PARIMA Philippines board member) points out, “Corporate digital transformation creates a whole new set of risks and could alter the context of cyber risk and information security risk. Because of the evolving nature of threats from hacking, malware, phishing and other forms of attacks, existing mitigations are constantly challenged and need to be continually updated to address vulnerabilities.” The confluence of risks facing Asia-Pacific is posing significant challenges to businesses.

THE EVOLVING REGULATORY LANDSCAPE

A “deluge of regulation” has followed the dramatic events of the Global Financial Crisis, especially in financial service industries. Non-financial service industries also face a rising tide of regulation, motivated by trends such as cybersecurity concerns, rising anti-globalization sentiments and climate change, just to name a few. Asia-Pacific regulators are following international precedent by increasing oversight of multiple areas including stress testing, recovery and resolution planning, as well as in required capital estimation regulation.

An increasing number of Asia-Pacific countries including China, Singapore, and Australia have recently introduced cybersecurity laws to be in line with the global best practice. Moreover, rising protectionism including sudden changes in trade policies, taxes or tariff regulations have been witnessed in other regions, which also create increased pressure on risk management.

RM Function.png

Click here to access Marsh Parima study