2019 was no picnic for anyone involved with the management of risk and as we enter into a new decade, the issues firms must mitigate against are diverse and extremely complex. Climate risk is no longer just a concern for Business Continuity, but instead needs to be considered from a reputational and potentially regulatory perspective. The growth of mafia-like cybercriminal gangs, increased political unrest and implementation of GDPR are making things increasingly challenging for those tasked with managing cyber and IT risk. And in a post-‘Me Too’ world, firms need to ensure they are doing everything they can to ensure employees feel safe at work.
Cyber attacks will always be included in any report looking at future business risks; the evolutionary nature of technology guarantees this. But ‘cyber risk’ comes in many guises – and more so now than ever before. Recent geopolitical developments have had a marked impact on rates of ransomware attacks across the globe – perhaps unsurprisingly in the US. According to The State of Ransomware in the US: Report and Statistics 2019 released by cyber security software firm Emsisoft, the US saw its highest ever number of ransomware attacks in 2019, with at least 966 municipal government agencies, healthcare providers and educational institutions targeted by cybercriminals. Though it’s difficult to determine the exact financial impact of these attacks, Emsisoft suggests it could be in the region of US$7.5bn. Some argue the cost of the US government’s inertia on the matter could have been far worse though: “The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck and that luck may not continue into 2020,” said Emsisoft chief technology officer, Fabian Wosar. “Governments and the health and education sectors must do better.”
In the first half of 2019 alone, ransomware attacks increased by 195% in the UK, according to the SonicWall 2019 Cyber Threat Report – despite a 59% decline in this type of attack in 2018. High-profile breaches continue to hit the headlines on a regular basis; London-based foreign exchange company Travelex was attacked on New Year’s Eve by cyber criminals who stole customer data including credit card details, dates of birth and national insurance numbers. Sodinokibi, the ransomware gang responsible for the attack, has demanded £4.6m for the safe return of the data. Travelex was forced to suspend its online services to prevent the malignant software from spreading further into the network, and at the time of writing, its website had been down for more than three weeks. This has meant customers are unable to order currency online, either from Travelex or any bank that uses its service, including Barclays, Lloyds, RBS, Sainsbury’s and Tesco. This is just one example of millions of ransomware attacks happening across the globe every month. Silicon Valley-based cybersecurity firm, SonicWall, has attributed this growth to the development of ransomware as a service (RaaS); basically software as a service (SaaS) for criminals. This means “attack kits” can be purchased on the Dark Web as a subscription, allowing individuals to wreak havoc at the click of a mouse.
Data privacy breach
The impact of GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) is finally being felt, with companies scrambling at the beginning of last year to update their data privacy policies and ensure opt-in from consumer databases. But despite the dawn of these two important pieces of legislation, data breaches were worse than ever in 2019, with the average cost of a breach reaching a new high of US$3.92m, according to IBM. “Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services. “With organisations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs.”
The cloud presents another data security challenge for financial institutions as they grapple with the conflicting needs of the organisation to become more agile, whilst keeping data safe. In a recent blog on the topic, Ian Robotham, client technical leader for IBM Global Markets, highlighted some of the key conflicts responsible for the delay in uptake of cloud services in finance. “It’s become clear that the larger banks have a more cautious risk appetite to the emerging challengers, as well as a more complex existing infrastructure environment which drives a fractured approach to public cloud adoption,” he wrote. “In addition, the higher the risk and their exposure to regulatory oversight, the lower the propensity to adopt…Resiliency is of key importance and especially given the current regulator focus in this area.” He suggests multi-site or even multi-cloud options might be most appropriate for firms looking to bite the bullet and adopt in 2020.
But data breaches can occur regardless of where your data is stored, if you hand it over willingly. Business email compromise (BEC) or ‘whaling attacks’ as they are also known are on the rise and are using increasingly sophisticated methodology, combining social engineering and ‘deep fakes’ to convince high-level executives they are talking to a colleague via email. A deep fake is a video or image that makes use of artificial neural networks – in basic terms, computer models that imitate human learning – to create an extremely convincing, fabricated image or video of a person the recipient knows and trusts. This is then used to get access to funds or data. The FBI’s latest Internet Crime Report found that the cost of BEC attacks to businesses in the US in the five years between 2013 and 2018 increased from US$60m to US$1.3bn. As criminals develop new, more-complex methods of accessing data, firms will need to counter it with increased expertise, tighter governance and a proactive (rather than reactive) approach to technology uptake.
Operational resilience was a topic raised by a number of risk managers consulted in the process of writing this report. With the Financial Conduct Authority (FCA) and Prudential Regulation Authority’s (PRA) separate proposals to overhaul how firms approach operational
resilience, this will be a key issue for UK financial institutions in 2020. New rules are still
at the consultation stage, but if and when implemented, will require firms to be much more outward looking; taking into consideration not just their own exposures, but the impact they may have on the UK’s financial system as a whole. Firms will need to identify important business services that, if disrupted, could cause harm to consumers or market integrity. From this, they will be required to set “impact tolerances”, or thresholds for the maximum level of disruption the firm could withstand. The proposals focus particularly on the use of third parties, with firms required to “identify and document the people, processes, technology, facilities and information that support a firm’s important business services.” They will also be expected to test the resilience of those third parties, which could prove difficult to do accurately.
It’s worth noting that the two consultation papers (CPs) don’t necessarily complement each other, as highlighted in an FT Advisor piece by Angela Greenough and Ian Stevens: “There is an inherent tension within the CPs; on the one hand firms are encouraged to invest in new solutions to fix out-dated infrastructure, but then, on the other hand, they are challenged on their ability to oversee third-party suppliers.” Finding the right balance between third-party investment and management of that risk will be key. Employing and retaining the right highly skilled people to manage this will be a mammoth task in itself.
Pandemics and contagion are another key consideration for firms when it comes to operational resilience. At the time of writing, the coronavirus had infected more than 5,000 people in 16 countries including the US, and claimed 132 lives in China, with 12 cities on lockdown. Wuhan, the Chinese city that is believed to have been the source of the outbreak, is densely populated, a major transport hub and has markets selling animals – making it the perfect breeding ground for the disease. The virus is what is known as a novel coronavirus, which means that it is a brand new strain; and is passed from person to person, not simply from animals to people, as all previous coronaviruses have been. The travel industry has been hit particularly hard by the outbreak, with 400 million people having planned to go away
for Chinese New Year. As cities become increasingly densely populated and the demand for
meat/livestock grows, these types of outbreaks could become more and more commonplace. This highlights the importance of ensuring infrastructure for remote working and online banking services are up to scratch, particularly for operations in areas of dense population and rapid economic growth. Locations for disaster recovery sites should also be chosen in the context of pandemics, i.e. in areas that are sparsely populated with fewer links for transport. Firms might also need to consider their exposure to EM equities.
According to the World Economic Forum (WEF), over 50% of the world’s GDP is highly or moderately dependent on nature, equating to around US$44tn. It was high on the agenda in Davos, with severe threats to our climate accounting for all of the top long-term risks listed in the WEF’s Global Risks Report 2020.
Could 2020 be the year businesses finally get serious about climate change? And what does this mean from a risk management perspective? “There is mounting pressure on companies from investors, regulators, customers and employees to demonstrate their resilience to rising climate volatility,” says John Drzik, chairman of Marsh & McLennan Insights. “Scientific advances mean that climate risks can now be modelled with greater accuracy and incorporated into risk management and business plans. High-profile events, like recent wildfires in Australia and California, are adding pressure on companies to take action on climate risk at a time when they also face greater geopolitical and cyber-risk challenges.”
BlackRock, the world’s largest fund manager, made its stance on climate risk clear earlier this year, when CEO Harry Fink published an open letter to CEOs. The letter highlighted the potential impact of climate change on the market for municipal bonds, questioning the future of the 30-year mortgage if lenders can’t estimate the impact of floods, drought and other extreme weather events: “What happens to inflation, and in turn interest rates, if the cost of food climbs from drought and flooding? How can we model economic growth if emerging markets see their productivity decline due to extreme heat and other climate impacts?… Investors are increasingly reckoning with these questions and recognising that climate risk is investment risk. Indeed, climate change is almost invariably the top issue that clients around the world raise with BlackRock…They are seeking to understand both the physical risks associated with climate change as well as the ways that climate policy will impact prices, costs and demand across the entire economy.” This, argues Fink, will see a significant relocation of capital, reshaping finance as we know it.
This is part of a larger issue for firms; one that involves reputation and perception of integrity as a business. Fink suggests companies cannot expect to achieve long-term profits if they do not consider the bigger picture and the ethical impact of their actions. “A pharmaceutical company that hikes prices ruthlessly, a mining company that short changes safety, a bank that fails to respect its clients – these companies may maximise returns in the short term…But, as we have seen again and again, these actions that damage society will catch up with a company and destroy shareholder value.”
BlackRock has announced several initiatives to place sustainability at the centre of its approach to investment recently, including exiting investments that present a high sustainability-related risk, such as thermal coal producers. Going forward, companies will need to be far more transparent and demonstrate they can deliver on their promises to address climate risk. The Bank of England continues to discuss what the regulatory impact of climate change should be and will use its 2021 biennial exploratory scenario to help define some of the risks posed by this issue.
Another side effect of increased public engagement with climate change is the potential for business disruption from activists and activist shareholders. BlackRock has been a target for climate change demonstrations in recent months, with protestors gluing themselves to the doors of the firm’s London office and dumping ash outside to represent the destruction of the Amazonian rainforest. Despite Fink’s announcement, BlackRock has faced calls from shareholders to do more to address climate change, including from activist investor, Chris Hohn. Critics suggest the fund manager has failed to live up to the promises it made in a landmark report it published on climate change risk in 2016, with the Government Pension Investment Fund of Japan withdrawing US$1.5tn of investment because of this.
Banks must also think not just about the actions of the companies and sectors they do business with, but whether their own actions are sustainable too, says Mike Finlay, chief executive of RiskBusiness: “Many risk management practices, such as redundant hot standby disaster recovery sites, multiple business continuity exercises requiring parallel running of live and backup locations, hot standby generators, powered security doors…never mind the unthinking use of private executive jets, continuous travel between locations, keeping electric lighting in enormous head offices ablaze all night…all contribute to global warming, the depletion of natural resources and escalating environmental damage. It’s time to wake up and recognise that environmental risk, or the green swan, is the risk of the next decade.”
Non-compliance with regulatory change
Regulatory change is a recurring challenge for businesses, but is perhaps more relevant right now than ever before. New regulation on operational resilience in the UK (as mentioned above) will be a key issue for financial institutions in 2020, along with numerous other directives in the pipeline. But the added (seemingly unending) uncertainty around Brexit gives
the perennial regulatory challenge an extra kick. Despite Brexit, the UK has promised to abide by all new and existing EU legislation and the UK government has made a commitment to leave the EU with a withdrawal agreement on 31st January. If this is successful, the UK will enter an implementation period until 31st December, when it will negotiate its future relationship with the EU. EU law will continue to apply in the UK during this time and the FCA has said it “expects firms to consider how the end of the implementation period will affect them and their customers, as well as what action firms will need to take to be ready for January 1, 2021.” The growth of anti-globalisation in politics, increasing trade tension between the US and China, plus recent developments in Iran, are likely to continue to reshape international financial regulation for some time.
Technological advances are also a key focus for regulatory bodies for 2020, including the impact of artificial intelligence (AI) on corporate governance. The UK’s Financial Reporting Council is to be replaced in 2020 by a new regulatory entity called the Audit, Reporting and Governance Authority (ARGA). One of ARGA’s likely focusses will be to implement a new corporate governance code for the use of AI – though uptake in financial services is much slower than other sectors. Siloed data, out-dated IT infrastructures and regulatory compliance are holding banks back from adopting this technology. “Consumers will demand it. Technology competition will necessitate it. The challenge is: banks aren’t built to deliver those capabilities,” said Richard Fairbank, CEO of Capital One, on the issue last year. As consumers demand more personalised, streamlined services from financial institutions, banks will inevitably begin to tap into this trend in 2020, presenting more regulatory challenges.
Failure to detect or report money laundering
The EU’s Fifth Money Laundering Directive, more commonly known as 5AMLD came into play on the 10th January this year and will tighten existing UK rules with the hope of stemming the flow of an estimated £90bn of illegal funds laundered through UK financial institutions each year. The UK likes to see itself as something of a leader in the fight against money laundering and corruption; so much time and resource has been dedicated to ensuring AML rules remain appropriate. These latest reforms equate to increased customer due diligence obligations and more detailed reporting and risk assessment requirements, with the onus on senior management to ensure the new rules are implemented.
Standard Chartered was hit hard last year for AML failures, receiving £842m of fines from UK and US authorities for inadequate money laundering controls and sanctions breaches with countries including Iran. The bank laid much of the blame on two former employees who were “aware of certain customers’ Iranian connections and conspired with them to break the law, deceive the group and violate its policies”; highlighting the importance of internal controls in the context of AML.
Several other banks were burnt by AML failures last year. According to the Association of Certified Financial Crime Specialists (CFCS), 2019 saw 58 AML penalties issued globally. Firms in the UK, US, Belgium, Bermuda, France, Germany, Hong Kong, India, Ireland, Latvia, Lithuania, the Netherlands, Norway and Tanzania, were fined a collective total of US$8.14bn – almost double the amount issued in 2018. Some of the highest fines went to ABN Amro, ING, Danske Bank and Westpac. “Penalties were handed out by 14 countries, compared to just three a decade ago in 2009,” said CFCS. “We are not expecting the spotlight on money laundering to dim.”
Independent research and advisory firm, Aite Group, conducted a study into the key trends driving AML compliance transformation in 2020 and beyond. It found that the top two “pain points” faced by financial institutions when it came to AML compliance were: keeping up with new products, services and technology; and harnessing internal data to feed analytics/detection. Other key challenges included a lack of sufficient qualified AML staff and keeping up with new AML requirements and regulatory scrutiny.
Rules surrounding the use of offshore tax havens have been tightened under 5AMLD, meaning firms must “include new additional high-risk factors when assessing the need for enhanced due diligence, and seek additional information and monitoring in certain cases.” This includes transactions between parties in high-risk third countries. Firms will also be required to update any records relating to the beneficial ownership of corporate clients as part of a move to tighten KYC measures: “Firms also need to understand the ownership and control structure of their corporate customers and record any difficulties encountered in identifying beneficial ownership,” says the FCA. The cost impact of this to correspondent banks could be considerable. According to Thomson Reuters, firms already spend up to US$500m per year on KYC and customer due diligence.
Major technology failure/outage
As technology advances to keep up with consumer demand, it seems that many firms are struggling to manage this change. An IT outage study by SaaS-based performance monitoring platform, LogicMonitor, found that human error was the leading cause of IT outages in the US and Canada and the third largest cause globally. 96% of respondents claimed their organisations had suffered at least one outage during the previous three years and according to global IT decision makers, 51% of these outages were avoidable. Companies that have frequent outages and brownouts (an intentional or unintentional drop in electricity voltage) experience up to 16 times higher costs than companies who have fewer instances of downtime, according to the study. It listed the following as the top reported business impacts of downtime: lost revenue; compliance failure; damage to the brand; lowered stock price; mitigation costs; lost productivity; costs to mitigate and recover from a brownout; career negatively impacted; and business failure.
An increased regulatory focus on IT resilience in 2020 as a result of large-scale outages across the industry, was inevitable. The FCA and PRA’s proposals relating to operational resilience were brought about largely as a reaction to the growth in technology uptake in the sector – and the resultant rise in outages. Megan Butler, executive director of supervision at the FCA said in a speech about the proposals on operational resilience rules last year: “When we launched the discussion paper, we referred to the increasingly interconnected and technology-driven operating environment. We are concerned that these complex interdependencies increase the likelihood of a major disruptive event spreading quickly. It could be the failure of a shared piece of connectivity used in wholesale markets, or loss of access to a major cloud provider.” She stressed that the guidelines were not a box-ticking exercise: “This is not about what you are willing to, or think you can, get away with, because you think the worst is unlikely to happen. We need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen.”
The Australian Prudential Regulatory Authority (APRA) has expressed concerns about the state of IT resilience in Australian insurance firms, too. In its annual report, the regulator highlighted the risks associated with outsourcing critical business systems to third parties: “APRA’s expectation is that entities adopt sound prudential practices in managing these outsourcing arrangements and demonstrate the ability to understand and manage the associated risks,” it said. In October 2019, APRA carried out an investigation into private health insurance firms’ IT security and will be using the information gleaned from this exercise to create benchmarking and self-assessment guidelines. Firms are already implementing APRA’s Prudential Standard CPS 234, Information Security, which came into play in July last year, so IT and cyber risk will require a lot of resource going forward.
Sexual discrimination, bullying and harassment of staff
Toxic masculinity, gender discrimination and a culture of misconduct in the City and Wall Street have been well documented over the years. But as we enter 2020, the legacy of the ‘Me Too’ and ‘Times Up’ campaigns has trickled down from Hollywood and will force firms to take real action on this issue. A Lloyd’s of London culture survey last year found that 8% of 6,000 respondents had witnessed sexual harassment over the previous 12 months, while less than half of respondents (45%) said they would feel comfortable raising a concern. 22% said they had seen people in their organisation turn a blind eye to inappropriate behaviour and 40% felt under excessive pressure to perform at work. Lloyd’s has implemented a series of
actions designed to make the market “a place where everyone can feel safe, valued and respected”, off the back of the survey, which also looked at employee wellbeing and adequate leadership.
The tribunal case brought by female banker Stacey Macken last year against BNP Paribas illustrated just how far the City still has to go with respect to sexual discrimination and gender inequality. Macken claimed she was discriminated against because of her gender and paid hundreds of thousands of pounds less than her male counterparts who had the same job title. She also claims she was harassed, bullied and repeatedly told “not now Stacey” by
one of her bosses in response to questions. The judge upheld her complaints over unequal pay, but dismissed her harassment claims. “No one really understands the scale of the issue because the majority of people are too afraid to report discrimination and harassment,”
Macken told The Guardian. “If you are brave enough to raise an issue to your employer, then it might not be investigated properly and you could be blamed, gagged and lose your job as a result.”
All types of discrimination, whether it be sexual, racial or otherwise, have risen up the corporate agenda considerably in recent years and victories like Macken’s will become more common. The FCA has made clear its stance on sexual harassment and firm’s need to ensure there are frameworks in place to allow proper reporting of these issues under the Senior Managers and Certification Regime implemented last year. As increasing numbers of victims feel empowered to speak out thanks to greater media coverage, firms should be prepared to handle this appropriately.
Most (if not all) of the above challenges are interconnected. Technology outages feed into cyber and data risk, which feeds into fraud and even geopolitical risk and employee discrimination (disgruntled employees are not who you want in charge of your data.) All of this impacts on future regulation, creating governance and compliance risks. The above list is by no means exhaustive and is simply a snapshot of what may lie ahead. Perhaps, as one contributor to this report suggested, using the term “risk” at all in this context is no longer appropriate as it is ill-defined and can be unhelpfully negative: “Although the term ‘risk’ is in very common usage, no one agrees what it means…From my perspective the most challenging issue for businesses in the year ahead is the same as it was for last year and, indeed, for all the years preceding. That is, to make good decisions that allow them to achieve their purpose.”