Global Governance Insights on Emerging Risks


Bleu Azur Consulting | June 17, 2018

A HEIGHTENED FOCUS ON RESPONSE AND RECOVERY

Over a third of directors of US public companies now discuss cybersecurity at every board meeting. Cyber risks are being driven onto the agenda by

  • high-profile data breaches,
  • distributed denial of services (DDoS) attacks,
  • and rising ransomware and cyber extortion attacks.

The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15% of that loss is currently covered by insurance.

MMC Global Risk Center conducted research and interviews with directors from WCD to understand the scope and depth of cyber risk management discussions in the boardroom. The risk of cyberattack is a constantly evolving threat and the interviews highlighted the rising focus on resilience and recovery in boardroom cyber discussions. Approaches to cyber risks are maturing as organizations recognize them as an enterprise business risk, not just an information technology (IT) problem.

However, board focus varies significantly across industries, geographies, organization size and regulatory context. For example, business executives ranked cyberattacks among the top five risks of doing business in the Asia Pacific region but Asian organizations take 1.7 times longer than the global median to discover a breach and spend on average 47% less on information security than North American firms.

REGULATION ON THE RISE

Tightening regulatory requirements for cybersecurity and breach notification across the globe such as

  • the EU GDPR,
  • China’s new Cyber Security Law,
  • and Australia’s Privacy Amendment,

are also propelling cyber onto the board agenda. Most recently, in February 2018, the USA’s Securities and Exchange Commission (SEC) provided interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of cyber risks. Industries such as

  • financial services,
  • telecommunications
  • and utilities,

are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity.


Kris Manos, Director, KeyCorp, Columbia Forest Products, and Dexter Apache Holdings, observed, “The manufacturing sector is less advanced in addressing cyber threats; the NotPetya and WannaCry attacks flagged that sector’s vulnerability and have led to a greater focus in the boardroom.” For example, the virus forced a transportation company to shut down all of its communications with customers and also within the company. It took several weeks before business was back to normal, and the loss of business was estimated to have been as high as US$300 million. Overall, it is estimated that as a result of supply chain disruptions, consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities suffered, in aggregate, over US$1 billion in economic losses from the NotPetya attacks. Also, as Cristina Finocchi Mahne, Director, Inwit, Italiaonline, Banco Desio, Natuzzi and Trevi Group, noted, “The focus on cyber can vary across industries depending also on their perception of their own clients’ concerns regarding privacy and data breaches.”

LESSONS LEARNED: UPDATE RESPONSE PLANS AND EVALUATE THIRD-PARTY RISK

The high-profile cyberattacks in 2017, along with new and evolving ransomware onslaughts, were learning events for many organizations. Lessons included the need to establish relationships with organizations that can assist in the event of a cyberattack, such as

  • law enforcement,
  • regulatory agencies,
  • and recovery service providers, including forensic accountants and crisis management firms.

Many boards need to increase their focus on their organization’s cyber incident response plans. A recent global survey found that only 30% of companies have a cyber response plan and a survey by the National Association of Corporate Directors (NACD) suggests that only 60% of boards have reviewed their breach response plan over the past 12 months. Kris Manos noted, “[If an attack occurs,] it’s important to be able to quickly access a response plan. This also helps demonstrate that the organization was prepared to respond effectively.”

Experienced directors emphasized the need for effective response plans alongside robust cyber risk mitigation programs to ensure resilience, as well as operational and reputation recovery. As Jan Babiak, Director, Walgreens Boots Alliance, Euromoney Institutional Investor, and Bank of Montreal, stressed, “The importance of the ‘respond and recover’ phase cannot be overstated, and this focus needs to rapidly improve.”

Directors need to review how the organization will communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders including customers, suppliers, regulators, employees, the board, shareholders, and even the general public. The plan should also consider legal requirements around timelines to report breaches so the organization is not hit with financial penalties that can add to an already expensive and reputationally damaging situation. Finally, the response plan also needs to consider that normal methods of communication (websites, email, etc.) may be casualties of the breach. A cyber response plan housed only on the corporate network may be of little use in a ransomware attack.

Other lessons included the need to focus on cyber risks posed by third-party suppliers, vendors and other impacts throughout the supply chain. Shirley Daniel, Director, American Savings Bank, and Pacific Asian Management Institute, noted, “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain.” Survey data suggests that about a third of organizations do not assess the cyber risk of vendors and suppliers. This is a critical area of focus as third-party service providers (e.g., software providers, cloud services providers, etc.) are increasingly embedded in value chains.


FRUSTRATIONS WITH OVERSIGHT

Most directors expressed frustrations and challenges with cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41% of respondents said their board had at least one director with cyber expertise, with an additional 7% who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.

A crucial additional challenge is obtaining clarity on the organization’s overall cyber risk management framework. (See Exhibit 1: Boards Need More Information on Cyber Investments.) Olga Botero, Director, Evertec, Inc., and Founding Partner, C&S Customers and Strategy, observed, “There are still many questions unanswered for boards, including:

  • How good is our security program?
  • How do we compare to peers?

There is a big lack of benchmarking on practices.” Anastassia Lauterbach, Director, Dun & Bradstreet, and member of Evolution Partners Advisory Board, summarized it well, “Boards need a set of KPIs for cybersecurity highlighting their company’s

  • unique business model,
  • legacy IT,
  • supplier and partner relationships,
  • and geographical scope.”

Nearly a quarter of boards are dissatisfied with the quality of management-provided information related to cybersecurity because of insufficient transparency, inability to benchmark and difficulty of interpretation.

EFFECTIVE OVERSIGHT IS BUILT ON A COMPREHENSIVE CYBER RISK MANAGEMENT FRAMEWORK

Organizations are maturing from a “harden the shell” approach to a protocol based on understanding and protecting core assets and optimizing resources. This includes the application of risk disciplines to assess and manage risk, including quantification and analytics. (See Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework.) Quantification shifts the conversation from a technical discussion about threat vectors and system vulnerabilities to one focused on maximizing the return on an organization’s cyber spending and lowering its total cost of risk.


Directors also emphasized the need to embed the process in an overall cyber risk management framework and culture. “The culture must emphasize openness and learning from mistakes. Culture and cyber risk oversight go hand in hand,” said Anastassia Lauterbach. Employees should be encouraged to flag and highlight potential cyber incidents, such as phishing attacks, as every employee plays a vital role in cyber risk management. Jan Babiak noted, “If every person in the organization doesn’t view themselves as a human firewall, you have a soft underbelly.” Mary Beth Vitale, Director, GEHA and CoBiz Financial, Inc., also noted, “Much of cyber risk mitigation is related to good housekeeping such as timely patching of servers and ongoing employee training and alertness.”

Boards also need to be alert. “Our board undertakes the same cybersecurity training as employees,” noted Wendy Webb, Director, ABM Industries. Other boards are putting cyber updates and visits to security centers on board “offsite” agendas.



NEWS


‘This Is Not a Passing Fad’: CFA Exam Adds Crypto, Blockchain Topics

Bloomberg | By Michael Patterson and Andrea Tan | Jul 16, 2018

It might be the definitive sign that cryptocurrencies have arrived on Wall Street. CFA Institute, whose grueling three-level program has helped train more than 150,000 financial professionals, is adding topics on cryptocurrencies and blockchain to its Level I and II curriculums for the first time next year. Material for the 2019 exams will be released in August, giving candidates their first opportunity to start logging a recommended 300 hours of study time. CFA added the topics, part of a new reading called Fintech in Investment Management, after industry participants showed surging interest in surveys and focus groups. The worlds of finance and crypto have become increasingly intertwined after last year’s Bitcoin boom, with regulated futures now trading in Chicago, blue-chip firms like Goldman Sachs Group Inc. dabbling in digital assets, and scores of Wall Streeters joining crypto-related startups. While digital coins have tumbled in 2018 and the real-world impact of blockchain ventures has thus far been limited, some observers say the technology could ultimately transform swathes of the global financial system. “We saw the field advancing more quickly ...
Binance Coin Burn Is Around The Corner – How The Coin Burn Works

Oracle Times | Andreas Townsend | Jul 9, 2018

The crypto world and the technology behind it are still intriguing for traders and investors from all over the world. A token burn is a common occurrence, and some crypto companies may decide to burn some of their tokens from the circulating supply for various reasons. This is known as coin burning, and it has been conducted by various token developers as a tool to increase demand. Binance is on the verge of its quarterly coin buyback and burn of its Ethereum-based token Binance Coin (BNB). The company’s whitepaper explained how the coin burn works and states that “every quarter, we will use 20% of our profits to buy back BNB and destroy them until we buy 50% of all the BNB (100MM) back. All buy-back transactions will be announced on the blockchain. We eventually will destroy 100MM BNB, leaving 100MM BNB remaining.” Binance initially created 200 million BNB, and promised that no more coins will ever be generated again. This structure is designed to make the coin more attractive to investors ...
Blockchain and the Future of Energy

North American Clean Energy | Jul 15, 2018

Blockchain is coming to the energy world and its impact will be massive. It will accelerate the transition to renewables and give us real and immediate ways to combat global warming, incentivize the production of renewable energy, and replace fossil fuels. What is blockchain? If you’ve heard of Bitcoin, blockchain is the technology that powers it. Blockchain allows data to be recorded on a distributed ledger in a way that cannot be changed. Why does it matter? The key benefit of blockchain as a technology is that it enables parties that do not know each other or trust each other to do business together and still feel secure. Applications running on the blockchain can take advantage of smart contracts that trigger certain events (for example, payment) when particular milestones are met – so long as some form of proof is presented that a particular milestone has been met. Together, blockchain as a technology, and the advent of smart contracts running on it, have the potential to change everything, much the same way that internet technology changed everything in the ...
Lifehacks for When a Robot Wants Your Job

BNN Bloomberg | Nisha Gopalan and Andy Mukherjee | Jul 14, 2018

(Bloomberg Opinion) -- Can’t code, or speak Bahasa? Didn’t go to school with a CEO’s son or daughter? A robot will take your trading seat. Read on if you want to save your job. The threat from automation is in the flows part of banks’ global markets business, the most important chunk of the biggest division of investment banking. Investment banks garner 70 percent of their revenue from global markets, made up of trading stocks and bonds, as well as structuring derivatives products and financing; the remaining 30 percent comes from advisory services like shepherding M&As or helping companies raise equity and debt. The higher-margin areas within markets – from structuring to swaps – are relationship-oriented, and therefore (relatively) safe from robot overlords. And they happen to be a big contributor to the 70 percent pie, especially in Asia, where commissions on equities and fixed-income trades are sinking fast, and language and client connections play a big role. Good news? Read on. With the flows business comprising 51 percent of banks’ global markets revenue of $109.8 billion last year, according to Coalition data, automation of even vanilla trades is no small threat. Besides, the 30 percent ...
Ontario Securities Commission “Doesn’t Really Know What’s Going On” in Blockchain Fintech, Says Lawyer

Crowdfund Insider | Cali Haan | Jul 9, 2018

The Ontario Securities Commission (OSC) published its 2018-2019 “Statement of Priorities” June 5th, but the document provides zero helpful guidance to Ontario companies trying to engage with cutting-edge blockchain-based financial technologies, says Toronto-based blockchain lawyer Amy ter Haar. The “OSC…Statement of Priorities for the Financial Year to End March 31, 2019” restates the commission’s ongoing commitment to investor protection, reduction of regulatory burden and the enhancement of staffing diversity. But according to ter Haar, when it comes to areas like ICOs (Initial Coin Offerings), “tokenized securities” and blockchain for fintech, the agency is painfully vague. “The entire investment community is looking to the OSC and CSA for guidance around blockchain and cryptocurrencies and it is disappointing that this hasn’t been highlighted as a priority,” wrote a frustrated ter Haar via LinkedIn. While it is clear from the “Statement of Priorities” that the OSC has many concerns in its purview, the document’s reliance on fuzzy platitudes regarding Fintech suggests sluggishness at the commission and the downright neglect of a growth industry supercharging across the globe: “There are two sides to industry health. Investor protection is just one side of it…However we categorize cryptocurrencies ...
Charlene Cieslik, Chief Anti-Money Laundering Officer of Coinsquare, Joins the National Crowdfunding & Fintech Association of Canada’s Advisory Group

About NCFA Canada | C. Asano | July 9, 2018

TORONTO, JUL 9, 2018 – The National Crowdfunding & Fintech Association of Canada (NCFA) today announced that Charlene Cieslik, Chief Anti-Money Laundering Officer (CAMLO) of Coinsquare, has joined the Association’s growing Advisory Group to advise on the areas of Compliance and Anti-Money Laundering. Charlene Cieslik is the Chief Anti-Money Laundering Officer of Coinsquare, Canada's most secure digital asset exchange for buying bitcoin, ethereum, and other digital currencies. During her 20-year career, Charlene has held roles as the Chief Compliance Officer, Chief Anti-Money Laundering Officer, Chief Anti-Bribery Officer, and Chief Privacy Officer at several Canadian and foreign scheduled banks, where she was responsible for the development, remediation, and execution of AML/ATF, anti-bribery, regulatory, and privacy programs. Charlene has worked with several “Big 4” accounting firms and a Canadian fintech company, where she has assisted global financial institutions with AML/ATF program development, particularly with post-regulatory exam remediation and AML/ATF investigations. Charlene holds a Master’s degree in Criminology from the University of Toronto, is a Certified Anti-Money Laundering Specialist, and was an original founder of the Toronto ACAMS Chapter. She has lectured as a Professor at Seneca College and currently teaches in ...
UK Government Ups Crowdfunding without Prospectus to €8 Million – Matching Germany

Crowdfund Insider | JD Alois | Jul 2, 2018

In a significant policy move by the UK government, the threshold for investment crowdfunding has been upped to €8 million, thus matching the recent change by Germany, which announced the same funding limit. This increase is due to a change in the Prospectus Directive. In the UK, there is no limit on how much a crowdfunding platform may raise online. But a rule requiring a full-blown prospectus at €5 million has, in effect, created a significant speed bump for investment crowdfunding platforms – one that has rarely been breached due to the cost of creating and complying with a prospectus requirement. The change announced today should have an important impact on UK crowdfunding platforms, as it will help make the online capital formation industry far more viable as issuers seek larger funding amounts raised via the issuance of securities online. In the early days of UK crowdfunding most issuers raised smaller seed round amounts. Today, issuers span a far wider range of funding requirements from seed stage to scale up. Frequently, these offerings are done in partnership with professional investors such as VCs or experienced angels. ...
Today in FinTech: Skrumble Network raises $19 million CAD in ICO, Goldmoney partners with Malbex Resources

Betakit | By Amira Zubairi | Jul 4, 2018

Several Canadian FinTechs have made announcements on the growth of their companies, launching new features and partnerships. Here’s the latest on these company updates. Toronto-based Skrumble Network, which aims to create secure connections for communication, raised $19.96 million ($15 million USD) through its token crowd-sale. Skrumble Network said it raised the funding for its communication-centric blockchain network that will provide developers the infrastructure to build messaging apps. The company wants to help developers build messaging apps that feature secure connections, real-time voice and video calling, wallet integrations for in-context money transfers, and the ability to edit, save, and unsend messages. Skrumble Network said its broader goal is to address data privacy concerns and allow users to take back ownership of their personal data. The company uses a consensus-based algorithm derived from unique session IDs, which enable private peer-to-peer connections. “Social media has completely changed the face of communication, and now, data privacy and ownership is one of the biggest concerns of this time. 2.2 billion users around the world have trusted Facebook with their information; 87 million of those users received a wake-up call…when they got ...
Six Aussie fintech lenders sign on to code of practice to help SMEs get better loans

SmartCompany | Dominic Powell | Jul 2, 2018

A raft of Australian fintechs have signed a newly minted code of practice to improve transparency and bolster confidence in the small business lending space. Released on Friday, the code was formulated and backed by Australia’s Small Business Ombudsman Kate Carnell, the Australian Finance Industry Association (AFIA), FinTech Australia, and lending advisory and SME advocate thebankdoctor.org, operated by Neil Slonim. Leading small business lending fintechs Capify, GetCapital, Moula, OnDeck, Prospa and Spotcap were all signatories to the code, which will require them to comply with a series of best practice principles when dealing with SME customers. Alongside pledging to meet all current legal and regulatory requirements for small business lending, the signatories have also agreed to introduce an easy-to-understand loan summary and contribute to a price comparison document being produced by the code’s organisers. This document will simply lay out all costs and fees associated with the fintech’s loans, including the total repayment amount, annual percentage rate, and the simple annual interest rate. Failure to comply with the code will see the offending fintech lender subject to an independent Code Compliance ...
FCA publishes update on wide-ranging review of retail banking sector

WiredGov UK | FCA | Jun 28, 2018

The Financial Conduct Authority (FCA) yesterday published an update on its Strategic Review of Retail Banking Business Models. The Review is an in-depth and wide-ranging piece of work to give the FCA a greater understanding of retail banks’ business models, and how these may change in the future. This includes looking at how personal current accounts (PCAs) are paid for, the possible impact of technological and regulatory developments such as Open Banking and changes to payment services due to the revised Payment Services Directive (PSD2). It sets out the progress made on the analysis of the issues and planned next steps. The review is also critical to the FCA’s work on overdrafts. The FCA has already expressed concerns that some potentially vulnerable people are paying significantly more for their current accounts through unarranged overdraft charges and fees. In May this year, the FCA proposed a set of potential changes on overdrafts for discussion as part of its high cost credit work and will consult on any changes later this year. The review shows that most current account customers contribute to their bank’s profits, but ...



The National Crowdfunding & Fintech Association of Canada (NCFA Canada) is a cross-Canada non-profit actively engaged with cryptocurrency, blockchain, crowdfunding, alternative finance, fintech, P2P, ICO, STO, and online investing stakeholders globally. NCFA Canada provides education, research, industry stewardship, services, and networking opportunities to thousands of members and subscribers and works closely with industry, government, academia, community and eco-system partners and affiliates to create a strong and vibrant crowdfunding and fintech industry. For more information, please visit: www.ncfacanada.org
