Global Governance Insights on Emerging Risks

Bleu Azur Consulting | June 17, 2018

[Figure: Direct and indirect costs of cyberattacks]

A HEIGHTENED FOCUS ON RESPONSE AND RECOVERY

Over a third of directors of US public companies now discuss cybersecurity at every board meeting. Cyber risks are being driven onto the agenda by

  • high-profile data breaches,
  • distributed denial-of-service (DDoS) attacks,
  • and rising ransomware and cyber extortion attacks.

The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15% of that loss is currently covered by insurance.

MMC Global Risk Center conducted research and interviews with directors from WCD to understand the scope and depth of cyber risk management discussions in the boardroom. The risk of cyberattack is a constantly evolving threat and the interviews highlighted the rising focus on resilience and recovery in boardroom cyber discussions. Approaches to cyber risks are maturing as organizations recognize them as an enterprise business risk, not just an information technology (IT) problem.

However, board focus varies significantly across industries, geographies, organization size and regulatory context. For example, business executives ranked cyberattacks among the top five risks of doing business in the Asia Pacific region but Asian organizations take 1.7 times longer than the global median to discover a breach and spend on average 47% less on information security than North American firms.

REGULATION ON THE RISE

Tightening regulatory requirements for cybersecurity and breach notification across the globe such as

  • the EU GDPR,
  • China’s new Cyber Security Law,
  • and Australia’s Privacy Amendment,

are also propelling cyber onto the board agenda. Most recently, in February 2018, the USA’s Securities and Exchange Commission (SEC) provided interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of cyber risks. Industries such as

  • financial services,
  • telecommunications,
  • and utilities,

are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity.

Kris Manos, Director, KeyCorp, Columbia Forest Products, and Dexter Apache Holdings, observed, “The manufacturing sector is less advanced in addressing cyber threats; the NotPetya and WannaCry attacks flagged that sector’s vulnerability and has led to a greater focus in the boardroom.” For example, the virus forced a transportation company to shut down all of its communications with customers and also within the company. It took several weeks before business was back to normal, and the loss of business was estimated to have been as high as US$300 million. Overall, it is estimated that as a result of supply chain disruptions, consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities reportedly suffered, in aggregate, over US$1 billion in economic losses from the NotPetya attacks. Also, as Cristina Finocchi Mahne, Director, Inwit, Italiaonline, Banco Desio, Natuzzi and Trevi Group, noted, “The focus on cyber can vary across industries depending also on their perception of their own clients’ concerns regarding privacy and data breaches.”

LESSONS LEARNED: UPDATE RESPONSE PLANS AND EVALUATE THIRD-PARTY RISK

The high-profile cyberattacks in 2017, along with new and evolving ransomware onslaughts, were learning events for many organizations. Lessons included the need to establish relationships with organizations that can assist in the event of a cyberattack, such as

  • law enforcement,
  • regulatory agencies
  • and recovery service providers, including forensic accountants and crisis management firms.

Many boards need to increase their focus on their organization’s cyber incident response plans. A recent global survey found that only 30% of companies have a cyber response plan and a survey by the National Association of Corporate Directors (NACD) suggests that only 60% of boards have reviewed their breach response plan over the past 12 months. Kris Manos noted, “[If an attack occurs,] it’s important to be able to quickly access a response plan. This also helps demonstrate that the organization was prepared to respond effectively.”

Experienced directors emphasized the need for effective response plans alongside robust cyber risk mitigation programs to ensure resilience, as well as operational and reputation recovery. As Jan Babiak, Director, Walgreens Boots Alliance, Euromoney Institutional Investor, and Bank of Montreal, stressed, “The importance of the ’respond and recover’ phase cannot be overstated, and this focus needs to rapidly improve.”

Directors need to review how the organization will communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders including customers, suppliers, regulators, employees, the board, shareholders, and even the general public. The plan should also consider legal requirements around timelines to report breaches so the organization is not hit with financial penalties that can add to an already expensive and reputationally damaging situation. Finally, the response plan also needs to consider that normal methods of communication (websites, email, etc.) may be casualties of the breach. A cyber response plan housed only on the corporate network may be of little use in a ransomware attack.

Other lessons included the need to focus on cyber risks posed by third-party suppliers, vendors and other impacts throughout the supply chain. Shirley Daniel, Director, American Savings Bank, and Pacific Asian Management Institute, noted, “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain.” Survey data suggests that about a third of organizations do not assess the cyber risk of vendors and suppliers. This is a critical area of focus as third-party service providers (e.g., software providers, cloud services providers, etc.) are increasingly embedded in value chains.

FRUSTRATIONS WITH OVERSIGHT

Most directors expressed frustrations and challenges with cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41% of respondents said their board had at least one director with cyber expertise, with an additional 7% who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.

A crucial additional challenge is obtaining clarity on the organization’s overall cyber risk management framework. (See Exhibit 1: Boards Need More Information on Cyber Investments.) Olga Botero, Director, Evertec, Inc., and Founding Partner, C&S Customers and Strategy, observed, “There are still many questions unanswered for boards, including:

  • How good is our security program?
  • How do we compare to peers?

There is a big lack of benchmarking on practices.” Anastassia Lauterbach, Director, Dun & Bradstreet, and member of Evolution Partners Advisory Board, summarized it well, “Boards need a set of KPIs for cybersecurity highlighting their company’s

  • unique business model,
  • legacy IT,
  • supplier and partner relationships,
  • and geographical scope.”

Nearly a quarter of boards are dissatisfied with the quality of management-provided information related to cybersecurity because of insufficient transparency, inability to benchmark and difficulty of interpretation.

EFFECTIVE OVERSIGHT IS BUILT ON A COMPREHENSIVE CYBER RISK MANAGEMENT FRAMEWORK

Organizations are maturing from a “harden the shell” approach to a protocol based on understanding and protecting core assets and optimizing resources. This includes the application of risk disciplines to assess and manage risk, including quantification and analytics. (See Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework.) Quantification shifts the conversation from a technical discussion about threat vectors and system vulnerabilities to one focused on maximizing the return on an organization’s cyber spending and lowering its total cost of risk.

[Figure: Cyber risk management process]

Directors also emphasized the need to embed the process in an overall cyber risk management framework and culture. “The culture must emphasize openness and learning from mistakes. Culture and cyber risk oversight go hand in hand,” said Anastassia Lauterbach. Employees should be encouraged to flag and highlight potential cyber incidents, such as phishing attacks, as every employee plays a vital role in cyber risk management. Jan Babiak noted, “If every person in the organization doesn’t view themselves as a human firewall, you have a soft underbelly.” Mary Beth Vitale, Director, GEHA and CoBiz Financial, Inc., also noted, “Much of cyber risk mitigation is related to good housekeeping such as timely patching of servers and ongoing employee training and alertness.”

Boards also need to be alert. “Our board undertakes the same cybersecurity training as employees,” noted Wendy Webb, Director, ABM Industries. Other boards are putting cyber updates and visits to security centers on board “offsite” agendas.
