Global Governance Insights on Emerging Risks


Bleu Azur Consulting | June 17, 2018

A HEIGHTENED FOCUS ON RESPONSE AND RECOVERY

Over a third of directors of US public companies now discuss cybersecurity at every board meeting. Cyber risks are being driven onto the agenda by

  • high-profile data breaches,
  • distributed denial-of-service (DDoS) attacks,
  • and rising ransomware and cyber extortion attacks.

The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15% of that loss is currently covered by insurance.

MMC Global Risk Center conducted research and interviews with directors from WCD to understand the scope and depth of cyber risk management discussions in the boardroom. The risk of cyberattack is a constantly evolving threat and the interviews highlighted the rising focus on resilience and recovery in boardroom cyber discussions. Approaches to cyber risks are maturing as organizations recognize them as an enterprise business risk, not just an information technology (IT) problem.

However, board focus varies significantly across industries, geographies, organization size and regulatory context. For example, business executives ranked cyberattacks among the top five risks of doing business in the Asia Pacific region but Asian organizations take 1.7 times longer than the global median to discover a breach and spend on average 47% less on information security than North American firms.

REGULATION ON THE RISE

Tightening regulatory requirements for cybersecurity and breach notification across the globe such as

  • the EU GDPR,
  • China’s new Cyber Security Law,
  • and Australia’s Privacy Amendment,

are also propelling cyber onto the board agenda. Most recently, in February 2018, the USA’s Securities and Exchange Commission (SEC) provided interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of cyber risks. Industries such as

  • financial services,
  • telecommunications
  • and utilities,

are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity.


Kris Manos, Director, KeyCorp, Columbia Forest Products, and Dexter Apache Holdings, observed, “The manufacturing sector is less advanced in addressing cyber threats; the NotPetya and WannaCry attacks flagged that sector’s vulnerability and has led to a greater focus in the boardroom.” For example, the virus forced a transportation company to shut down all of its communications with customers and also within the company. It took several weeks before business was back to normal, and the loss of business was estimated to have been as high as US$300 million. Overall, it is estimated that as a result of supply chain disruptions, consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities reportedly suffered, in aggregate, over US$1 billion in economic losses from the NotPetya attacks. Also, as Cristina Finocchi Mahne, Director, Inwit, Italiaonline, Banco Desio, Natuzzi and Trevi Group, noted, “The focus on cyber can vary across industries depending also on their perception of their own clients’ concerns regarding privacy and data breaches.”

LESSONS LEARNED: UPDATE RESPONSE PLANS AND EVALUATE THIRD-PARTY RISK

The high-profile cyberattacks in 2017, along with new and evolving ransomware onslaughts, were learning events for many organizations. Lessons included the need to establish relationships with organizations that can assist in the event of a cyberattack, such as

  • law enforcement,
  • regulatory agencies,
  • and recovery service providers, including forensic accountants and crisis management firms.

Many boards need to increase their focus on their organization’s cyber incident response plans. A recent global survey found that only 30% of companies have a cyber response plan and a survey by the National Association of Corporate Directors (NACD) suggests that only 60% of boards have reviewed their breach response plan over the past 12 months. Kris Manos noted, “[If an attack occurs,] it’s important to be able to quickly access a response plan. This also helps demonstrate that the organization was prepared to respond effectively.”

Experienced directors emphasized the need for effective response plans alongside robust cyber risk mitigation programs to ensure resilience, as well as operational and reputation recovery. As Jan Babiak, Director, Walgreens Boots Alliance, Euromoney Institutional Investor, and Bank of Montreal, stressed, “The importance of the ’respond and recover’ phase cannot be overstated, and this focus needs to rapidly improve.”

Directors need to review how the organization will communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders including customers, suppliers, regulators, employees, the board, shareholders, and even the general public. The plan should also consider legal requirements around timelines to report breaches so the organization is not hit with financial penalties that can add to an already expensive and reputationally damaging situation. Finally, the response plan also needs to consider that normal methods of communication (websites, email, etc.) may be casualties of the breach. A cyber response plan housed only on the corporate network may be of little use in a ransomware attack.

Other lessons included the need to focus on cyber risks posed by third-party suppliers, vendors and other impacts throughout the supply chain. Shirley Daniel, Director, American Savings Bank, and Pacific Asian Management Institute, noted, “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain.” Survey data suggests that about a third of organizations do not assess the cyber risk of vendors and suppliers. This is a critical area of focus as third-party service providers (e.g., software providers, cloud services providers, etc.) are increasingly embedded in value chains.


FRUSTRATIONS WITH OVERSIGHT

Most directors expressed frustrations and challenges with cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41% of respondents said their board had at least one director with cyber expertise, with an additional 7% who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.

A crucial additional challenge is obtaining clarity on the organization’s overall cyber risk management framework. (See Exhibit 1: Boards Need More Information on Cyber Investments.) Olga Botero, Director, Evertec, Inc., and Founding Partner, C&S Customers and Strategy, observed, “There are still many questions unanswered for boards, including:

  • How good is our security program?
  • How do we compare to peers?

There is a big lack of benchmarking on practices.” Anastassia Lauterbach, Director, Dun & Bradstreet, and member of Evolution Partners Advisory Board, summarized it well, “Boards need a set of KPIs for cybersecurity highlighting their company’s

  • unique business model,
  • legacy IT,
  • supplier and partner relationships,
  • and geographical scope.”

Nearly a quarter of boards are dissatisfied with the quality of management-provided information related to cybersecurity because of insufficient transparency, inability to benchmark and difficulty of interpretation.

EFFECTIVE OVERSIGHT IS BUILT ON A COMPREHENSIVE CYBER RISK MANAGEMENT FRAMEWORK

Organizations are maturing from a “harden the shell” approach to a protocol based on understanding and protecting core assets and optimizing resources. This includes the application of risk disciplines to assess and manage risk, including quantification and analytics. (See Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework.) Quantification shifts the conversation from a technical discussion about threat vectors and system vulnerabilities to one focused on maximizing the return on an organization’s cyber spending and lowering its total cost of risk.


Directors also emphasized the need to embed the process in an overall cyber risk management framework and culture. “The culture must emphasize openness and learning from mistakes. Culture and cyber risk oversight go hand in hand,” said Anastassia Lauterbach. Employees should be encouraged to flag and highlight potential cyber incidents, such as phishing attacks, as every employee plays a vital role in cyber risk management. Jan Babiak noted, “If every person in the organization doesn’t view themselves as a human firewall, you have a soft underbelly.” Mary Beth Vitale, Director, GEHA and CoBiz Financial, Inc., also noted, “Much of cyber risk mitigation is related to good housekeeping such as timely patching of servers and ongoing employee training and alertness.”

Boards also need to be alert. “Our board undertakes the same cybersecurity training as employees,” noted Wendy Webb, Director, ABM Industries. Other boards are putting cyber updates and visits to security centers on board “offsite” agendas.
