
Page 1: RiskSpotlight Insight · against Vijay Mallya (Link) 4. Singapore banks to share data with regulators in standard format to identify transactions involving money laundering and terrorism

RiskSpotlight Insight – Insights on Operational Risks

May 2018

Page 2

About RiskSpotlight Insight

The objective of RiskSpotlight Insight is to provide analysis to operational risk practitioners on emerging operational risk topics that should be on their organisation’s radar. This is part of the Platinum offering.

There is a significant volume of information being published on the internet in connection with operational risk topics. However, operational risk practitioners do not have the bandwidth to review this vast amount of information and structure it in a format which can be easily utilised for prioritising their risk management efforts.

RiskSpotlight Insight aims to address the above business challenge through detailed analysis of news articles covered within the RiskSpotlight Portal, extracting key insights and presenting these to practitioners.

Page 3

About the Sections

• Key OpRisk Topics – Level 1: In this section, the key topics which should be on your operational risk radar are presented by Risk Category & Region. The listed topics have been covered in the media over the last 2 months and/or are expected to stay on the radar over the next 12 months.

• Key OpRisk Topics – Level 2: In this section, additional details about the topics covered in the Level 1 section are provided. Recent key operational risk loss incidents are also covered in this section.

• Deep Dive: In this section, the RiskSpotlight team highlights key aspects of the TSB System Failure, Cyber Insurance & Vendor Risk Management. The presented topics are selected from extensive research on news articles related to these topics.

Page 4

Key OpRisk Topics – Level 1

Business Process Execution Failures
- Global: FM Index of resilient countries. Switzerland, Luxembourg & Sweden are most resilient.
- Europe: Failures of legacy systems at large firms; Regulatory focus on operational resilience in UK
- N. America: Failures of legacy systems at large firms
- S. America: No topics for this reporting period
- Asia Pacific: Regulatory probe of stock market systems in South Korea; Failure of legacy systems in large firms
- Africa: $632 mn error in Swaziland Government’s bank account
- Middle East: No topics for this reporting period

Damage to Tangible & Intangible Assets
- Global: More frequent extreme weather events; Hackers targeting critical infrastructure; Terrorism
- Europe: Regulatory focus on operational resilience; Increase in flooding risks in Europe due to climate change
- N. America: FINRA focus on BCP; California more prone to extreme weather in future
- S. America: Social unrest in Brazil; Increase in bank thefts using explosives
- Asia Pacific: North & South Korea peace talks; Natural disaster could cost region $160bn per year
- Africa: Floods in Kenya kill 132; ATM robberies using explosives
- Middle East: Syrian crisis; Missile attack on Saudi Arabia; Oil infrastructure target of cyber attacks

Employment Practices & Workplace Safety
- Global: #MeToo movement going global; Bill Gates warns of 30 mn deaths in 6 months from pandemic
- Europe: EC proposes whistleblower protection law; Focus on gender pay gap in UK
- N. America: Increased reporting on sexual harassment; BoA says 151 employees affected by mass shootings
- S. America: Threat to employees during bank robberies using explosives
- Asia Pacific: Pollution levels in Indian cities; Japan addresses “death by overwork” problem
- Africa: Ebola case found in urban area in Congo; Death toll from Listeria outbreak in S Africa rises to 200
- Middle East: Omani women raise awareness on workplace discrimination

External Theft & Fraud
- Global: Phishing as top threat; Rise in ransomware; AI for controls; Money laundering & terrorism financing
- Europe: Sanctions on Russia & Iran; UK & Latvia as money laundering hubs
- N. America: Sanctions on Russia & Iran; FINRA focus on senior investor fraud; AML tops FINRA fines
- S. America: Theft of ATM using explosives; Large cash withdrawal from 5 Mexican banks by cyber criminals
- Asia Pacific: Large scale loan frauds in India; Banks & regulators agree standard data format (Singapore)
- Africa: Mobile money fraud; Fines + name & shame for breach of regulation in Mozambique
- Middle East: Card fraud over $45mn (UAE, Oman); Implementation of blockchain to prevent check fraud

Improper Business Practices
- Global: Misuse of information by Facebook. Banks need to consider their usage and sharing of customer data.
- Europe: GDPR enforcement; Barclays boss fined for ‘conduct breach’; PPI deadline announced
- N. America: GDPR enforcement; Spotlight on Wells Fargo; FINRA focus on sales of complex products
- S. America: New overdraft rules in Brazil
- Asia Pacific: Royal Commission (Aus) probe on misconduct; Indian banks under spotlight for conduct
- Africa: Fines + name & shame for breach of regulation in Mozambique
- Middle East: Regulatory focus on financial mis-selling in UAE; Qatar investigates market manipulation

Internal Theft & Fraud
- Global: Continued focus on bribery; New IMF Anti-Corruption Framework
- Europe: Rise of senior executive fraud in UK; London in IMF spotlight for money laundering
- N. America: Fidelity fires 200 employees for misuse of benefits; Wells Fargo settles shareholder suit
- S. America: Significant increase in anti-corruption enforcement in Brazil; Region No.1 in FCPA enforcement
- Asia Pacific: Staff and audit collusion on loan fraud in India; China No.2 in FCPA enforcements
- Africa: Political corruption; Large fraud at VBS Mutual Bank; Internal fraud rises by 56.30% in Nigeria
- Middle East: Anti-corruption drive in Saudi Arabia; Region No.3 in FCPA enforcements

Technology Failures & Damages
- Global: Supply chain attacks; AI for controls; Theft of processing power for coin mining; Cyber attack by state
- Europe: New BOE cyber standard in UK; GDPR enforcement; New ECB framework to test cyber resilience
- N. America: US top target for cyber attacks; GDPR enforcement; New guidance on cyber insurance in US
- S. America: Cyber attackers target 5 Mexican banks
- Asia Pacific: China 2nd and India 3rd most targeted for cyber attacks; Asia is largest target for ransomware
- Africa: Lack of skills to deal with cyber risks; Warning on impending cyber attack on Nigerian banks
- Middle East: Cyber attacks to sabotage oil infrastructure; Most firms using basic security measures

Vendor Failures & Damages
- Global: Third-party data breaches; Currency fluctuations and impact on supply chain costs
- Europe: Regulatory focus on supply chain & outsourcing; Brexit impact on supply chain
- N. America: Regulatory focus on third-party risks; H1B visa restrictions; Few focus on 4th & 5th parties
- S. America: No topics for this reporting period
- Asia Pacific: Concentration of IT vendors in India
- Africa: No topics for this reporting period
- Middle East: No topics for this reporting period

Page 5

Key OpRisk Topics – Level 2

External Theft & Fraud – Global
1. Phishing as top threat (Link)
2. Rise in ransomware (Link)
3. Organisations looking to apply AI for controls
4. Money laundering & terrorism financing
5. 53% of thefts of consumers’ identity data are “non-digital” (Link)
6. 1.5bn sensitive files are visible on the open internet (Link)

External Theft & Fraud – Europe
1. Implementing additional sanctions against Russia
2. Impact on European firms of US sanctions on Iran (Link)
3. Danish regulator finds serious weaknesses in Danske Bank’s money-laundering controls (Link)
4. Overhaul of banks in Latvia to address money laundering (Link)
5. Over £90bn a year is laundered through UK (Link)
6. Data of 15,000 customers stolen from Sheffield Credit Union using cyber attack (Link)

Internal Theft & Fraud – Global
1. Continued focus on bribery
2. IMF publishes new Anti-Corruption Framework (Link)
3. EY Survey – 91% of respondents said they will be using advanced technology regularly within the next 2 years (Link)
4. $11bn of fines issued globally under the FCPA by US, and UK Serious Fraud Office since 2012 (Link)

Internal Theft & Fraud – Europe
1. EY Survey – 34% of UK respondents stated corrupt practices happen widely. Increase from 18% in 2014 (Link)
2. Rise of senior executive fraud (UK) (Link)
3. Ex-CFO of Autonomy found guilty of accounting fraud (Link)
4. National Crime Agency considers fresh criminal investigation into HBOS fraud (Link)
5. City of London comes under spotlight of IMF crackdown on corruption (Link)
6. Britain reviews powers of its accounting watchdog (Link)

External Theft & Fraud – N. America
1. Implementing additional sanctions against Russia
2. 2018 FINRA priorities – fraud targeting senior investors (Link)
3. US experienced record high 1,579 data breaches in 2017 exposing 179 mn records – increase of 44.7% over 2016. 134 breaches in financial services sector (Link)
4. AML cases resulted in the most FINRA fines in 2017 (Link)

Internal Theft & Fraud – N. America
1. CEO of New York’s oldest credit union faces fraud and embezzlement charges (Link)
2. Wells Fargo agrees to pay $480mn to settle shareholder suits (Link)
3. Wells Fargo launches new marketing campaign to rebuild trust after fake account scandal (Link)
4. EY Survey – 18% of US respondents stated corrupt practices happen widely. Decrease from 22% in 2014 (Link)
5. Fidelity fired 200 employees for misuse of workplace-benefit programs (Link)

External Theft & Fraud – S. America
1. Wave of bank robberies in Brazil using explosives (Link)
2. 5 Mexican banks experienced large cash withdrawals (Link)
3. Brazilian investigators conduct the biggest anti-graft operation targeting money laundering (Link)

Internal Theft & Fraud – S. America
1. EY Survey – Significant increase in anti-corruption enforcement in last 3 years in Brazil (Link)
2. EY Survey – 96% of respondents from Brazil state that bribery/corrupt practices occur widely in business. Increase from 70% in 2014 (Link)
3. EY Survey – Latin America No.1 in FCPA enforcement in last 4 years (Link)
4. Political corruption
5. Senior executive corruption

External Theft & Fraud – Asia Pacific
1. Large scale loan frauds in India
2. PNB loan fraud involving $2bn in India (Link)
3. 13 Indian banks win $1.55 bn case against Vijay Mallya (Link)
4. Singapore banks to share data with regulators in standard format to identify transactions involving money laundering and terrorism financing (Link)

Internal Theft & Fraud – Asia Pacific
1. Staff and audit collusion on loan fraud in India
2. Indian watchdog focus on senior retired bank officials accused of corruption (Link)
3. Adoption of forensic audit of potential CEO hires (Link)
4. EY Survey – China No.2 in FCPA enforcements in last 4 years (Link)
5. Samsung Biologics market value drops by $6 bn after revelation of accounting scandal (Link)
6. Chinese insurer Anbang’s ex-boss jailed 18 years for fraud (Link)

External Theft & Fraud – Africa
1. Majority of banks in Nigeria failed in anti-money laundering system examination by regulator (Link)
2. Rise in mobile fraud in Kenya (Link)
3. Central Bank of Nigeria issues tougher sanctions against money laundering (Link)
4. Lost and/or stolen credit card fraud increases by 44.5% in South Africa in 2017 (Link)
5. Fines + name & shame for breach of regulation in Mozambique (Link)

Internal Theft & Fraud – Africa
1. Political corruption uncovered by bribery scandal (Link)
2. Senior executive corruption
3. Large scale fraud involving depositors and Directors led to collapse of Imperial Bank in Kenya (Link)
4. KPMG continues to lose clients in South Africa after audit shortcomings for Guptas (Link)
5. Large scale fraud at VBS Mutual Bank in South Africa (Link)
6. Internal fraud cases rise by 56.30% to 26,182 for 2017 in Nigeria (Link)

External Theft & Fraud – Middle East
1. UAE warns investors not to deal with Financial.org (Link)
2. National Bank of Dubai becomes the first bank in the region to implement Blockchain to prevent check fraud (Link)
3. 2 leading banks in UAE and Oman saw their cards being used to steal over $45mn from ATMs in more than 25 countries (Link)
4. Bank’s money laundering controls blocking aid effort in Yemen (Link)

Internal Theft & Fraud – Middle East
1. Anti-corruption drive in Saudi Arabia (Link)
2. EY Survey – Middle East No.3 in FCPA enforcements in last 4 years (Link)
3. Abu Dhabi’s Al Hilal Bank uncovered internal fraud worth $136 mn (Link)

Note for this section: Topics in red font colour indicate information about an operational risk incident. Topics in black font colour indicate key OpRisk topics.

Page 6

Key OpRisk Topics – Level 2

Technology Failures & Damages – Global
1. Cyber criminals exploiting the channels used to apply security patches in order to attack (Link)
2. Organisations looking to apply AI for controls
3. Theft of processing power for coin mining (Link)
4. 1.5bn sensitive files are visible on the open internet (Link)
5. Cyber attacks by state
6. Best practices: Chaos engineering, multiple layers of redundancy, embrace transparency (Link)
7. Study: Ransomware continues to be popular method used by cybercriminals to solicit money (Link)
8. Report: There will be a ransomware attack on a business every 14 seconds by end of 2019 (Link)
9. Buffett cautious on cyber insurance (Link)
10. Study: Cyber incidents result in increase in debt, drop in credit rating and cash flow volatility (Link)
11. FM Index of resilient countries (Link). Switzerland, Luxembourg and Sweden are most resilient countries.
12. How cyber insurance firms detect next big cyber attacks (Link)
13. Study: Employees unsure about their role in cyber security (Link)

Technology Failures & Damages – Europe
1. BOE preparing new cyber standard for UK (Link)
2. GDPR enforcement
3. Regulatory focus on operational resilience in UK
4. ECB publishes new framework to conduct tests against cyber attacks (Link)
5. 231% increase in ATM malware in Europe during 2017. 192 attacks in 2017 vs. 58 in 2016. (Link)
6. 4 weeks of system outage at TSB (UK)
7. Cyber risks could create jobs in Northern Ireland (Link)
8. Data of 15,000 customers stolen from Sheffield Credit Union using cyber attack (Link)
9. 85% of UK respondents said their firm has spent more on tackling cyber risks in 2017 – 14% reporting a significant rise (Link)
10. Rise in state sponsored cyber attacks in Finland (Link)
11. A pro-Erdogan Turkish hacker team is behind cyber attacks in Europe (Link)
12. NCSC announces new cyber attack classification system in UK (Link)
13. EBS and Ulster hit by glitch, payment problems (Link)

Technology Failures & Damages – N. America
1. US top target for cyber attacks (Link)
2. US agencies warn about Russian government actors targeting US critical infrastructure (Link)
3. Federal bank regulators issue guidance on cyber insurance (Link)
4. GDPR enforcement
5. FINRA 2018 priorities – BCP, Technology Governance, Cybersecurity (Link)
6. 30 hours system outage at BB&T impacting customers (Link)
7. Disruption to IRS website (Link)
8. Study: Impacts of long-lasting cloud downtime (Link)
9. Customers of TD Bank impacted by technical glitch (Link)
10. US pull-back from Iran deal may increase cyber-attacks (Link)
11. US cyber premiums reach $2.1bn in 2017 – 54% growth from 2016 (Link)
12. US Energy industry vulnerable to cyber attacks – invests less than 0.2% of its revenue on cyber security (Link)

Technology Failures & Damages – S. America
1. Cyber attackers attempted to penetrate Mexico’s electronic payment systems (Link)
2. 5 Mexican banks experienced large cash withdrawals (Link)

Technology Failures & Damages – Asia Pacific
1. China 2nd and India 3rd most targeted for cyber attacks (Link)
2. Customers of ME Bank impacted by planned maintenance overrun and unplanned downtime (Link)
3. 10 government websites in India suffer from cyber attack (Link)
4. Customers of Commonwealth Bank impacted by 24 hour system outage (Link)
5. Study: Asia Pacific region has greatest number of ransomware encounters (Link)
6. Customers of ANZ impacted due to technical glitch (Link)
7. Thailand updating data privacy law by end of 2018 (Link)
8. Philippines lagging in cyber defence (Link)
9. China suffers shortfall of 700,000 online security experts, expected to double to 1.4 mn in 2020 (Link)
10. Hong Kong online trading companies comply with new rules on cyber risks (Link)
11. Adoption of cyber insurance rising in India (Link)
12. IT glitches hit PNB’s core banking system and ATMs (Link)
13. Major data breach across Asia predicted in next 2 years (Link)

Technology Failures & Damages – Africa
1. Lack of capacity/skills to deal with cyber risks (Link)
2. 3 day outage at National Bank of Kenya due to network links impacted by bad weather (Link)
3. Up to 95% of cyber crimes go unreported in Uganda (Link)
4. Report – Africa lost an estimated $3.5 bn in 2017 from cyber crimes (Link)
5. Study – 94% of companies in Middle East and Africa suffered a breach in 2017 and 34% of breaches resulted in more than half of systems being impacted (Link)
6. Research – 52% of IT Decision Makers in South Africa admitted their organisations were lacking a proper security plan (Link)
7. Cyber-crime to cost Ghana $100 mn in 2018 (Link)
8. N150 bn of depositors’ monies at risk in Nigeria from cyber attacks (Link)

Technology Failures & Damages – Middle East
1. Cyber attacks to sabotage oil infrastructure
2. Study: 80% of large Gulf firms still use username and passwords for log-in (Link)
3. 41% of Gulf enterprises hacked in past 12 months (Link)
4. UAE TRA foils over 80 cyber threats in two months (Link)
5. Iran hit by global cyber attack (Link)
6. Study – 94% of companies in Middle East and Africa suffered a breach in 2017 and 34% of breaches resulted in more than half of systems being impacted (Link)

Page 7

Key OpRisk Topics – Level 2

Improper Business Practices – Global
1. Misuse of information by Facebook. Banks need to consider how they handle customer data and share this with third parties.

Improper Business Practices – Europe
1. Potential GDPR enforcements over the next 6-12 months
2. Regulatory focus on conduct risks (UK)
3. European banks’ post-crisis litigation could cost $100 bn (Link)
4. FCA draws ire of SMBs mistreated by big banks (Link)
5. Germany sees difficulties in shielding firms after US exits Iran deal (Link)
6. 5 traders from Barclays and Deutsche Bank appear in first Euribor-rigging trial (Link)
7. Barclays boss fined £642,000 for ‘conduct breach’ (Link)
8. Report on HBOS collapse prompts scrutiny of bosses’ conduct (Link)
9. Central Bank in Ireland keeps all angles open in its enforcement investigations on behaviour of banks on tracker mortgages (Link)
10. Aug 2019 deadline set for PPI claims by FCA (Link)
11. Danske Bank faces heat over how the management culture resulted in its Estonia branch being used for money laundering (Link)

Improper Business Practices – N. America
1. Potential GDPR enforcements over the next 6-12 months
2. FINRA 2018 priorities – Sales to unsophisticated + senior investors by high risk firms and brokers, Sales of complex financial products (Link)
3. Wells Fargo fined $1bn for forced auto insurance (Link)
4. Wells Fargo agrees to pay $480m to settle shareholder suits (Link)
5. US investigating Dutch bank executives for drug money laundering (Link)
6. China Merchant Bank faces suit over racial discrimination against African-American customers (Link)
7. RBS reaches $4.9 bn deal to settle U.S. mortgage bond investigation (Link)
8. Societe Generale ready to pay $1 bn to end US probes covering Libor and Libyan investigations (Link)
9. Goldman Sachs agrees to pay $110 mn to settle forex case (Link)

Improper Business Practices – S. America
1. New overdraft rules in Brazil (Link)

Improper Business Practices – Asia Pacific
1. Royal Commission probe on misconduct of Australian banks. Interim report due in Sep 2018 and final report in Feb 2019. Summary of the findings and consequences so far (Link)
2. Concerns from misconduct of Australian banks spilling over in New Zealand (Link)
3. New banking code of practice in Australia (Link)
4. CBA to pay $3mn over unjustified financial advice fees (Link)
5. Inquiry finds CBA involved in widespread insurance mis-selling (Link)
6. Chinese insurer Anbang’s ex-boss jailed 18 years for fraud (Link)
7. UBS Securities Asia reprimanded and fined $4.5 mn in Hong Kong (Link)
8. Indian banks under spotlight for conduct

Improper Business Practices – Africa
1. Fines + name & shame for breach of regulation in Mozambique (Link)

Improper Business Practices – Middle East
1. Regulatory focus on financial mis-selling in UAE (Link)
2. Bahrain accuses Future Bank of helping Iran bust sanctions (Link)
3. Qatar’s market manipulation fears fuelled by ‘abnormal’ derivative moves (Link)
4. Deloitte to face court in Dubai over collapse of Beirut-based bank (Link)

Page 8

Key OpRisk Topics – Level 2

Business Process Execution Failures – Global
1. FM Index of resilient countries (Link). Switzerland, Luxembourg and Sweden are most resilient countries.
2. Threats of using bad quality external data (Link)

Business Process Execution Failures – Europe
1. Failures of legacy systems at large firms
2. Regulatory focus on operational resilience in UK
3. A loud noise knocked out computers that run stock exchanges across northern Europe (Link)
4. Banks suffer problems with transfers on European banking holiday (Link)
5. Family forced into poverty after bank’s $2.1m overdraft mistake (Link)

Business Process Execution Failures – N. America
1. Failures of legacy systems at large firms
2. Wells Fargo says it mistakenly kept fire and police pension fund fee rebates (Link)
3. Processing error impacting customers at Citizens Bank (Link)
4. Finra fines Fifth Third Securities $4 mn for variable-annuity violations (Link)

Business Process Execution Failures – S. America
1. No topics for this reporting period

Business Process Execution Failures – Asia Pacific
1. Samsung Securities issues stocks to staff by mistake resulting in market-wide (Link)
2. Failure of legacy systems in large firms
3. Customers of Westpac impacted by delays in processing external transfers (Link)
4. Error in loan calculator calculates incorrect interest rates on loans for 100,000 customers (Link)
5. World’s largest ID database exposed by India government errors (Link)
6. ATMs in several states went dry due to logistical failures in India (Link)

Business Process Execution Failures – Africa
1. System and human error results in $632 mn error in Swaziland Government’s bank accounts (Link)
2. 3 customers in Zimbabwe receive $279,000 due to computer error by bank (Link)

Business Process Execution Failures – Middle East
1. No topics for this reporting period

Vendor Failures & Damages – Global
1. Escalation of trade wars and protectionism between major economies may cause interruptions within supply chains
2. Excessive currency fluctuations due to dynamic geopolitical environment can increase/decrease supply chain costs
3. Adversaries are increasingly looking to exploit vulnerabilities in supply chain (Link)
4. Deloitte survey – 53% of global respondents reporting increase in their dependence on third parties. This is 59% for financial services. (Link)

Vendor Failures & Damages – Europe
1. Potential changes to supply chain of UK and EU firms due to Brexit. UK firms looking to replace EU vendors with UK vendors and vice versa (Link)
2. UK regulators to increase focus on banking supply chain, particularly outsourcing (Link)
3. UBS suspends access to research data for some external providers (Link)

Vendor Failures & Damages – N. America
1. Regulatory focus on third-party risks in the US
2. Higher level of H1B visa restrictions will increase IT costs for firms relying on vendors to bring staff from outside the US.
3. Deloitte survey – Only 2% of US respondents regularly identify and monitor their subcontractors (fourth/fifth parties) (Link)

Vendor Failures & Damages – S. America
1. No topics for this reporting period

Vendor Failures & Damages – Asia Pacific
1. Concentration of IT and business process outsourcing vendors in India providing services to organisations globally poses concentration risk
2. Meet the French ‘Hacker’ who exposed chinks in India’s cyber security armour (Link)

Vendor Failures & Damages – Africa
1. No topics for this reporting period

Vendor Failures & Damages – Middle East
1. No topics for this reporting period

Page 9

Key OpRisk Topics – Level 2

Damage to Tangible & Intangible Assets – Global
1. Data confirms that extreme weather events are increasing in frequency (Link)
2. Hackers targeting critical infrastructure
3. FM Index of resilient countries (Link). Switzerland, Luxembourg and Sweden are most resilient countries.
4. Potential flow of terrorists from Syria
5. Terrorism (e.g. ISIS influenced)
6. Russia and China’s intentions to challenge US global leadership
7. Antarctic glaciers lost stunning amount of ground in recent years (Link)
8. Report warns on impending flooding globally (Link)

Damage to Tangible & Intangible Assets – Europe
1. Regulatory focus on operational resilience in UK
2. Climate change is increasing flood risks in Europe (Link)
3. Basque terror group ETA dissolves (Link)

Employment Practices & Workplace Safety – Global
1. #MeToo movement going global (Link)
2. Modern workplaces are harmful for health of employees (Link)
3. Emerging practice on microchip implants to track and protect employees (Link)
4. Bill Gates warns of a coming disease which could kill 30 mn people in 6 months (Link)

Employment Practices & Workplace Safety – Europe
1. European Commission proposes whistleblower protection law (Link)
2. Increased focus on gender pay gap in UK
3. UK firms face action over failure to report gender pay gap (Link)
4. UK study: 1 in 3 women remove their wedding rings before a job interview (Link)
5. Employers could face surge of age discrimination cases in Ireland (Link)
6. Standard Chartered Head of Compliance being investigated for misconduct with staff (Link)

Damage to Tangible & Intangible Assets – N. America
1. 2018 FINRA priority – BCP (Link)
2. 3 day training exercise between New York and New Jersey for complex attacks (Link)
3. California risks severe ‘whiplash’ from drought to flood: scientists (Link)
4. Seattle prepares for a thousand-year storm (Link)

Employment Practices & Workplace Safety – N. America
1. Increase in reporting of sexual harassment cases
2. New initiatives to protect freelancers from sexual harassment (Link)
3. Bank of America says 151 employees affected by mass shootings in US (Link)
4. No breaks for staff costs Wells Fargo $97m (Link)
5. Former RBC FX trader suing bank for £13 million for unfair dismissal (Link)
6. Former Morgan Stanley employee owes $500,000 after seeking $3.5 mn (Link)
7. See Top 10 causes of serious workplace injuries in the US (Link)

Damage to Tangible & Intangible Assets – S. America
1. Social unrest in Brazil
2. Brazil hit by explosive wave of bank thefts (Link)

Employment Practices & Workplace Safety – S. America
1. Threat to employees during bank robberies using explosives (Link)

Damage to Tangible & Intangible Assets – Asia Pacific
1. Pace of progress in North & South Korea peace talks
2. Australia most vulnerable to climate change in the developed world (Link)
3. Fracking may have caused South Korean earthquake – study (Link)
4. Disasters could cost Asia-Pacific region $160 bn per year by 2030, UN warns. Region has suffered $1.3 trillion losses over the last 50 years (Link)
5. Attacks by family suicide bombers in Indonesia
6. State of emergency imposed in Sri Lanka after communal violence (Link)

Employment Practices & Workplace Safety – Asia Pacific
1. Bank employees stage protest against 2% pay hike in India (Link)
2. Of the 10 most polluted cities in the world, 9 are in India (Link)
3. Firms adopting unfair employment practices will be placed on watchlist (Link)
4. Japanese companies are taking measures to combat ‘death by overwork’ problem (Link)
5. Workplace discrimination is hitting mothers in China (Link)
6. Survey suggests workplace harassment common in South Korea (Link)

Damage to Tangible & Intangible Assets – Africa
1. Kenya Flood: 132 killed, 222,000 displaced (Link)
2. ATM robberies using explosives (Link)

Employment Practices & Workplace Safety – Africa
1. Ebola case found in urban area in Congo (Link)
2. Threat to employees during bank robberies using explosives (Link)
3. Death toll from listeria outbreak in South Africa rises to more than 200. Listeria is a food-borne disease (Link)
4. Watchdog in South Africa warns on low awareness of sexual harassment policies among employees (Link)
5. National Bank of Kenya CEO denies sexual assault on employee (Link)
6. Absa executive, who claimed to be victim of racism, loses unfair dismissal case (Link)

Damage to Tangible & Intangible Assets – Middle East
1. Syrian crisis and its international dynamics
2. Saudi Arabia intercepts missiles over Riyadh (Link)
3. Cyber attacks to sabotage oil infrastructure
4. 5.5 magnitude earthquake strikes near nuclear power plant (Link)

Employment Practices & Workplace Safety – Middle East
1. Omani women call time on workplace discrimination (Link)

Page 10

Deep Dive

Page 11

TSB System Failure – Apr 2018

Event Background

• TSB was migrating its core banking system from Lloyds systems to the Proteo4UK platform

• About the migration project:
  - Migration involving 5 million customers and 1.3bn records. Migration planned from 4pm on 20 Apr 2018 (Fri) to 6pm on 22 Apr 2018 (Sun).
  - Moving from the legacy platform expected to save £100m a year
  - Estimated cost of migration = €30-40m. Expected €71m before the crisis.
  - 200 TSB Partners working on migration since 2016
  - 800 software engineers working on new banking platform
  - 70,000 test cases used to test the new system
  - Building + testing new platform estimated at 2 million hours of effort, equivalent to 1,200 years for one person

About the OpRisk Event

• Migration was not successful, which resulted in disruption to the core banking IT system. The disruption lasted for 4 weeks.

• 1.9 million customers locked out of their accounts

• Customers unable to access their accounts from PC or mobile app

• Customers who were able to access their accounts were able to see details of other customers (breach of data privacy rules)

• 40,000 customer complaints

• Customers reporting long call-waiting times (e.g. 2 hours and 40 mins reported by customers on Twitter)

• CEO tweeted on 3rd day of the crisis that services were “back up and running” even when there were known issues. CEO criticised for wrong communication.

Impacts of the Event

• Hired IBM specialists to fix the problems

• CEO had to take direct responsibility for the IT infrastructure on 4th day of the crisis

• CEO had to assure that “no customer would be left out of pocket”

• Bank had to waive overdraft fees and interest charges for its retail and small business customers for April

• Bank raised the interest paid out on its standard current account to 5% on balances up to £1,500, up from 3%, for existing customers who stick with the bank

• Bank estimated it will cost about £20m to waive the fees and charges, and to raise the interest rate on its most popular account

• Bank employees had to work round the clock, including the bank holiday weekend

• Bank had to process backlog of unprocessed transactions

• Various tweets by TSB customers covered within national and international media

• CEO volunteered to give up £2m bonus associated with the migration to the new IT system

• CEO and COO were called before Parliament’s Treasury Committee

• FCA dispatched a team to TSB to monitor the situation. Potential regulatory fines may be levied in the near future.

• HMRC announced that it would accept late payment of VAT by small businesses impacted by the TSB system outage

• Some customers may switch to other banks

Page 12: RiskSpotlight Insight · against Vijay Mallya (Link) 4. Singapore banks to share data with regulators in standard format to identify transactions involving money laundering and terrorism

TSB System Failure – Apr2018

Key OpRisk Lessons

• The bank did not allocate adequate budget for the migration project. Consultants raised concerns in 2015 that the bank had not set aside enough money for an “incredibly complex” project. So ensure that senior executives allocating budgets for large and complex IT projects understand the risk exposures, especially when concerns are raised by experts.
• There are question marks over the quality of testing, as the problems were visible soon after the migration was completed. Good quality testing should have detected the issues.
• CEOs or senior executives should refrain from communicating an “All Green” status during a crisis until there is 100% confidence that all the issues have been fully resolved.
• The bank was unable to cope with the increase in customer calls during the disruption, as demonstrated by various tweets of customers reporting long call waiting times. Effective handling of calls during this period can reassure customers and increase the likelihood of their staying with the bank after the crisis.
• The bank has responded well by waiving charges and increasing interest rates to encourage customers to stay with the bank. Coming weeks will reveal what percentage of TSB customers switched to other banks.

Cyber Insurance

Current State Of Cyber Insurance Market

• US cyber insurance premiums reached $2.1bn in 2017
• Most active cyber insurance providers in the US – AIG, Chubb and Axis Capital Holdings
• Verisk estimates cyber insurance premiums to reach $6.2bn by 2020, with annual take-up rates growing 20% to 30% per year
• Allied Market Research – Cyber insurance market is expected to generate £14bn by 2022, growing at a CAGR of nearly 28% from 2016 to 2022 (Link)
• Cyber insurance adoption increasing in India (Link)
• CFC Underwriting – In Q1 2017, ransomware accounted for 20.5% of cyber claims.

Losses From Cyber Risks

• PwC – Average hack cost businesses £857,000 in 2017
• Center for Strategic and International Studies – Annual losses from cyber-crime in 2017 reached £291bn
• Cumulative productivity losses resulting from the 2017 WannaCry ransomware attack alone were approximately $4bn
• Equifax expects costs related to its massive 2017 data breach to reach $275 million (Link)

What Can Cyber Insurance Cover?

• Losses due to business interruption
• Losses due to data loss
• Losses due to reputational damage
• Loss of income due to targeted hacking attack
• Loss of intellectual property
• Regulatory fines
• Fraudulent fund transfers
• Damage repair to systems
• Payment for credit monitoring of affected individuals
• Payment for ransomware or cyber extortion
• Litigation costs and settlement

Doubts On Cyber Risk Understanding

• Warren Buffett – doesn’t want Berkshire Hathaway to be a leader in cyber insurance because neither he nor others in the industry really know the risk. For his organisation, he estimates cyber risk to have a 2% chance of causing $400bn or more of insured losses. Anyone who claims to know the base case or worst case for losses is “kidding themselves”, he said. (Link)
• DAS UK Group – One third of UK brokers admit to a ‘poor’ or ‘very poor’ understanding of cyber risks and cyber insurance. 90% of brokers expect demand for cyber insurance to increase considerably in the next couple of years. (Link)

Benefits of Cyber Insurance

• Cyber insurance pushes organisations to have baseline security controls, as they know not following these will invalidate their insurance
• Basic requirements for cyber insurance:
  - Understanding of critical assets
  - Enforcing strong passwords
  - Two-factor authentication
  - Encryption
  - Detection and response controls

Cyber Insurance

Innovation in Cyber Insurance

• Aon, Apple, Cisco and Allianz jointly created a new cyber risk management solution for US businesses. This involves cyber resilience evaluation services from Aon, secure technology from Cisco and Apple, and insurance coverage from Allianz (Link)
• Insurance firms could offer data backup facilities as part of insurance (Link)
• The NTU Singapore Cyber Risk Management Project (CyRiM) – research project supported by the Monetary Authority of Singapore, Singapore Cyber Security Agency and leading global insurance companies (Link). Developed a framework to quantify cyber risk and how a firm’s cybersecurity investment affects the residual annual loss expectancy, which is closely related to the insurance premium (Link)

Summary

• Cyber insurance is one of the fastest growing product lines for insurance firms.
• But not all insurance firms may have a full understanding of the cyber risks they are insuring. So organisations need to be diligent in reviewing the coverage terms to ensure they are buying the right insurance cover.
• Insurance firms will need to bundle technology-based solutions or partner with technology solution providers to offer a comprehensive solution. This will stretch the traditional way in which insurance firms have operated, and some firms may not be successful in the future.
• Cyber insurance can enable recovery of post-crisis costs but cannot enable recovery of affected data. So organisations need to ensure that they have adequate backups of data to recover from a cyber event. Similarly, cyber insurance cannot help in recovering from reputational damage. So organisations need to ensure adequate controls are in place to deal with the reputational impacts of a cyber event.
• Purchasing cyber insurance when key IT systems are operated by third parties can be complex. Need to consider overlaps between the firm’s cyber insurance cover and the vendor’s cyber insurance cover.

Vendor Risk Management (VRM)

Key Drivers of Vendor Risks

• Large number of vendors
• Initiatives to trim the number of vendors – increase concentration risk
• Vendors based in multiple geographic locations (managing across different time-zones)
• Vendors managing entire or partial business processes
• Vendor concentration in a single location (e.g. India)
• Vendors outsourcing to other vendors
• Vendors’ ability to retain and attract talent
• Rising level of wages and costs in emerging economies (e.g. India)
• Pressure on vendors to reduce costs + deliver more value
• Vendor staff located in your offices
• Providing vendors with access to key systems
• Restricting access to certain data (e.g. regulatory issues) for vendors
• Vendor managing key controls
• Vendor’s risk management approach and alignment with the risk management approach of your organisation
• Mergers and acquisitions between vendors
• Monitoring financial health of the vendors & compliance with standards on corruption and conduct

Statistics on Current State

• Gartner – 75% of Fortune 500 companies are now expected to treat Vendor Risk Management as a board level initiative to mitigate brand and reputation risk.
• The Ponemon Institute study in 2017 highlights:
  - 56% of respondents had been affected by a third-party breach in 2017, up from 49% in 2016
  - 57% of respondents don’t have an inventory of all third parties with which they share sensitive information
  - Just 17% feel they’re highly effective at mitigating third-party risks, down from 22% in 2016
  - 60% of respondents said that they do not have internal resources to check or verify the security and privacy practices of third parties

Vendor Risk Management (VRM)

Emerging Topics

• Adversaries such as cyber criminals are increasingly looking for vulnerabilities within the supply chain of the organisation they want to target. They may even target your vendor’s vendors.
• Law firms used by organisations are the most vulnerable. They hold sensitive information about an organisation and have been slower compared to other vendor categories in adopting adequate cyber security measures.
• Multiple organisations are increasingly relying on a single vendor (e.g. Amazon AWS to run software on cloud). The severity of a cyber incident at such a vendor may create wide-ranging impacts for a large number of organisations.
• UK and EU organisations are actively evaluating the impact of Brexit on their supply chain. The Chartered Institute of Procurement & Supply conducted a survey on the impact of Brexit on supply chain risk. It identified that 32% of UK companies are looking to replace EU vendors with British vendors and 46% of EU companies expect to reduce their use of UK vendors.
• Currency fluctuation is a growing concern for 65% of respondents from the above survey. 58% of respondents from banking and finance said that supply chains have become costlier. Many organisations are renegotiating their vendor contracts to address the risk of unexpected currency fluctuations.
• Brexit may also affect the ability of vendor staff to move freely between the UK and the EU. So organisations relying on such movement of vendor staff should evaluate the associated risks, especially if there is dependency on such staff for core business processes and systems.

Emerging Best Practices

• In Nov 2017, JP Morgan, Bank of America, Wells Fargo, BNY Mellon and American Express collectively created a company called TruSight to assess potential third-party vendors before they are hired. Vendors need to fill out a common questionnaire and agree to frequent on-site reviews to verify their claims. Visits can be monthly, quarterly or semi-annual. Information provided by vendors is available to any financial institution.
• In vendor due diligence, include a review of vendor staff with security and intelligence backgrounds. Look for staff with industry-recognised security certifications such as CISSP. Also review whether their CISO reports into senior management, e.g. the CEO or CFO.
• Review whether vendors have hired a “threat hunter” or plan to do so in the near future. The job of a threat hunter is to proactively look for cyber threats and make the appropriate stakeholders aware of these so the threats can be adequately addressed. Salaries for threat hunters are in excess of $200,000.
• Extend visibility into third and fourth parties – subcontractors used by vendors.

Thank you.

For further information on any content covered in this report or to submit your preferred topics for the Deep Dive section in a future report, please contact Manoj Kulwal at [email protected]

Next edition of the report will be published on 20Jul2018.