Strengthening Risk Management for Financial Enterprises
Written by Marty Aquino
You’d have to live under a rock not to know that cyber risk poses a significant threat to our financial system. An IMF staff modeling exercise estimates that average annual losses to financial institutions from cyberattacks could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability.
Recent incidents demonstrate that the threat is very real. Successful attacks have already resulted in data breaches, where thieves gained access to confidential information, and fraud, such as the theft of $500 million from the Coincheck cryptocurrency exchange. And there is the ever-looming threat that a targeted institution could be crippled by a cyber attack and left unable to even operate. Not surprisingly, surveys consistently show that risk managers and other executives at financial institutions worry most about cyber-attacks.
The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships. The OCC has identified instances in which bank management has…
- failed to properly assess and understand the risks and direct and indirect costs involved in third-party relationships;
- failed to perform adequate due diligence and ongoing monitoring of third-party relationships,
- entered into contracts without assessing the adequacy of a third party’s risk management practices;
- entered into contracts that incentivize a third party to take risks that are detrimental to the bank or its customers, in order to maximize the third party’s revenues; and
- engaged in informal third-party relationships without contracts in place.
These examples represent trends whose associated risks reinforce the need for banks to elevate their current risk management practices for their third-party relationships.
Privacy, data protection, regulations in changing political winds, cybersecurity and its associated risks, difficulties and costs rank high among the top concerns of compliance professionals. Many professionals use point-in-time questionnaires to assess deficiencies and troubleshoot pervasive problems. Unfortunately, point-in-time assessments are outdated as soon as they’re deployed. This method can find vulnerabilities at a single moment, but it doesn’t track risk events and changes between assessments. Worse still, dependent on a questionnaire, these assessments can be subjective and prepared only for meeting compliance or audit requirements, instead of addressing the core risk-management concerns. Vulnerabilities are often exploited as a result of these periodic “check-ins” to an ongoing and ever-evolving risk landscape.
Bigger, Faster, Stronger Risks
Point-to-point risk management paves the way for increased vulnerability to more resistant, more pervasive risks. Those risks include areas like cybersecurity and data privacy as well as equally important, yet less overt ones like third-party, counterparty and location-based risks. Regardless of the source of the risk, your entire organization’s reputation hangs in the balance. Criminals target financial firms because that’s where the money is; however, internal risks are also equally problematic when it comes to workers who may have been unknowingly compromised.
“Private sector enterprises in diverse sectors including entertainment, finance, health-care, education, and telecommunications — not just government and military organizations — are being increasingly targeted by states or state-sponsored entities in cyber-attacks. The ubiquity of reliance on the Internet for doing business, combined with lax cybersecurity processes, has created the opportunity for state actors to achieve foreign policy objectives via cyber-attack,” states a recent article by the vice president of Thomson Reuters Labs.
Despite embracing technology and digital innovation such as artificial intelligence, 5G and quantum computing, financial organizations have considerable uncertainty about the degree of cyber risk that new technologies bring. According to a Deloitte study on third-party risk management, 93.5% of respondents express low to moderate levels of confidence in their risk-management and monitoring mechanisms.
Continuous Monitoring as a Practice — and a Culture
Proactive risk managers and executives should upgrade their methods by moving to an always-on and continuous approach to risk assessment. Relying on point-in-time questionnaires has become problematic, unproductive and often misleading. Proactive organizations need to incorporate continuous risk monitoring as a part of their comprehensive risk-management policy. At the same time, they need to reduce the number of false positives and the noise to maintain optimum risk-management effectiveness.
This holistic approach requires full involvement and support from the C-suite as well as the organization’s board. Senior leaders often underestimate the importance of continuous risk assessment, especially as it pertains to some of the risks the organization has already taken on, whether third-party, customer-facing or internal. It is critical that your company have an ongoing monitoring component for maximum risk avoidance and opportunity identification.
The Forecast Is Partly Sunny
There are two kinds of companies: those that have already faced a cyberattack and those that will. Smart companies will weave early warning, rapid assessment and real-time response systems into their very infrastructure. The ability to forecast and navigate through increasingly chaotic, yet highly likely events will become an organization’s competitive advantage or Achilles’ heel.
It seems like only yesterday that organizations could do just fine by being responsibly reactive. Now those same organizations need a continuous feed of relevant, real-time data to make accurate risk forecasts and have corresponding worst-case-scenario countermeasures at the ready for hair-trigger deployment to stay competitive in this new digital decade.
But it’s not all bad news. Bringing onboard a solution that makes continuous and real-time monitoring easy, like Supply Wisdom™️, is an extremely effective way to upgrade your risk-management program. Not only does Supply Wisdom offer real-time and continuous risk monitoring that covers the most comprehensive set of third-party and location-based risks in the industry, but the risk intelligence and negative news alerts are 100% curated so there is no noise and no false positives. Additionally, Supply Wisdom includes comprehensive cyber risk coverage that allows organizations to quickly and efficiently evaluate the cyber s`usceptibility of your third parties and includes advice on how to address those vulnerabilities. Supply Wisdom’s solution is cloud based and available within 24 hours of sign up through open API feeds thus allowing seamless integration into your existing risk-management platform.
Curious to learn more about how Supply Wisdom’s continuous and real-time risk intelligence and monitoring can elevate your current third-party risk management? Request a demo today.
About the Author
Marty Aquino is the founder of Carbonwolf Energy, a venture-capital firm specializing in world-changing and status-quo-defying technologies and people. Since 2009, he has been a passionate writer on venture capital, technology, forecasting, risk mitigation and entrepreneurial topics. His hobbies include cultivating “rabble-rousers,” learning foreign languages, and participating in adrenaline sports such as skydiving, rock climbing, skiing and road rallying.