September Round-Up - Operational Resilience: More Than Just Weathering the Storm

The financial services landscape is grappling with various operational challenges, from cyberattacks and third-party failures to the ever-evolving risks associated with cloud services. Recent events, such as Amsterdam Trade Bank's bankruptcy and the CrowdStrike incident, underscore the urgent need for operational resilience—the ability to prevent, respond to, and recover from disruptions.



Frank Elderson's speech at the ECB emphasises this point, urging banks to go beyond financial resilience and prioritise operational resilience as a core business strategy. This means investing in robust IT infrastructure, enhancing business continuity plans, and proactively managing third-party dependencies, particularly in the cloud.



DORA and TIBER-EU: A Framework for Cyber Resilience


The upcoming Digital Operational Resilience Act (DORA) sets a new standard for operational resilience in the financial sector. To help firms comply with DORA's requirements for threat-led penetration testing (TLPT), the ECB is promoting the adoption of the TIBER-EU framework. This standardised approach provides comprehensive guidance and access to expert resources, ensuring consistency and quality in cyber resilience testing across the EU.



ENISA Threat Landscape 2024: Staying Ahead of the Curve


The ENISA Threat Landscape 2024 report paints a stark picture of the cyber threats organisations face today. Ransomware, malware, social engineering, and DDoS attacks remain prevalent, while attackers increasingly leverage AI and sophisticated evasion techniques. Financial institutions must stay vigilant, strengthen their defences, and adapt their security strategies to address these evolving threats.


Key Takeaways for Financial Institutions:


  • Operational resilience is paramount. Being financially sound is no longer enough. Invest in people, processes, and technology to withstand operational disruptions.

  • Financial institutions must fully embrace DORA and TIBER-EU. Leveraging these frameworks is not just an option; it's necessary to enhance cyber resilience and ensure compliance with regulatory requirements.

  • Financial institutions must prioritise staying informed about the threat landscape. By monitoring emerging threats and vulnerabilities, they can adapt their security posture proactively and stay ahead of potential risks.

  • Prioritise third-party risk management: Carefully assess and manage the risks associated with third-party providers, especially in the cloud.

  • Invest in human capital: Ensure your team has the necessary skills and expertise to navigate the complexities of operational resilience. Continuous skill development is essential.


The message is clear: operational resilience is no longer a luxury but a necessity. By taking a proactive and comprehensive approach, financial institutions can safeguard their operations, protect their customers, and thrive in an increasingly challenging environment.



Hong Kong's Cybersecurity Shakeup: New Legislation for Critical Infrastructure


Hong Kong is stepping up its cybersecurity game with a proposed new law aimed at bolstering the protection of critical infrastructure. This legislation, tentatively titled the "Protection of Critical Infrastructure (Computer System) Bill," signals a significant shift in the city's approach to cybersecurity risk management.


Who's in the Spotlight?


The law focuses specifically on designated critical infrastructure operators (CIOs) and their essential computer systems (CCSs). While the list of designated CIOs will remain confidential, it's expected to encompass organisations in vital sectors like finance, transportation, energy, and healthcare. Significantly, even CCSs outside of Hong Kong may fall under the purview of this legislation.


What are the Obligations?


CIOs will face a range of new obligations, including:


  • Organisational Requirements: Establishing robust cybersecurity governance frameworks, risk management processes, and incident response plans.

  • Preventive Measures: Implementing security controls, such as access controls, vulnerability management, and security audits, to protect CCSs from cyber threats.

  • Incident Reporting: Promptly reporting cybersecurity incidents to the authorities. Serious incidents must be reported within 2 hours, while other incidents have a 24-hour reporting window.


Enforcement and Penalties


A new Commissioner's Office will be established with extensive investigative powers to enforce the law. Non-compliance by CIOs can lead to fines, although the legislation currently focuses on organisational accountability rather than individual liability.


Key Takeaways for Businesses:


  • Assess your risk: Determine whether your organisation could be designated as a CIO under the new law.

  • Review your cybersecurity posture: Evaluate your existing cybersecurity measures and identify any gaps that must be addressed to comply with the proposed requirements.

  • Prepare for incident reporting: Develop robust incident response plans and reporting mechanisms to meet the strict reporting timelines.

  • Stay informed: Monitor the progress of the legislation and any guidance issued by the Commissioner's Office.


Proactive Steps for Enhanced Cybersecurity


While the law is not yet in effect, businesses in Hong Kong should take proactive steps to enhance their cybersecurity posture. This includes:


  • Conducting thorough risk assessments: Identify critical assets and vulnerabilities within your organisation.

  • Implementing robust security controls: Strengthen your defences against cyber threats with multi-factor authentication, intrusion detection systems, and regular security awareness training.

  • Developing comprehensive incident response plans: Establish clear procedures for identifying, responding to, and recovering from cybersecurity incidents.

  • Engaging with cybersecurity experts: Seek professional guidance to ensure your organisation is well-prepared for the new cybersecurity landscape in Hong Kong.


This new legislation marks a significant step towards strengthening Hong Kong's critical infrastructure against cyber threats. By understanding the proposed requirements and taking proactive steps to enhance their cybersecurity posture, businesses can be well-prepared for the changing regulatory landscape.



SEC - The Potential Risks of AI in the Financial Markets


Artificial intelligence (AI) can potentially revolutionise the financial services industry. However, it also poses significant risks to the stability and integrity of the economic system. In this blog post, we will discuss some potential dangers of AI in the financial markets, using the movie "Her" as an analogy.


The "Her" Scenario: A Warning for the Future


In the movie "Her," Samantha, an AI assistant, interacts with multiple people simultaneously. The video suggests that a similar situation could arise in the financial markets, where many AI models or data sources could influence financial institutions to make similar decisions. This could lead to systemic risk, where a problem in one part of the economic system could cascade and cause issues throughout the entire system.

For example, if several AI models are trained on the same data, they may reach similar conclusions about the value of a particular asset. This could lead to a bubble, where the asset is overvalued and is at risk of a sudden crash.


Key Risks of AI in the Financial Markets


  • Systemic Risk: Using AI in the financial markets could increase systemic risk. AI models can be complex and challenging to understand, making their risks difficult to identify and manage.

  • Algorithmic Bias: AI models can be biased, leading to unfair or discriminatory outcomes. For example, an AI model that is trained on data from a predominantly white population may be more likely to make decisions that are unfavourable to people of colour.

  • Data Privacy: AI models require large amounts of data to train. This data may contain sensitive information about individuals, which could be at risk of being misused or stolen.

  • Lack of Transparency: AI models can be challenging to explain, making it difficult for regulators and market participants to understand how they work and assess the risks they pose.


The Need for Regulation


To mitigate the risks of AI in the financial markets, regulators and market participants need to start thinking about how to regulate its use. This may include developing new regulations to oversee its use and requiring financial institutions to disclose how they use AI and explain the risks associated with its use.


In addition, market participants need to be aware of AI's potential risks and take steps to mitigate them. This may include conducting risk assessments of AI systems, implementing robust governance processes, and investing in AI training and education.


Overall


AI has the potential to transform the financial services industry. However, it is essential to be aware of AI's risks and take steps to mitigate them. By working together, regulators, market participants, and industry experts can ensure that AI is used responsibly and safely in the financial markets.



Beyond Risk Management: Building Operational Resilience in Financial Services


The financial services industry faces various operational risks, from cyberattacks and pandemics to technology failures and regulatory changes. Reacting to these risks is not enough; firms must proactively build operational resilience to withstand disruptions and maintain business continuity.


A recent report highlights the evolving nature of operational risk management (ORM) and the increasing importance of operational resilience. The Reserve Bank of India (RBI) has issued guidance that aligns with the Basel Committee on Banking Supervision (BCBS) principles, providing a structured approach for financial institutions to strengthen their operational resilience.


Critical Elements of Operational Resilience:


The RBI guidance covers several vital elements that firms should focus on:


  • Governance: Establish clear roles and responsibilities for operational resilience, with strong oversight from the board and senior management.

  • Risk Culture: Foster a culture that values operational resilience and encourages proactive risk identification and mitigation.

  • Change Management: Implement robust change management processes to assess and mitigate risks associated with new products, technologies, and regulations.

  • Third-Party Dependency Management: Effectively manage risks from reliance on third-party providers, including conducting thorough due diligence and ongoing monitoring.

  • Business Continuity Planning: Develop and regularly test comprehensive business continuity plans to ensure operational continuity during disruptions.

  • Incident Management: Establish clear incident response and recovery procedures to minimise the impact of operational disruptions.

  • ICT Risk Management: Implement strong cybersecurity measures, incident response protocols, and business continuity plans to address ICT-related risks.

  • Continuous Improvement: Foster a learning and continuous improvement culture by incorporating lessons from incidents and operational disruptions.


Implications for Financial Institutions:


  • Go beyond traditional ORM: Adopt a proactive and comprehensive approach to operational resilience beyond identifying and mitigating risks.

  • Comply with regulatory guidelines: Ensure compliance with the RBI guidance and other relevant regulations to strengthen operational resilience.

  • Strengthen your risk management framework: Develop and implement a robust Operational Risk Management Framework (ORMF) integrated with your overall risk management processes.

  • Focus on change management: Given the financial sector's increasing complexity, implement a structured approach to change management.

  • Prioritise third-party risk management: Effectively manage the risks associated with your reliance on third-party providers.

  • Enhance business continuity planning: Develop and regularly test robust business continuity plans to ensure operational continuity during disruptions.

  • Strengthen incident and ICT risk management: Develop and implement incident response and recovery plans and a strong ICT risk management program.

  • Foster a culture of continuous improvement: Encourage learning from incidents and operational disruptions to continuously improve your risk management practices.


Building a Resilient Future:


By embracing the principles of operational resilience and implementing the RBI guidance, financial institutions can enhance their ability to withstand disruptions, protect critical operations, and maintain economic stability. In today's dynamic and interconnected world, operational resilience is no longer a choice but a necessity for long-term success.



The Path Forward


The financial services sector is navigating a complex and evolving landscape of operational risks. From cyber threats and third-party dependencies to the growing use of AI and the ever-present danger of human error, organisations face constant challenges to their operational resilience.


This month's roundup highlights a clear and urgent message: proactive and comprehensive operational resilience is no longer optional; it's essential for survival.


Key Takeaways:


  • Operational resilience is paramount: Financial institutions must go beyond financial stability and prioritise operational resilience to withstand disruptions, maintain business continuity, and protect their customers.

  • Embrace regulatory frameworks: DORA, TIBER-EU, and other regulations provide valuable guidance and support for enhancing operational resilience. Compliance is not only necessary but beneficial.

  • Stay ahead of the curve: The threat landscape is constantly evolving. Organisations must remain vigilant, monitor emerging threats, and adapt their security strategies accordingly.

  • Manage third-party risks: The increasing reliance on third-party providers, especially in the cloud, necessitates robust risk management frameworks to ensure operational resilience across the entire ecosystem.

  • Invest in human capital: A skilled and knowledgeable workforce is crucial for navigating the complexities of operational resilience. Continuous training and development are essential.

  • Foster a culture of resilience: Building a strong risk culture that values operational resilience and encourages proactive risk management is crucial for long-term success.


The Path to Resilience:


Building operational resilience is a continuous journey, not a destination. It requires a holistic approach that encompasses people, processes, and technology. By embracing the principles of operational resilience, investing in robust frameworks, and fostering a culture of continuous improvement, financial institutions can navigate the challenges ahead and thrive in an increasingly complex and interconnected world.






The posts listed on the 'What we think' webpages are our interpretation of regulatory developments we have been reading about. They should not be considered legal, regulatory or other advice. Contact us if you want to understand the impact of public policy, regulation and governance changes for you.
