IT disruptions – whether from a disabling cyber attack, or the more mundane causes of human error or failure of aging hardware – are considered the top threat to financial services firms for 2018 by senior operational risk practitioners, according to Risk.net’s annual Top 10 Op Risks survey.
Risk.net’s survey is based on interviews with chief risk officers, heads of operational risk and senior op risk practitioners at financial services firms, including banks, insurers, asset managers and infrastructure providers. This year, respondents were asked to supplement standardised risk taxonomies with real-world examples of given risks, with the aim of offering readers a direct insight into what keeps their peers awake at night.
As a result, there have been some boundary changes (see table at bottom of article). Cyber risk, which topped the 2016 and 2017 surveys, was broken up this year, and its impact considered across multiple categories – primarily IT disruption (#1), data compromise (#2) and theft and fraud (#4).
Regulatory risk (#3), which was second on last year’s list, held its position as the top non-cyber related risk, followed by outsourcing (#5). Organisational change (#8) also remains from last year. However, there were several re-entries on this year’s list – mis-selling (#6) and model risk (#10), both of which last made the top 10 in 2015 – and a new entry, talent risk (#7). Unauthorised trading – considered distinct from conduct risk this year because it includes the impact of rogue algorithms alongside the actions of rogue traders – comes in at number nine.
A disabling cyber attack remained the top fear of most op risk practitioners at firms of all stripes this year. Fears expressed range from direct attacks on a bank to the indirect consequences of a cataclysmic system-wide attack.
“You can have a business continuity plan in place that lets you recover from a cyber attack which causes widespread market disruption – but what if there’s a London-wide power outage?” says the head of operational risk at the London arm of a global bank. “The UK’s National Cyber Security Centre has said a major UK-wide outage caused by cyber attack is a matter of when, not if. Ukraine’s power grid has been taken offline by politically motivated operatives twice in the past three years.”
Known threats that result in IT failure, such as DDoS attacks, can still be crippling, say op risk chiefs. A wave of DDoS attacks on three Dutch banks, including ABN Amro, over the weekend of January 27–28 knocked out the firms’ online and mobile banking services.
“Denial of service attacks, together with the reputational risk such denial of service will bring, are of greatest concern for systemically important banks,” says a senior op risk executive at a South African bank. “Our focus is on strengthening business resilience capability.”
IT disruptions considered in this category also include non-cyber related causes such as faulty software, hardware failures, problems with outside vendors, or even damage to networks from physical attack or extreme weather. One op risk executive at a large New York-based bank says their firm assesses weather-related risks when choosing outsourcing providers in countries that are prone to flooding, which could topple the infrastructure and render services unavailable.
Data compromise was a close second behind IT disruption – unsurprising given the seismic changes in data protection regulation planned for the second quarter of this year. The vast stores of personal information banks, financial services companies and infrastructure providers hold make them prime targets for cyber thieves and hackers, as well as malicious insiders. In fact, data theft – whether by cyber attack or other means – was identified by half this year’s survey respondents as their top operational risk.
The year’s most infamous breach, at credit checking agency Equifax, compromised the personal information of an estimated 145 million individuals. It was attributed to the firm’s failure to apply a security update to a critical piece of software, the Apache Struts web framework. Equifax didn’t report the breach until September 2017, four months after it had taken place. The European Union’s General Data Protection Regulation, which comes into effect on May 25, 2018, will severely penalise companies that fail to notify their regulator within 72 hours of becoming aware of a data breach, with fines of up to 4% of global annual turnover.
GDPR also gives supervisors the power to conduct on-site inspections, issue public warnings and impose sanctions. It is explicitly extraterritorial in scope: any firm that processes the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behaviour, must comply, no matter where it is based.
Regulatory risk takes in everything from unpredictable actions by regulators to fines and penalties for transgressions, as well as concerns from firms that a pile-up of multiple pieces of regulation will leave them unable to comply. The consequences of mis-reporting required disclosures – something several large banks said their host regulator was coming down increasingly hard on – are also considered here.
Among the year’s mega fines, RBS became one of the last banks to settle with US authorities in July 2017 over claims of mis-selling mortgage-backed securities to the US government-backed mortgage financers Fannie Mae and Freddie Mac, for $5.5 billion.
Theft and fraud encompasses a variety of external and internal threats, including but not limited to cyber attacks. Cyber criminals are adept at finding and exploiting vulnerabilities, and banks acknowledge they are constantly on the defensive due to the number and sophistication of attacks.
One European bank estimates that the success rate of phishing attacks is 3%. A phishing attack on several Swedish banks in September, in which the attackers were able to redirect payment orders, could yet cause combined losses of $312 million.
“Fraud is getting more and more sophisticated. The fraudsters have to be right just one time and I have to be right all the time,” says the head of operational risk at a North American bank.
Old-fashioned frauds made up a substantial portion of the largest op risk losses for 2017, however – not least the $2.5 billion that fraudulent loans are said to have cost Brazilian development bank BNDES. Two of last year’s top 10 losses – one involving Agricultural Bank of China and the other a group of eight Indian banks – also came from commercial loan fraud. Indian banks alone experienced 37 cases of commercial loan fraud totalling more than $2.57 billion.