This week marks the tenth anniversary of the global financial crisis. Any financial crisis of this magnitude will have a significant impact upon financial markets and their participants as well as severe societal consequences (see Van Dijk (2013) for human-level impacts including health, educational and overall quality of life consequences of financial crises). This last crisis may well be the defining moment for several generations - the millennials are understandably upset about the mountain of debt left for them to service (see McKinsey's 2015 reports on debt levels), my generation's collective responsibility, whilst those in retirement (only a few years ahead) have found the low rate environment a poor vehicle to invest a lifetime of savings in safe government, bank or corporate debt and earn reasonable returns. But we are where we are.
It was hard to miss this week's chorus of press about the financial crisis and the many predictions of the next one lurking around the corner. In the City of London and in NYC, where I spent part of this week, the risks which commonly come up (although not in the same order) include an emerging markets disruption (Turkey, Argentina, etc.), the rise of global populism creating market uncertainty, Brexit (I was impressed with REM's Michael Stipe's take on Brexit as "not good" and the need to "mobilise" for change), the dearth of market liquidity and of course the reversal of lax monetary policy, to name just a few. I thought one of the more interesting pieces was the interview this week with Gordon Brown, who laments failures of global leadership (what would have happened if this lot were in charge 10 years ago?) and, more importantly, the lack of international cooperation present today. His words make me recall the IRMC 2018 NYU/Paris Dauphine conference, where the chairman of one of Europe's largest banks recalled the three key pillars designed to react to the crisis (international cooperation leading to easier monetary policy, efforts to boost international trade and heightened regulation) and asked where is the direction of travel today on this front....

It is really time for financial institution boards to do everything in their purview to ensure their firm's culture and capabilities are designed to thwart attacks whilst also having battle-ready recovery strategies in place. Furthermore:
It is not only becoming a regulatory requirement (see the EU's Network and Information Security Directive) but a governance best practice requirement too.
- Board members should know the key aspects of the IT infrastructure attached to the operating business model and its vulnerabilities, and establish a risk appetite for IT risk.
- Vendor risk management programs are important too, as firms often outsource key IT roles in terms of data storage, APIs and cloud-based systems.
- In Europe, GDPR, which covers the integrity of client data subject to theft, results in fines of 4% of global revenue if a firm fails to meet its standards, including reporting requirements, so timely compliance here is key.
Photo credits in order: CNBC and CyberSecurity TS CSO.