Data theft leads top 10 op risks survey for 2019
Fears of data breaches eclipse concerns over disabling cyber attack; IT failure and Brexit enter top 10
The full results of Risk.net’s 2019 Top 10 Op Risks survey can be found here
Data compromise has topped Risk.net’s annual Top 10 Op Risks survey for 2019, swapping places with last year’s top risk, IT disruption. The former is now seen, albeit narrowly, as a bigger hazard by financial institutions wary of the combined threat of data loss, reputational damage and mega-fines from regulators under draconian new data protection laws.
While this year’s survey will have a familiar look to readers, it also features one re-entry (from 2017) and two new entries: IT failure, data management and Brexit – at numbers 3, 8 and 9 respectively. Every other risk among last year’s top 10 has also shifted place, with none holding steady.
The survey – compiled from interviews and written submissions from senior op risk executives at banks, buy-side firms and financial market infrastructures – provides a gauge of industry concerns for the year ahead.
The threat of mega-fines under the European Union’s General Data Protection Regulation (GDPR) appears to have driven concerns over data compromise to the top of this year’s poll. The regime entered into force in May 2018, and its first fines have already been imposed. In January, the French government fined Google €50 million ($56.3 million) for failing to provide proper data security and privacy. No jurisdiction has yet used the full scope of penalties – the regulation allows for a fine of up to 4% of a firm’s global revenue – but the potential still exists.
Even if a bank isn’t the direct target, the possibility of customer data being compromised is always present: HSBC recently disclosed that hackers had gained access to customer accounts during two weeks in October 2018 via a third-party entity. The thieves may have retrieved names, addresses, account numbers and balances, and birth dates, among other personal information, the bank said.
“One of our key concerns is interconnectedness with third or fourth parties,” says a senior op risk manager at a global bank, who responded to this year’s survey. “We're seeing an increase in malware and phishing attacks in our supply chain. Most importantly, we worry about data breaches. We’re fully aware hackers are getting more and more sophisticated, and [defending against them] is getting more complex because even nations are participating in cyber attacks. The nature of the threat is constantly changing.”
No other source of operational risk cuts across as many threat vectors as malicious cyber attacks, from outsourcing and third-party risk (6) – which drops one place to sixth this year – to last year’s top risk, IT disruption, caused by a disabling cyber attack, which remains high on the agenda for respondents.
IT failure, meanwhile – considered separately from disruption caused by malicious cyber attacks – roars back into this year’s top 10, having last featured as a discrete risk in its own right in 2017. That's no surprise in a year when global regulators led by the Bank of England – spurred by a spate of high-profile incidents affecting retail bank customers, such as TSB’s loss of functionality following the migration of customer data onto a new platform – have trained their sights on financial firms’ operational resilience.
The related threat posed by organisational change (4) – the need to remain agile in the face of new regulatory requirements, technology and risk types – also rises up the agenda for firms this year.
More often than not these days, cyber actors pose the greatest risk of loss to banks from theft and fraud (5) – down by one notch from last year’s survey. In the case of Banco de Chile last June, attackers infected the company’s computers and servers with a virus as a distraction, allowing them to access the firm’s Swift accounts and make off with $10 million. The ensuing chaos resulted in branch closures, and is one of many examples of hackers targeting banks in emerging markets via the international Swift payment network.
Old-fashioned embezzlement schemes still loom large, though, especially in emerging markets. Insider fraud accounted for 2018’s three largest publicly reported op risk losses: Beijing-based Anbang Insurance lost $12 billion to a long-running embezzlement; in Ukraine, $5.5 billion vanished from PrivatBank in a ‘loan-recycling’ scheme; and in New Delhi, the Punjab National Bank lost $2.2 billion to rogue employees working with a fugitive diamond dealer.
Regulatory risk (7), meanwhile, remains a constant: the risk of failing to comply with large swathes of often conflicting rules, and the business risks associated with changing regulations, remains a widely cited fear.
One such regulation, Europe’s GDPR, is behind another new risk in this year’s top 10: data management (8). The risk of mis-steps when handling customer data – be it inappropriate checks on storage and permissioning, or the risk of data becoming trapped and useless in different operational silos – is exacerbated by the vast volumes of structured and unstructured data that banks and fund managers hold. Although dealers were given until January 2019 to achieve compliance with the data management principles set down by the Basel Committee (BCBS 239), there’s still widespread uncertainty about what full compliance looks like, and how regulators will enforce it.
Perhaps inevitably, as European firms stare down the barrel of a disorderly exit by the UK from the EU later this month, Brexit (9) makes an unwelcome entry into this year’s top 10. Frustrated by the lack of clarity over a political solution, banks and brokers are setting up new entities in mainland Europe at a speed that almost guarantees new operational risks, such as difficulties with staffing and resource management.
Rounding out the top 10, mis-selling (10) dips several places this year, with regulatory mega-fines related to residential mortgage mis-selling, payment protection insurance and other products having abated. Among the stragglers last year, HSBC agreed to pay $765 million to US authorities to settle claims that it mis-sold mortgage-backed securities between 2005 and 2007. Similar settlements have now been made by RBS and Deutsche Bank.
Copyright Infopro Digital Limited. All rights reserved.