The 12 Days of Reputational Risk – 2015 in Review
December 31st, 2015
2015 was the year of reputational risk. From corruption scandals and fraud investigations to information security issues and data breaches, organizations of all shapes and sizes found themselves scrambling to respond. In this series, Joram Borenstein highlights the top issues that took place in 2015 with “The 12 Days of Reputational Risk.” Check back each day as we reveal the next risk in this series. www.niceactimize.com/12Days
Day 12: Single System: AML Moves Toward Enterprise-Wide Compliance
There continues to be a desire by financial services organizations to move their money laundering prevention practices to a single enterprise-wide view and capability. More often than not, one comes across situations in which financial services providers are looking at their money laundering compliance in siloes across business units, geographic offices, and acquired entities. Regulators such as The Monetary Authority of Singapore (MAS) and Office of the Comptroller of the Currency (OCC) and others are issuing rules focused on reducing fragmentation in financial services out of concern that such fragmentation reduces their ability to know what the financial firms are processing and makes it easier for criminals to exploit the financial system. It is logical to expect to see more trending in this direction in 2016.
Day 11: Network Outages: Even Target is a Target
A number of widely-publicized website and network outages took place in 2015. Some of the most memorable ones occurred at United Airlines, the New York Stock Exchange, The Wall Street Journal, and more recently with Target’s website during Cyber Monday. While it does not appear that these incidents were the direct result of any manipulation or attack, the reputational impact – at least temporarily – was significant in the weeks after these incidents due to the ongoing media onslaught and speculation. Such incidents will probably not subside overnight – or perhaps ever – and instead the ability to manage, to talk about, and to defend such situations in a timely manner is a topic that compliance, security, risk, and public relations professionals will likely continue to collaborate on for years to come.
Day 10: Nation-State Hacking: The Threats Go Both Ways
2015 saw a spike in cyber–incidents by one nation-state or another, with particular suspicion of foreign intelligence services. While new strains of malware were mentioned in some cases, the coverage for the most part tended to focus on the diplomatic fallout, the reputational damage on the international stage, and on the way in which adversaries hacking into one another’s systems has become a standard topic of discussion alongside human rights, pollution, and arms control. In fact, most people would propose that this is merely another form of arms control and international organizations are already beginning to discuss how to moderate these tensions. In the same way that the world focused on nuclear weapons post-World War II, there is potential for nation state hacking to become part of a similar conversation for collaboration and control.
Day 9: Cyber Insurance: A Policy Against Data Breaches
This new form of insurance made waves in 2015 and started becoming a more frequent topic of conversation for boards of directors and C-level executives alike. As the number, scope, and intensity of data breaches have proceeded seemingly unabated, insurance has become a reasonable and legitimate alternative that is being increasingly used to offset risk. While not yet a widely deployed technique, it is highly likely that this will be used more in 2016 and that we will see situations in which organizations attempt to cash in their policies when incidents occur. The growing reliance on data as a business tool and a business differentiator also causes organizations to increasingly view such insurance as a critical factor in their planning and risk management preparations.
Day 8: Mass Exodus: Refugees & Money-Laundering
The scope and pace of the ongoing human exodus from Africa and the Middle East into Southern Europe that we have witnessed during the 2nd half of 2015 has been truly unprecedented, representing one of the largest volumes of human movement in the Western world since the end of World War II. Moreover, it presents a uniquely worrisome opportunity for smugglers and human traffickers who provide their services to desperate individuals and families making the journey. In late 2015, this issue has become particularly acute as more and more countries in southern Europe and the Balkans have instituted new and more restrictiveborder crossing measures as a result of European political infighting and in light of the November 13th Paris terrorist attacks. Traffickers’ ability to use traditional financial institutions for moving money, paying their “workers” and receiving payments from refugees poses a continued challenge to anti-money laundering enforcement.
Day 7: Cybersecurity: The Regulators Jump on Board
2015 witnessed an absolute deluge in interest from regulators about cybersecurity. Moreover, this was coming from many regulators that had previously not been interested in focusing on this topic in any significant manner. From the FTC to the SEC to the New York State Department of Financial Services, the regulators have been all over this topic in the hopes of reducing the risk of cybersecurity-related data breaches and manipulation on the entities that they regulate. However, the lack of coordination among the agencies presents challenges to financial services organizations; one hopes that collaboration will win the day ultimately but few have high hopes for this in the short-term.
Day 6: Fraud Follows Speed: “Faster Payments” Means Faster Fraud
From Australia’sNPP to the US Federal Reserve’s Faster Payments initiatives (following the UK’s Faster Payments a few years ago), we are now witnessing faster payments come in with a fury. As a result, money transactions are now a much sexier target for the bad guys who want to use the short clearing periods to their advantage. As Same-Day ACH in the U.S. and Faster Payments in Australia come into their own, the hackers will be watching closely and presumably are already trying to figure out how to hack the system. It would be wise for participants in these systems to be thinking about fraud prevention while simultaneously thinking about getting these initiatives off the ground, as to ignore this risk increase the probability of reputational damages for the relevant parties.
Day 5: EMV in the US: Liability Shifts in 2015
October 1, 2015 represented a true watershed moment for card users in the United States in that it was the date on which a true liability shift occurred between merchants and issuers with regard to who relies on the weakest system. This date represents the first step in making PANs more difficult to hack by the bad guys. Is Chip & Signature perfect? No. Is the US moving rapidly enough down this path? Also no. But in general, the hacks will become more sophisticated, more focused on Card-Not-Present transactions instead of Point-of-Sale-focused ones, and will result in yet further confusion among the general public until people begin to understand these nuances. Nonetheless, having the US move to a chip-based system will help reduce fraud over time (or at least shift it to new arenas) and hopefully help to ensure that card users will transact with increased confidence over time.
Day 4: Bitcoin: Commodity vs. Currency
The regulators deserve tremendous credit for using 2015 to get in front of cryptocurrencies in a proactive and positive manner. The result was the bringing together of different parts of this diverse community and attempting to pull together regulations that enable usage and innovation – while still protecting the poor souls who will inevitably get involved in domains that they simply don’t understand or have no business being involved in. No, it’s not perfect and yes the regulatoryapproaches will likely change many more times in the coming years, but 2015 will go down as the year the regulators opened up these systems to wider usage in a safe manner by helping to classify and categorize them, something that will benefit many more people than these currencies currently do.
Day 3: Flash Crash: Navinder Singh Sarao
The revelation about Navinder Singh Sarao’s participation in the 2010 “Flash Crash” taught us all a lesson as to just how much havoc one individual could wreak on the stock markets. Even though he was “just a guy” supposedly operating on his own and with what appears to have been a relatively modest operation, Sarao proved that regulators and SROs still need to remain vigilant about the likelihood that our capital markets’ basic infrastructural components can be manipulated (and ultimately about their underlying resiliency). In essence, using existing commoditized trading infrastructure and approaches as a mechanism for making himself a lot of money, Sarao proved that there are still ways to manipulate the markets and cause a lot of problems – at least until he got caught.
Day 2: Certificate Authority: Symantec & Google Brush-Up
The recent arm-wrestling between these 2 technology giants hit a crescendo in the fall when Symantec admitted and then re-admitted that elements of its Certificate Authority were compromised by employees. The answers Symantec initially provided evidently didn’t sit well with Google – and presumably others – on the assumption that hacks of a massive type could be enabled through the use of faulty or untrustworthy certificates. This may seem like a boring aspect of Internet plumbing to anyone other than information security geeks, but it is in fact a critical link in the chain of trust that websites rely upon. Google has done a service to the broader community by helping Symantec reach a speedier resolution to this issue than might have happened had they been left on their own and it’s good to see both sides now cooperating.
Day 1: Anti-Bribery & Corruption: FIFA, VW, Petrobras, etc.
In the business community, 2015 will most definitely go down as the year of the corporate scandal. Perhaps not since Enron have there been takedowns and headlines of such enormous reach across the world. The VW, FIFA, and Petrobras scandals – investigations of which are all still ongoing – are perhaps best categorized as reputational risks on a national level. These scandals may impact the GDP of some of the world’s largest countries (Brazil and Germany most directly) and could cause significant corporate, domestic, and stock market losses to investors, employees, and others. Time will tell just how much impact we see based on the fines, new regulations, loss of share loss, loss of market share, lost productivity, and changes in domestic consumption.