Welcome to the first edition of Weather the Disruption. This is a quarterly newsletter intended to highlight the importance of Business Resiliency in today’s world. Our goal is to provide global regulatory updates, industry trends, best practices, and potential threats impacting our clients and sector.
In today’s turbulent economic and geopolitically charged environment, Business Resiliency should be top of mind for financial institution leaders. As these organizations push the boundaries of innovation, regulatory agencies will follow—forcing financial institutions to reconsider their resiliency approach.
Business Resiliency is a firm’s ability to withstand, recover from, and adapt to disruptions to its operations. These disruptions can range from an economic downturn to cybersecurity issues to, perhaps most topically, global pandemics.
However, as the idea of Business Resiliency becomes more prevalent, the unpreparedness of firms has become more apparent. Less than 40% of CEOs globally say they believe they are well prepared to meet challenges posed by a major crisis related to inflation, cybersecurity, supply chain disruptions, or climate change.
There have been major regulatory changes surrounding Business Resiliency of late, with more expected:
United Kingdom: The UK is leading the global charge in the realm of Business Resiliency regulation. In March 2021, the Financial Conduct Authority published new rules and guidance surrounding the operational resiliency of UK Financial Institutions. By April of 2022, all financial services companies must have identified their essential business services and measured their impact tolerances and maximum tolerance disruptions.
United States: The UK regulatory environment serves as a basis for where US regulation is headed. In December 2021, the Financial Industry Regulatory Authority (FINRA) decided to maintain FINRA’s Rule 4370, a law that requires member firms to create, maintain, review, and update a Business Continuity Plan. In addition, the SEC is proposing similar rules to require cybersecurity policies and procedures for incident response and prevention.
Major Breaches and Disruptive Events
The past quarter has had no shortage of Business Resiliency events. Here are some examples of recent major events:
Log4j Vulnerability Log4j is a piece of software used to record activities in a wide range of systems found in consumer-facing products and services. Recently, a vulnerability was discovered and exploited by attackers. which led to widespread breaches of personal information and financial loss.
The recent Russian invasion of Ukraine produced economic shock waves felt across the global market. From skyrocketing fuel prices to supply chain disruptions to increased cybersecurity threats, businesses are scrambling to implement recovery strategies. In addition, the Baltic states have raised similar concerns due to their history of Russian occupation and subjugation.
Active Hurricane Season
Hurricane and weather-related disruptions often lead to a trail of flooding, power outages, infrastructural damage, and destruction. It is predicted that 2022 will remain an active hurricane season with financial institutions, especially those with locations in Hurricane Alley, needing to prepare for potential disruptions to sites, staff, data centers, etc.
Major Data Breach Settlement of a Large Financial Institution
A large financial institution was sued by a group of current and former clients who claimed the firm failed to safeguard their personal information. The lawsuit stemmed from two security breaches that compromised the personal information of 15 million clients. The institution recently agreed to settle the class action suit for $60 million.
Business Resiliency Trends
Here are some examples of steps firms have taken to enhance their Business Resiliency:
Digital Transformation Digital transformation that organizations are undergoing for operational improvements can also lead to fewer disruptions and faster recovery from the disruptions that do occur. The cloud allows for businesses to be more agile and adaptable with multi-cloud infrastructure necessary to maximize growth and efficiency.
Low-Code/No-Code Applications Low-code or no-code tools are a way of building applications without the need for significant lines of handwritten code. They help to strengthen operational resiliency by making developing solutions easier and able to involve more of the workforce to contribute compared to costly, complex legacy systems.
Business Resiliency Best Practices
Forward-looking financial institutions are having great success implementing these business resiliency programs:
During the COVID-19 pandemic, firms across the globe had to accommodate a mass shift to remote/hybrid work that, in turn, led to improvements to firms’ operational resilience. For example, firms with a less geographically condensed workforce are able to recover and adapt easier in times of disruption. Remote work has also forced companies to make improvements to their networks and IT infrastructure, thus reinforcing their resilience from a technological standpoint.
Identifying Essential Services
To best plan for possible operational disruptions, an organization should first determine the services that are most essential. By doing so, they are highlighting areas in which the greatest degree of harm could be inflicted. In addition, firms can identify the assets that prove critical to these essential services, and in turn, the continuity of the firm as whole.
Resiliency in a Net-Zero World
Firms not only have to navigate a changing risk environment, but also a changing social environment. As firms adapt to implement environmental and social change, they must also align their resiliency programs accordingly.
Net-Zero Banking Alliance
The Net-Zero Banking Alliance has received commitments from 103 banks across 40 countries with $68 trillion in total assets since being launched by the United Nations in April 2021. The goal of the Alliance is to support the global transition to a net-zero emissions world.
BlackRock on Climate Risk
In BlackRock’s latest proxy voting guidelines, the firm is asking companies to disclose business plans on how they will meet global net-zero goals while delivering on financial performance.
Developments in the digital world, along with new cyberthreats, have driven the US government to increase its attention on protecting essential service areas such as the financial services community.
The Security and Exchange Commission has started the process of imposing new rules on investment funds and advisors to improve cybersecurity protections, and to alert the SEC within 48 hours of a suspected hacking incident. These requirements, when enacted, will necessitate changes to existing business and communications plans, as well as potentially affecting current governance models.
NIST Report 8389
The National Institute of Standards and Technology (NIST) is also looking to protect the future of our evolving banking practices by soliciting comments in upcoming guidance in the form of NIST Report 8389, “Considerations of Open Banking Technology and Emerging Standards” focused on the new “Open Banking” financial ecosystem. This report contains a definition and description of open banking, its activities, enablers, and cybersecurity, and privacy challenges.
Special thanks to Andrew Vegliante for contributing to this article.