Bank Collapse Preventable with Proper Resilience and Risk Management

In this edition of Weather the Disruption, we discuss financial institution vulnerabilities, regulatory expectations in 2023, business resiliency best practices, and how institutions can address climate change risk.

Disruptive Forces and Resulting Risks

The financial sector is interconnected and interdependent. Lack of stress testing and poor risk management presented challenges to the entire financial services industry.

Bank Collapse and Stress Testing — Silicon Valley Bank (SVB)’s strategy to generate profits quickly backfired when it fell out of compliance with key risk metrics. Due to this strategy, the bank was forced to sell securities losing $1.8 billion,¹ prompting depositor panic and bank failure. Signature Bank collapsed only two days later, making it the third largest bank failure in U.S. history².

Dodd-Frank mandates that FDIC-insured institutions must run stress tests at regular intervals. These tests are intended to simulate scenarios and market conditions that may pose a substantial risk to operations. In 2019, the minimum threshold for institutions was raised to $250B from $10B³, and midsize banks including SVB, First Republic, and Signature were no longer subject to stress-testing requirements and the reporting that accompanies them.

_{Sources:
S&P Capital IQ – Standard
Public Law 115-174 ECONOMIC GROWTH, REGULATORY RELIEF, AND CONSUMER PROTECTION ACT}

Global Regulatory and Supervisory Priorities in 2023

There have been major regulatory changes surrounding Business Resiliency recently, with more expected. Notable changes and focus areas include:

Bank of England Digital Resilience Expectations — The Bank of England has published new regulations intended to mitigate the “non-cyber” related risks associated with technology.⁴ Organizations will now be required to protect their processes and data. This framework will aid increased guidance around sectors outsourcing practices.

Hong Kong Monetary Authority Operational Resilience 2023 Priorities — The Hong Kong Monetary Authority included operational resilience enhancement⁵ on its list of work priorities for 2023, driving focus on cybersecurity and third-party risk management (including cloud service providers).

Central Bank of Ireland Financial System Focus — With ongoing financial economic uncertainty, the Central Bank of Ireland (CBI)⁶ priorities attempt to ensure that financial systems are operating in the best interest of consumers, including several priorities related to risk and resilience.

Cybersecurity

Cybersecurity preparation at financial institutions becomes more critical as recommendations shift to requirements with mandatory reporting. U.S. regulatory bodies are expected to finalize and roll out the following proposed rules in 2023:

Federal Communications Commission Data Breach Update —The Federal Communications Commission (FCC) proposed updates to its data breach rule⁷ in January 2023. The proposal includes a requirement for compromised institutions to notify customers and the FCC, Secret Service, and FBI of customer proprietary network information breaches without unreasonable delay after the discovery of such breaches.
NY Department of Financial Services (NY DFS) Amendment —The NY DFS proposed a second amendment to 23 NYCRR 500⁸: Cybersecurity Requirements for Financial Service Companies, with an expected rollout in 2023. The proposal requires covered entities to maintain a cybersecurity program and incident response plan, appoint a chief information security officer, and conduct regular penetration testing and monitoring both internally and via external independent parties, amongst other areas.
Upcoming SEC Proposed Cybersecurity Risk Management Rules —The SEC proposed rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure for Public Companies,⁹ expected to be finalized in April 2023. The proposal includes reporting requirements for material cybersecurity incidents, periodic reporting for cybersecurity policies and procedures, board oversight of cybersecurity risk, and monitoring over policies and procedures implementation.

Business Resiliency Trends and Best Practices

Here are considerations for developing and enhancing a Business Resiliency program in 2023:

Developing Resilience Culture —With Financial Institutions facing unprecedented challenges organizations must continue to be resilient. One key area is to focus on developing a resilience culture¹⁰ that assures consistency and collective responsibility, understanding Important Business Services, and developing effective communication to promote effective decision-making.
Mitigating Cloud Risks — The financial sector continues to heavily utilize and migrate to cloud-based offerings due to the clear benefits of speed, cost, scale, and resilience.  The US Department of the Treasury recently published a report¹¹ on potential risks and preventive actions that firms should consider. Financial service firms, especially, should continue to dedicate more time on limiting cloud risks as the use of cloud services continues to increase.

Resiliency in a Net-Zero World

Firms not only have to navigate a changing risk environment, but also an evolving social environment. As firms respond to environmental and social change, they must also align their resiliency programs accordingly.

Estimating Climate Risks —The International Monetary Fund proposes a three-pronged approach¹² to addressing climate risks, including: improving data and disclosure, enhancing risk analysis, and promoting policy actions that support a low-carbon transition.
Upcoming European Bank Climate-Related Regulations —Three main regulatory initiatives¹³ are expected to impact European banks in 2023, including the EU Taxonomy, the EU Sustainable Finance Disclosure Regulation, and the Climate Risk Stress Test.  The new regulations¹⁴ highlight the importance of timely and accurate disclosure of climate-related risks and opportunities to investors and stakeholders.