By Jonathan Shiery, Hoan Wagner
Welcome to the Q3 2023 edition of Weather the Disruption, a quarterly newsletter intended to highlight the importance of business resiliency in today’s world. By providing global regulatory updates, industry trends, best practices, and potential threats impacting our clients and sector, we can collaboratively implement strategic measures to optimize resilience. In this edition, we discuss events relating to climate change, such as the Maui wildfires and proposed climate-related disclosures by the Federal Deposit Insurance Corporation (FDIC), to better understand how to maintain compliance with new regulations and how financial institutions can hedge their risk as climate change poses a growing threat.
Climate change has increased the probability of wildfires in fire-prone areas. Implementing practices to increase resiliency, decrease damage, and lower costs from natural disasters can help businesses avoid potential financial impacts and remain operational.
Recovering from Maui Fires
Vulnerable power grids, including deteriorating components and aged infrastructure, increase the risk of wildfires. Due to the fires in early August, 2023, the island of Maui, Hawaii, is estimated to face more than $5.5 billion in rebuilding costs,1 impacting local businesses and the economy of the region.
Building Energy Resilience
Climate change and global warming have increased natural disasters such as heatwaves, wildfires, and hurricanes, resulting in twice as many power outages from severe weather. The US Government Accountability Officer estimated weather-related power outages can cost companies and consumers billions of dollars annually. Investing in energy grid sustainability will assist businesses in being more resilient and, in turn, prevent the additional costs associated with business shutdowns and rebuilding that often come with power outages.2 Investing in energy resilience remains attractive, due to:
The Banking Sector’s Investment in Net-Zero
The UN Climate Change High-Level Champion for Egypt emphasized the crucial role of the banking sector in the transition to a green economy. During the Net Zero Banking Alliance meeting, it was highlighted that banks can invest in climate projects and fulfill their net-zero commitments, as this would not only benefit economies but also engage customers in reducing emissions.4 Resilience is crucial, and the banking sector can significantly contribute to financing and implementing climate and development projects.
Regulatory bodies aim to champion consumer and investor protection, fair and efficient markets, and financial stability, with an increasing focus on monitoring new technologies.
Stricter Guidelines in the Philippines
Bangko Sentral ng Pilipinas (BSP), the central bank of the Philippines, is finalizing guidelines to strengthen the resilience of the financial institutions it supervises (BSP-Supervised Financial Institutions, or BSFIs). BSP’s goal in implementing the guidelines is to strengthen BSFIs in case of shocks, such as the COVID-19 pandemic, economic recession, or cyberattacks. Because of the Philippine economy's growth and resilience in recent years, the BSP wants to ensure BSFIs can continue to help foster growth and mitigate economic risk in the country.7 Financial Institutions operating in the Philippines can consider adopting guidelines to remain resilient and stay competitive in the industry, and non-Philippine institutions can consider how the Philippine economy’s growth can impact their business.
APRA Launches New CPS 230 Operational Risk Management Standard
The Australian Prudential Regulation Authority (APRA) issued a new standard—CPS 230 Operational Risk Management—to direct how regulated entities manage operational risks and disruptions. The key requirements include identifying, assessing, and managing operational risks; delivering critical operations within tolerance levels through severe disruptions and with a credible business continuity plan; and effectively managing risks associated with service providers, having a comprehensive service provider management policy, and robust monitoring. The boards of every APRA-regulated entity will oversee the entity’s operational risk management. Regulated entities have until July 1, 2025, to comply.8
Major Breaches and Disruptive Events
Here are some recent major events that have disrupted the industry this quarter.
Following Hamas’ attack on thousands of Israeli civilians on October 7, Israel and Hamas have engaged in a war in the Gaza Strip. The ongoing conflict could potentially extend to the wider Middle East region, such as the Lebanese militant group, Hezbollah.9 Oil prices rose about 6% since October 7, and economists warn consumers of even higher oil prices if the conflict were to expand beyond the Gaza Strip.10 Airline and technology businesses also blame the conflict for lower profits from this past quarter, specifically naming reduced travel to the region and reduced advertising spending as reasons for lower margins.11
Kroll Inc. Cyberattack
Kroll Inc., the claims assessment firm responsible for BlockFi, FTX, and Genesis Global Holdco’s bankruptcy cases, experienced a cyberattack around August 19. Through SIM-swapping, the hackers breached Kroll’s cloud-based systems and gained access to the data of 717 Genesis Global claimants, which included claims information, names, telephone numbers, and email and physical addresses.12
Caesars Entertainment Pays Hackers’ Ransom
Caesars Entertainment paid half of a $30 million ransom demanded by hackers using a social-engineering scheme. The hackers posed as Caesars employees who forgot their passwords and needed access to their company account, which compromised data belonging to those in Caesars’ loyalty program. Similarly, MGM Resorts and a variety of other businesses on the Las Vegas Strip, immediately shut down operations, including slot machines, sports-betting kiosks, digital hotel-room keys, and online reservations and check-ins.13
Largest Cryptocurrency Hack
Mixin, a Hong Kong company that is recognized as a network for transferring digital assets, experienced what researchers argue is the largest cryptocurrency attack of 2023.14 Mixin lost $200 million in assets and funds in the September attack. As a result, it has stopped allowing users to withdraw their funds from the network. Transfers were not affected, and the services re-opened once the areas of vulnerability were fixed.
Here are considerations for business resiliency program structuring and enhancements to make in 2024:
FDIC Risk Review Trends
The FDIC’s 2023 Risk Review demonstrates the banking industry remained resilient, consistently adapting to changing conditions, with net income for the first quarter of 2023 remaining high.15 The report underscores the importance of aligning best practices with the FDIC’s findings, especially regarding potential challenges in bank loan portfolios and heightened operational risk, including cybersecurity. Banks must continue to remain vigilant in addressing evolving risks to ensure continued stability and growth. FDIC included these key risks:
Operational Risk — Operational risks, including cybersecurity risks and risks related to illicit financial activity, remained elevated across the banking industry.
Climate-Related Financial Risk — Climate-related financial risk includes physical risk and transition risk. The Risk Review is a retrospective look at risks, and the discussion in this section focuses on physical risk from severe weather and climate events.
Crypto-Asset Risk — Crypto-assets present novel and complex risks that are difficult to fully assess.
Continued Cyber Risk Assessments for Existing Vendors
Financial Institutions at a high rate conduct cyber risk assessments for new vendors (90%) when they first onboard, but that drops to 79% when asked about periodic monitoring and evaluation of existing vendors.16 Financial institutions in EMEA have shown improvement in monitoring existing vendors, which may be explained by complying with DORA’s requirement for contract inclusion about monitoring vendor’s performance on cybersecurity. As a best practice, it is important to continue monitoring vendor’s performance periodically to ensure no downstream impacts for any cyber incidents will impact your company.
This article is authored by Jonathan Shiery, Hoan Wagner and Chris Chen with contributions from Devinne Cook, Melany Farinango, and Jordan Leder.
Complexity demands a trusted guide with the unique expertise and cross-sector versatility to deliver unwavering success. We work with organizations across regulated commercial and public sectors to catalyze transformation and pioneer new directions for the future.