Weather the Disruption: Building Resilience Against Climate Change

Welcome to the Q3 2023 edition of Weather the Disruption, a quarterly newsletter intended to highlight the importance of business resiliency in today’s world. By providing global regulatory updates, industry trends, best practices, and potential threats impacting our clients and sector, we can collaboratively implement strategic measures to optimize resilience. In this edition, we discuss events relating to climate change, such as the Maui wildfires and proposed climate-related disclosures by the Federal Deposit Insurance Corporation (FDIC), to better understand how to maintain compliance with new regulations and how financial institutions can hedge their risk as climate change poses a growing threat.

 

Implementing Climate-Proof Resiliency Practices

Climate change has increased the probability of wildfires in fire-prone areas. Implementing practices to increase resiliency, decrease damage, and lower costs from natural disasters can help businesses avoid potential financial impacts and remain operational.

Recovering from Maui Fires
Vulnerable power grids, including deteriorating components and aged infrastructure, increase the risk of wildfires. Due to the fires in early August, 2023, the island of Maui, Hawaii, is estimated to face more than $5.5 billion in rebuilding costs,¹ impacting local businesses and the economy of the region.

Building Energy Resilience 
Climate change and global warming have increased natural disasters such as heatwaves, wildfires, and hurricanes, resulting in twice as many power outages from severe weather. The US Government Accountability Officer estimated weather-related power outages can cost companies and consumers billions of dollars annually. Investing in energy grid sustainability will assist businesses in being more resilient and, in turn, prevent the additional costs associated with business shutdowns and rebuilding that often come with power outages.² Investing in energy resilience remains attractive, due to:

• Share prices of companies engaged in building electric grids or with products and services tied to grid modernization have outperformed firms that are focused on renewable energy growth.
• Renewable energy generation is becoming available at a faster pace than can be channeled onto current grid networks, which often require significant upgrades and new equipment to handle large loads of electricity generated by renewable power.
• Roughly 80 million kilometers of global electric grids need to be added or refurbished by 2040 in order to integrate the planned increases in electricity generation from renewable sources. (At least 3,000 gigawatts of renewable power projects are waiting in grid connection queues, equivalent to five times the amount of solar PV and wind capacity added in 2022).³

The Banking Sector’s Investment in Net-Zero
The UN Climate Change High-Level Champion for Egypt emphasized the crucial role of the banking sector in the transition to a green economy. During the Net Zero Banking Alliance meeting, it was highlighted that banks can invest in climate projects and fulfill their net-zero commitments, as this would not only benefit economies but also engage customers in reducing emissions.⁴ Resilience is crucial, and the banking sector can significantly contribute to financing and implementing climate and development projects.

Regulatory Insight

Regulatory bodies aim to champion consumer and investor protection, fair and efficient markets, and financial stability, with an increasing focus on monitoring new technologies. 

North America (NA)

Banks to Closely Monitor Climate Impact
The Office of the Comptroller of the Currency (OCC), FDIC and The Federal Reserve Board are finalizing the Principles for Climate-Related Financial Risk Management. Banking institutions with over $100 billion in assets may soon be examined on the new requirements for identifying, assessing, measuring, and monitoring climate risk.⁵ As regulatory scrutiny increases for climate-related regulation, financial institutions must understand and implement climate risk mitigation tools as part of the risk management frameworks.

FDIC Proposal to Include Contingency Plans
The FDIC is pushing for more aggressive regional bank oversight after the failures of Signature Bank, Silicon Valley Bank, and Silvergate Bank in the spring of 2023. The new rules propose that regional banks with at least $100 billion in assets hold an additional 2% of capital for risk-weighted assets. Although this would require regional banks with $100 billion in assets to hold the same amount of capital as larger regional banks, whose assets reach up to $700 billion, the FDIC believes this new regulation will allow financial institutions to better hedge against recession.⁶ Though the volatility in the financial industry is unpredictable, financial institutions can take proper precautions to prevent major disruptions. Understanding new regulations prior to implementation will aid financial institutions in remaining compliant in a challenging environment.

Europe, the Middle East, and Africa (EMEA)

DORA in European Union (EU)
The Digital Operational Resilience Act (DORA) is a newly implemented European Union (EU) Regulation, effective from January 2023. This regulation aims at enhancing the digital resilience of the European financial market by creating a consistent regulatory requirement across the EU. The primary objective is to ensure that financial market participants can maintain safe and reliable operations, even in the face of significant disruptions in information and communication technology (ICT). Companies have until January 2025 to achieve full compliance with DORA. 

Increased obligations related to DORA include five main areas: ICT Risk Management, ICT-Related Incident Management, Reporting, Digital Operational Resilience Testing, and Information Sharing. There is a focus on the managing of ICT third-party risk in the information-sharing arrangements, classifying incidents according to certain criteria, and ensuring there is reporting of incidents to the relevant parties to enhance information sharing with regulators and other companies. 

Asia-Pacific (APAC)

Stricter Guidelines in the Philippines
Bangko Sentral ng Pilipinas (BSP), the central bank of the Philippines, is finalizing guidelines to strengthen the resilience of the financial institutions it supervises (BSP-Supervised Financial Institutions, or BSFIs). BSP’s goal in implementing the guidelines is to strengthen BSFIs in case of shocks, such as the COVID-19 pandemic, economic recession, or cyberattacks. Because of the Philippine economy's growth and resilience in recent years, the BSP wants to ensure BSFIs can continue to help foster growth and mitigate economic risk in the country.⁷ Financial Institutions operating in the Philippines can consider adopting guidelines to remain resilient and stay competitive in the industry, and non-Philippine institutions can consider how the Philippine economy’s growth can impact their business.
 
APRA Launches New CPS 230 Operational Risk Management Standard 
The Australian Prudential Regulation Authority (APRA) issued a new standard—CPS 230 Operational Risk Management—to direct how regulated entities manage operational risks and disruptions. The key requirements include identifying, assessing, and managing operational risks; delivering critical operations within tolerance levels through severe disruptions and with a credible business continuity plan; and effectively managing risks associated with service providers, having a comprehensive service provider management policy, and robust monitoring. The boards of every APRA-regulated entity will oversee the entity’s operational risk management. Regulated entities have until July 1, 2025, to comply.⁸

 

Major Breaches and Disruptive Events

Here are some recent major events that have disrupted the industry this quarter.

Israel-Hamas War
Following Hamas’ attack on thousands of Israeli civilians on October 7, Israel and Hamas have engaged in a war in the Gaza Strip. The ongoing conflict could potentially extend to the wider Middle East region, such as the Lebanese militant group, Hezbollah.⁹ Oil prices rose about 6% since October 7, and economists warn consumers of even higher oil prices if the conflict were to expand beyond the Gaza Strip.¹⁰ Airline and technology businesses also blame the conflict for lower profits from this past quarter, specifically naming reduced travel to the region and reduced advertising spending as reasons for lower margins.¹¹

Kroll Inc. Cyberattack
Kroll Inc., the claims assessment firm responsible for BlockFi, FTX, and Genesis Global Holdco’s bankruptcy cases, experienced a cyberattack around August 19. Through SIM-swapping, the hackers breached Kroll’s cloud-based systems and gained access to the data of 717 Genesis Global claimants, which included claims information, names, telephone numbers, and email and physical addresses.¹²

Caesars Entertainment Pays Hackers’ Ransom
Caesars Entertainment paid half of a $30 million ransom demanded by hackers using a social-engineering scheme. The hackers posed as Caesars employees who forgot their passwords and needed access to their company account, which compromised data belonging to those in Caesars’ loyalty program. Similarly, MGM Resorts and a variety of other businesses on the Las Vegas Strip, immediately shut down operations, including slot machines, sports-betting kiosks, digital hotel-room keys, and online reservations and check-ins.¹³

Largest Cryptocurrency Hack
Mixin, a Hong Kong company that is recognized as a network for transferring digital assets, experienced what researchers argue is the largest cryptocurrency attack of 2023.¹⁴ Mixin lost $200 million in assets and funds in the September attack. As a result, it has stopped allowing users to withdraw their funds from the network. Transfers were not affected, and the services re-opened once the areas of vulnerability were fixed.

 

Business Resiliency Trends and Best Practices

Here are considerations for business resiliency program structuring and enhancements to make in 2024: 

FDIC Risk Review Trends
The FDIC’s 2023 Risk Review demonstrates the banking industry remained resilient, consistently adapting to changing conditions, with net income for the first quarter of 2023 remaining high.¹⁵ The report underscores the importance of aligning best practices with the FDIC’s findings, especially regarding potential challenges in bank loan portfolios and heightened operational risk, including cybersecurity. Banks must continue to remain vigilant in addressing evolving risks to ensure continued stability and growth. FDIC included these key risks: 

Operational Risk — Operational risks, including cybersecurity risks and risks related to illicit financial activity, remained elevated across the banking industry.

Climate-Related Financial Risk — Climate-related financial risk includes physical risk and transition risk. The Risk Review is a retrospective look at risks, and the discussion in this section focuses on physical risk from severe weather and climate events.

Crypto-Asset Risk — Crypto-assets present novel and complex risks that are difficult to fully assess.

Continued Cyber Risk Assessments for Existing Vendors
Financial Institutions at a high rate conduct cyber risk assessments for new vendors (90%) when they first onboard, but that drops to 79% when asked about periodic monitoring and evaluation of existing vendors.¹⁶ Financial institutions in EMEA have shown improvement in monitoring existing vendors, which may be explained by complying with DORA’s requirement for contract inclusion about monitoring vendor’s performance on cybersecurity. As a best practice, it is important to continue monitoring vendor’s performance periodically to ensure no downstream impacts for any cyber incidents will impact your company.