Monday, September 30, 2019 - International Association of ...€¦ · Monday, September 30, 2019...

P a g e | 1

____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP)

Monday, September 30, 2019 Top 10 risk and compliance related news stories and world events that (for

better or for worse) shaped the week's agenda, and what is next

Dear members and friends, Sun Tzu has said that supreme excellence consists in breaking the enemy's resistance without fighting. Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win. The genesis of the Defense Advanced Research Projects Agency (DARPA) dates to the launch of Sputnik in 1957, and the commitment by the United States that, from that time forward, it would be the initiator and not the victim of strategic technological surprises. DAPRA’s Semantic Forensics (SemaFor) program develops technologies to automatically detect, attribute, and characterize falsified multi-modal media assets (text, audio, image, video) to defend against large-scale, automated disinformation attacks. According to the program, statistical detection techniques have been successful, but media generation and manipulation technology is advancing rapidly. Purely statistical detection methods are quickly becoming insufficient for detecting falsified media assets. Detection techniques that rely on statistical fingerprints can often be fooled with limited additional resources (algorithm development, data, or compute). Existing automated media generation and manipulation algorithms are heavily reliant on purely data driven approaches and are prone to making semantic errors. For example, generative adversarial network (GAN) generated faces may have semantic inconsistencies such as mismatched earrings. These semantic failures provide an opportunity for defenders to gain an

P a g e | 2


asymmetric advantage. A comprehensive suite of semantic inconsistency detectors would dramatically increase the burden on media falsifiers, requiring the creators of falsified media to get every semantic detail correct, while defenders only need to find one, or a very few, inconsistencies. SemaFor seeks to develop innovative semantic technologies for analyzing media. Semantic detection algorithms will determine if media is generated or manipulated. Attribution algorithms will infer if media originates from a particular organization or individual. Characterization algorithms will reason about whether media was generated or manipulated for malicious purposes. These SemaFor technologies will help identify, deter, and understand adversary disinformation campaigns. Read more at number 10 below. Welcome to the Top 10 list. Best regards,

George Lekatis President of the IARCP 1200 G Street NW Suite 800, Washington DC 20005, USA Tel: (202) 449-9750 Email: [email protected] Web: www.risk-compliance-association.com HQ: 1220 N. Market Street Suite 804, Wilmington DE 19801, USA Tel: (302) 342-8828

mailto:[email protected]

http://www.risk-compliance-association.com/

P a g e | 3


Number 1 (Page 8)

Low for long - causes and consequences Lars Rohde, Governor of the National Bank of Denmark, at the CFA Society Denmark 1st Nordic Investment Conference, Copenhagen, 19 September 2019.

“The term "historically low" has been used many times to describe interest rates in recent years. In Denmark, the key monetary policy rate has been negative since 2012 except for a few months. At the latest auction, yields on government bonds and T-bills fell into negative territory for all maturities. Recently there have even been cases where new homeowners have received payments when taking out mortgage credit loans – that is, financing costs including fees have been negative. A robust economy and sound economic policy is part of the explanation.”

Number 2 (Page 11)

The cyber threat to Universities Assessing the cyber security threat to UK Universities

This paper aims to provide a short assessment of the current cyber security threat to UK universities and academia. This information will be of interest to all academic and non-academic staff. It will be particularly relevant to senior leaders in universities and research institutions, members of university councils and those engaged in research. In the paper, we consider who is targeting the sector and why their attacks may be successful. We also provide a forward look on the threat.

P a g e | 4


Number 3 (Page 14)

Braided Bread and Boiled Beer: Remarks before the Eurofi SEC Commissioner Hester Peirce, Financial Forum 2019, Helsinki, Finland

“My grandmother’s parents made their way from Finland to the United States and eventually settled in Fitchburg, Massachusetts, a community that was home to many other Finns who also had made the journey. My father has a lot of wonderful stories from this part of the family, and I still regularly make braided Finnish coffee bread from a family recipe.”

Number 4 (Page 19)

What economic sovereignty for Europe? Facing the threats with lucidity, and boldly seizing an opportunity Inaugural lesson by Mr François Villeroy de Galhau, Governor of the Bank of France, at the Paris School of International Affairs, Sciences Po Paris, Paris.

“The decision to switch from diplomats to a central banker such as myself perhaps sends out three signals. First, rarely have geopolitics and economics been so closely intertwined. Faced with the rise in protectionist tensions and the verbal volleys, which unfortunately intensified again this summer, some even say that economic interdependence – the “sweet ties of commerce” praised by Montesquieu – is the only thing still shielding us from military conflict. Conversely, rarely has a global economic slowdown been so clearly attributable to political causes: nearly everywhere, public policy instability and uncertainty are on the rise and are damaging private sector confidence; I shall come back to this.”

P a g e | 5


Number 5 (Page 21)

EIOPA calls for a sound cyber resilience framework

The European Insurance and Occupational Pensions Authority (EIOPA) has published the report on "Cyber Risk for Insurers – Challenges and Opportunities".

Number 6 (Page 24)

EIOPA establishes Consultative Expert Group on Digital Ethics in Insurance

The European Insurance and Occupational Pensions Authority (EIOPA) established today its Consultative Expert Group on Digital Ethics in Insurance. As a follow-up of its recent thematic review on the use of Big Data Analytics (BDA) in motor and health insurance, EIOPA established a Consultative Expert Group to assist the Authority in the development of digital responsibility principles in insurance.

Number 7 (Page 26)

Opening remarks - ASEAN Banking Cybersecurity Conference 2019 Opening remarks by Dr Veerathai Santiprabhob, Governor of the Bank of Thailand, at the ASEAN Banking Cybersecurity Conference 2019, Bangkok.

P a g e | 6


“The banking industry, too, is undergoing massive digitalization, from the user-facing tools like mobile banking apps to backend infrastructure and essentially everything in between. These developments are the key drivers behind the convenience and productivity that we all enjoy today.”

Number 8 (Page 28)

Improving strategic communications terminology Published by the NATO Strategic Communications Centre of Excellence

The world is experiencing political turbulence. Buzzwords hijack political discourse, preventing, rather than enabling, meaningful critique and discussion.

Number 9 (Page 30)

Hong Kong as a risk management hub Welcoming remarks and keynote speech by Mr Norman T L Chan, Chief Executive of the Hong Kong Monetary Authority, at the Treasury Markets Summit 2019, Hong Kong.

“About 15 years ago, a senior banker suggested to me that, in order to further promote Hong Kong's position as an international financial centre (IFC), we should turn Hong Kong into a "risk management hub" in Asia. However, he did not elaborate further at the time on exactly what he meant and how this could be achieved. To be honest, it was not clear to me then what this risk management hub idea was all about.”

P a g e | 7


Number 10 (Page 32)

Uncovering the Who, Why, and How Behind Manipulated Media Program seeks to develop technologies capable of automating the detection, attribution, and characterization of falsified media assets

The threat of manipulated multi-modal media – which includes audio, images, video, and text – is increasing as automated manipulation technologies become more accessible, and social media continues to provide a ripe environment for viral content sharing. The creators of convincing media manipulations are no longer limited to groups with significant resources and expertise. Today, an individual content creator has access to capabilities that could enable the development of an altered media asset that creates a believable, but falsified, interaction or scene.

P a g e | 8


Number 1

Low for long - causes and consequences Lars Rohde, Governor of the National Bank of Denmark, at the CFA Society Denmark 1st Nordic Investment Conference, Copenhagen, 19 September 2019.

Thank you for inviting med to speak here today.

The term "historically low" has been used many times to describe interest rates in recent years. In Denmark, the key monetary policy rate has been negative since 2012 except for a few months. At the latest auction, yields on government bonds and T-bills fell into negative territory for all maturities. Recently there have even been cases where new homeowners have received payments when taking out mortgage credit loans – that is, financing costs including fees have been negative. A robust economy and sound economic policy is part of the explanation. This has turned Denmark into an attractive destination for international investors in periods of high market uncertainty. This is not the whole story though. The declining trend in interest rates is a global phenomenon and

P a g e | 9


structural in nature. Interest rates in Denmark mirror interest rate developments abroad. This is a consequence of free international capital flows and the fixed exchange rate policy.

(Graph 3 – Actual and natural real interest rates). Nominal rates are low, partly due to the fact that inflation is low. However, real interest rates are also low. The estimation of the natural real interest rate - called r* (r star) - is currently a hot topic. r* is the real interest rate level that brings actual economic activity in line with potential economic activity. r* is not directly observable and can only be estimated with some uncertainty. However, it is relatively well established in the literature, that r* has followed a declining trend over the past couple of decades. Our estimate of r* in Denmark shows a decline since the mid-1990s by approximately 4 percentage points. This suggests that r* became negative during the financial crisis. It has remained substantially below the pre-crisis level ever since. Although estimates of r* is surrounded by a high degree of uncertainty, it is our assessment that r* will likely remain low in the coming years and perhaps decline even further. This assessment builds on some of the structural drivers of the decline in r*. There are several reasons for the decline and these are global in nature. One of the most important reasons is the decline in global structural growth due to only moderate productivity growth.

P a g e | 10


Add to this the fact that we are faced with a global savings glut. A continuous decline in the real interest rate has been necessary to make the investment opportunities at hand profitable. A large share of savings is concentrated among the richest people in the US, China and Japan. In the last decade, households in countries like China have increased their demand for financial assets. This has happened as the economy has grown, the population has aged, and demand for financial selfinsurance has increased. Moreover, demographic changes have also played an important role for American and European households. In a world with rising life expectancy, households tend to increase demand for savings as they face prospects of a longer life. In our recent study on r*, we showed that savings in emerging market economies – predominantly China - and the ongoing demographic transition in the euro area have been important drivers of the large drop in r* in Denmark. Since the demographic transition is far from over yet, there is no reason to believe that a "normal situation" would imply a much higher level of r* in the coming years. To read more: https://www.bis.org/review/r190919i.pdf

https://www.bis.org/review/r190919i.pdf

P a g e | 11


Number 2

The cyber threat to Universities Assessing the cyber security threat to UK Universities

Introduction This paper aims to provide a short assessment of the current cyber security threat to UK universities and academia. This information will be of interest to all academic and non-academic staff. It will be particularly relevant to senior leaders in universities and research institutions, members of university councils and those engaged in research. In the paper, we consider who is targeting the sector and why their attacks may be successful. We also provide a forward look on the threat. The threat posed to the university sector sits within the broader context of the threat to the UK as a whole. Over the past two years, the UK government has attributed state-sponsored malicious cyber activity against the UK to Russia, China, North Korea and Iran. There is also a serious and sustained threat to the UK from organised cyber crime.

Key judgements 1. The key cyber threats to UK universities are highly likely to be: - Criminals seeking financial gain - Nation states looking to steal personal data and intellectual property, for strategic advantage 2. Cyber crime will probably present the most evident and disruptive difficulties for universities. However, State-sponsored espionage is likely cause greater long-term damage. 3. Likely effects of state espionage include: - Damage to the value of research, notably in STEM subjects - A fall in investment by public or private sector in affected universities

P a g e | 12


- Damage to the UK’s knowledge advantage 4. If foreign direct investment were to come under greater scrutiny or restriction, it is a realistic possibility that the cyber threat to universities would increase, as nation states sought alternative ways to gain access to sensitive research and intellectual property.

Why are universities targeted, and by whom? Universities are key contributors to the economy, skills development and innovation in the UK. In doing this, they handle personal and research data, intellectual property and other assets, each of which has significant value to others. It is almost certain that state-sponsored actors are looking to steal data and information for strategic gain. Meanwhile, cyber criminals seek to commit fraud, or monetise stolen material through sale or ransom. Once access is gained, it is highly likely that both types of attacker will exploit facilities such as compromised email accounts, to further penetrate university systems.

State-sponsored actors While it is highly likely that cyber crime will present the most evident difficulties for universities, state-sponsored espionage will likely cause greater long-term damage. This is particularly true for those universities which prize innovation and research partnerships. This damage will extend to the UK’s larger national interest and to those researchers whose work may give others the chance to 'publish first'. Nation states almost certainly target universities for the data and information they hold. Cyber offers a deniable route to obtain information that is otherwise unavailable to them. It is likely exploited instead of, or in conjunction with, traditional routes to gain access to research, such as partnering, ‘seconded students’, or direct investment. Awareness of the risks associated with international collaboration and overseas funding are variable between universities, as is the level of scrutiny applied to investment opportunities.

Types of data targeted The kinds of data and information of interest to a nation state may be:

P a g e | 13


- emails - bulk personal information on staff and students - technical resources (e.g. documentation and standards) - sensitive research and intellectual property The use of this data is varied, but will meet a wide range of state requirements. Examples include commercial advantage for the nation’s companies, advancing equivalent research efforts, military or security apparatus. Sensitive research may be targeted for its defence or commercial value, and its loss is likely the most detrimental of all to both the affected university and to the UK as a whole. Likely effects include damage to the value of impacted research and intellectual property for both individual researchers and the institution. The attractiveness, relevance and value of an impacted university as an investment partner will also be negatively affected. And at a wider scale, the knowledge advantage of the UK will suffer. Although espionage can cause long-term damage, it's highly likely that UK universities are targeted to advantage the nation states themselves, rather than to harm the UK. To read more: https://www.ncsc.gov.uk/report/the-cyber-threat-to-universities

https://www.ncsc.gov.uk/report/the-cyber-threat-to-universities

P a g e | 14


Number 3

Braided Bread and Boiled Beer: Remarks before the Eurofi SEC Commissioner Hester Peirce, Financial Forum 2019, Helsinki, Finland

Thank you for the opportunity to address you today. It is a particular pleasure for me to be here in Helsinki as I have Finnish ancestry. My grandmother’s parents made their way from Finland to the United States and eventually settled in Fitchburg, Massachusetts, a community that was home to many other Finns who also had made the journey. My father has a lot of wonderful stories from this part of the family, and I still regularly make braided Finnish coffee bread from a family recipe. That bread features cardamom seed, something I am able to buy in my local Indian grocery store. It must have been harder to come by that southern Indian spice at the time that my ancestors were baking here in Finland. Thus, as I braid the Finnish bread, I can revel in the richness brought to our lives by the amazing way our markets are similarly braided together across national borders. The value of this interconnection is an important lesson for us to bear in mind as we talk about financial markets and how to regulate them. Financial markets, including derivatives markets, play a central role in uniting the global marketplace. Before I go any further, I must give my standard disclaimer: the views I express are my own and do not necessarily reflect the views of the U.S. Securities and Exchange Commission or my fellow Commissioners. Although we often think about our national financial markets as distinct and each certainly has its own characteristics, we share an integrated, international financial market. This market, when working properly, sends capital to its most efficient use and shifts risks to those most able to bear them, regardless of location. We must work together to be good stewards of our shared financial marketplace. There are a number of things regulatory caretakers of the global derivatives markets can do.

P a g e | 15


First, we should recognize appropriate jurisdictional limitations. We all make choices about how to protect investors and other market participants in transactions that occur within our borders. Second, regulators should make accommodations to allow foreign firms to compete in their markets. Third, we should eliminate immaterial but market-fragmenting differences in our rules. Fourth, mutual recognition is valuable. Our rules need not be identical to achieve nearly identical objectives. In fact, a diversity of approaches can be healthy; if one regulator’s approach engenders problems within its limited jurisdiction, the consequences will be less severe than they would have been if a single regulatory approach governed everyone everywhere. Regulators around the world have implemented reforms in response to a shared post-crisis commitment to financial stability, but these reforms have sometimes produced results that are inconsistent with the equally important shared commitment to a unified, well-functioning financial system. Sometimes regulatory obligations are so onerous that firms take steps to avoid being subject to them. For example, in an appendix to a recent IOSCO report on market fragmentation, the Commodity Futures Trading Commission described how policy choices led to fragmentation “into separate trading and liquidity pools: those in which U.S. persons participate and those in which U.S. persons are shunned.” In other instances, fragmentation is a result of seemingly small regulatory differences that seem not to have any obvious justification. For example, in a recent white paper, ISDA pointed to different data and reporting requirements as a source of fragmentation. In some cases, regulators have built unnecessary barriers to their own markets by dismissing the approaches taken by their fellow regulators as inadequate. The preference for one’s own approach and suspicion of the approaches taken by others is not unique to our area of financial regulation. I am reminded again of my Finnish family. My father remembers the smell of beer as it simmered on the stove in his grandparents’ house; his great aunt preferred her beer warm, perhaps a habit carried over from Finland. I am not a beer drinker, but a frequent response when I tell others of my great great aunt’s preference for warm beer is “That’s just wrong!” Maybe it is wrong for some people, but it seemed to work for her.

P a g e | 16


We should be wary of our own tendency to condemn other regulators’ approaches as “just wrong” simply because they do not suit our own preferences. As long as nobody is forcing you to drink warm beer, you should not worry about the fact that someone else is not drinking her beer at your preferred temperature. I understand that Mr. Himino of the JFSA touched on these themes in his panel remarks on Wednesday, and I wholeheartedly endorse his insistence that we confront and address unintended negative consequences of difference in our regulations. Avoiding fragmentation both domestically and abroad is one theme that is guiding our efforts at the SEC as we finalize the framework for security-based swaps. In the United States, regulatory authority over the derivatives markets resides at multiple regulators, including the SEC, Commodity Futures Trading Commission, and the banking regulators. The SEC—with the benefit of the insights of the CFTC, including Commissioner Brian Quintenz from whom you heard earlier this week—recently finalized our rules on capital, margin, and segregation for security-based swap dealers. I expect that we will soon release final rules on security-based swap dealer recordkeeping and reporting. We also are working on finalizing some changes to and guidance for our cross-border rules with the help of comments we received on a proposal that came out earlier this year. These changes are designed to allow firms to serve clients effectively across borders without compromising investor and market protection. At the same time, we are trying to be more sensitive to the potential distortions that can arise when we impose requirements on transactions that technically occur within our borders but involve two counterparties outside those borders. In all of these rulemakings, we have worked closely with the CFTC to harmonize our rules, and where harmonization is not possible, to reduce the differences. We are now entering another stage in our implementation process, a stage where it is important for us to work, and to work efficiently and diligently, with our international regulatory counterparts. Once the two remaining pieces of our rulebook that I just described are finalized, the clock for registration will begin running. Depending on when we complete these rules, security-based swap dealers may be required to register with us as early as the second half of 2021. To help firms make decisions about registration and about how to structure their businesses, it is critical that we provide clarity to firms as soon as

P a g e | 17


possible whether substituted compliance will be available and, if so, for what requirements. Accordingly, when the Commission proposed its cross-border amendments in May of this year, we announced that we were inviting our counterparts to talk with us as soon as possible about substituted compliance for one or more of our rules. We are eager to hear about what kind of relief firms will need. As we begin this process, I want to assure other regulators that I will be advocating for an approach to substituted compliance that respects both our different approaches and our shared objectives. Substituted compliance determinations will not be based on rule-by-rule assessments of foreign regulatory regimes, but on a broader look at whether the alternate regime achieves the same objectives as ours, even if it does so differently. Being able to defer to our regulatory counterparts can strengthen our respective regulatory frameworks and our markets, as it not only lowers burdens for the firms we regulate but also allows each of us to focus our limited supervision, examination, and enforcement resources on the firms that are most active in our markets. I hope that the SEC can play an important role in proving that a technical, outcomes-based, non-political approach to these determinations can work in these markets. I am not saying that the work will be easy, which is why we have already begun and must work diligently. We may receive requests from several jurisdictions, and conducting the legal analysis to make a comparability determination will take time and staff resources. Our staff will have to understand other jurisdictions’ regulatory objectives, legal requirements, and approaches to examination and enforcement. Preparing these applications will take time, and it will take time for us to review them. We also will need to enter into a memorandum of understanding with each jurisdiction that receives a comparability determination. I am optimistic that the SEC staff will be able to complete this work quickly; indeed, conversations are already underway. If you have not yet reached out to us, now is the time to do so. Time is of the essence. Shared concern for global derivatives markets serves not only to help those markets function well, but to deepen cross-border relationships. I know that we will learn much from each other in the process and expect that the end result will be a system in which we all work together—each within our own jurisdiction—to achieve the goal of a shared financial market that is

P a g e | 18


robust and focused on facilitating, not undermining, the broader economy. I thank you for the chance to be here with you in Europe and welcome those of you who find your way to the United States to stop by for a visit. I might even serve you some braided Finnish bread, but, rest assured, I will not be serving boiled beer.

P a g e | 19


Number 4

What economic sovereignty for Europe? Facing the threats with lucidity, and boldly seizing an opportunity Inaugural lesson by Mr François Villeroy de Galhau, Governor of the Bank of France, at the Paris School of International Affairs, Sciences Po Paris, Paris.

Mr Director, Dean (dear Enrico), Ladies and gentlemen, teachers, dear students, It gives me great pleasure to speak before you today. I follow in the footsteps of several Ministers of Foreign Affairs, including Jean-Yves Le Drian and Nathalie Loiseau. Caro Enrico, thank you for your invitation, knowing this makes me feel all the more grateful and honoured! The decision to switch from diplomats to a central banker such as myself perhaps sends out three signals. First, rarely have geopolitics and economics been so closely intertwined. Faced with the rise in protectionist tensions and the verbal volleys, which unfortunately intensified again this summer, some even say that economic interdependence – the “sweet ties of commerce” praised by Montesquieu – is the only thing still shielding us from military conflict. Conversely, rarely has a global economic slowdown been so clearly attributable to political causes: nearly everywhere, public policy instability and uncertainty are on the rise and are damaging private sector confidence; I shall come back to this. Second signal: rarely have central banks been called upon to do so much. I’m not going to bore you with a lesson on the technical delights and subtleties of monetary policy. Let’s just say that we have a central mandate – price stability – and a main instrument for achieving this – the short-term interest rate.

P a g e | 20


But for the past ten years, since the great financial crisis, we have been using new instruments: quantitative easing (QE), forward guidancei and even negative rates. These non-standard policies have been effective; but they can also create the – mistaken – illusion that monetary policy is omnipotent. Third signal: rarely has Europe appeared so necessary and at the same time so divided. I am a French and European official, I was in Maastricht 28 years ago to launch the euro; every two weeks I take part in meetings of the ECB Governing Council which manages the currency. I stand by this conviction in Europe and in the belief that the joint work carried out by France and Germany is an indispensable driver, even if it is not enough. Nearly 30 years ago, the fall of the Berlin Wall injected new impetus into the construction of Europe. Today, Europe is turning in on itself, is on the defensive. Yet it is vital that it make itself heard in the face of the threats that it is facing, and that it do so with one voice if it doesn’t want to be inaudible. But beyond the threats, and at the risk of sounding paradoxical and even a little provocative, I would like to present you with an opportunity: in the current crisis of globalisation, Europe doesn’t need to keep its head down; it should assert and propose a model – its own social, environmental and mutilateral model. I propose that we do this in the spirit of Stefan Zweig, who as early as 1934, admirably described the state of mind of the great European Erasmus of Rotterdam: “Instead of listening to the vainglorious claims of petty princelings, of fantastical sectarians and of national egoists, the mission of the European is on the contrary to emphasise that which unites the peoples”. To read more: https://www.bis.org/review/r190919n.pdf

https://www.bis.org/review/r190919n.pdf

P a g e | 21


Number 5

EIOPA calls for a sound cyber resilience framework

The European Insurance and Occupational Pensions Authority (EIOPA) has published the report on "Cyber Risk for Insurers – Challenges and Opportunities". The increasing frequency and sophistication of cyber attacks, the fast digital transformation and the increased use of big data and cloud computing make insurers increasingly susceptible to cyber threats, in particular considering the amount of confidential policyholder information insurers are possessing. This calls for a sound cyber resilience framework for insurers. On the other hand, the digital economy and the advance of technology offer opportunities to cyber underwriters. Appropriate cyber insurance coverages can make a valuable contribution to manage cyber risk faced by businesses and organisations. A well-developed cyber insurance market can play a key role in enabling the transformation to the digital economy. Insurers play a key role in this transformation: not only are insurers susceptible to cyber threats directly themselves, but they also offer coverage for cyber risk through their underwriting activities. This report analysed cyber risk from both angles based on responses from 41 large (re)insurance groups across 12 European countries with the aim to further enhance the level of understanding of cyber risk for the European insurance sector. The findings confirm the need for a sound cyber resilience framework for insurers and identified the key challenges faced by the cyber underwriters. In particular, clear, comprehensive and common requirements on the governance of cybersecurity as part of operational resilience would help ensure the safe provision of insurance services. This would include a consistent set of definitions and terminology on cyber risks to enable a more structured and focused dialogue between the industry, supervisors and policymakers, which could further enhance the cyber resilience of the insurance sector.

P a g e | 22


Ultimately, further actions to strengthen the resilience of the insurance sector against cyber vulnerabilities are essential, in particular considering the dynamic nature of cyber threats. Regarding the cyber insurance market, the report finds that, although still small in size, the European cyber insurance industry is growing rapidly, with an increase of 72% in 2018 in terms of gross written premium for the insurers surveyed in the report, amounting to EUR 295 million in 2018 compared to EUR 172 million in 2017. However, non-affirmative cyber exposures (where cyber risk is neither explicitly included nor excluded within an insurance policy) remain a source of concern. While common efforts to assess and address non-affirmative cyber risks are under way, some insurers have adopted a 'wait-and-see' approach to address non-affirmative cyber risk, where the implementation of actions plans to address non-affirmative exposure depends on the materialization of future events. Therefore, further effort is needed to tackle properly non-affirmative cyber exposures to address the issue of potential accumulation risk and provide clarity to policyholders. Finally, enhanced data collection on cyber incidents and losses should allow insurers to manage and price their affirmative cyber risk exposures more effectively.

Having common and harmonized standards for both cyber risk measurement and cyber incident reporting purposes could greatly facilitate this. To this end, creating a European-wide cyber incident-reporting database, based on a common taxonomy, could be considered.

P a g e | 23


You may visit:

https://eiopa.europa.eu/Publications/Reports/EIOPA_Cyber%20risk%20for%20insurers_Sept2019.pdf



P a g e | 24


Number 6

EIOPA establishes Consultative Expert Group on Digital Ethics in Insurance

The European Insurance and Occupational Pensions Authority (EIOPA) established today its Consultative Expert Group on Digital Ethics in Insurance. As a follow-up of its recent thematic review on the use of Big Data Analytics (BDA) in motor and health insurance, EIOPA established a Consultative Expert Group to assist the Authority in the development of digital responsibility principles in insurance. The thematic review concluded that there are many opportunities arising from BDA and digitalisation more broadly, but also some risks that need to be further addressed. For this reason, the digital responsibility principles will address the use of new business models, technologies and data sources in insurance from the perspective of fairness and taking into account ethical considerations. While they are expected to cover different areas of the insurance value chain, specific focus will be given to pricing and underwriting, given their specific importance in the insurance sector. The Consultative Expert Group may also act as a sounding board for EIOPA in other related policy initiatives in the area of InsurTech, for instance by supporting EIOPA in promoting a sound governance framework around the use of BDA tools such as Artificial Intelligence and Machine Learning. EIOPA's call for expression of interest of July 2019 resulted in an extraordinary group of high-level experts with a diverse set of experiences and expertise. EIOPA is pleased to confirm the composition of its Consultative Expert Group on Digital Ethics in Insurance. For further details, please refer to the table below. The group will meet for the first time on Tuesday, 8 October.

P a g e | 25


To read more: https://eiopa.europa.eu/Publications/EIOPA_BigDataAnalytics_ThematicReview_April2019.pdf

https://eiopa.europa.eu/Publications/EIOPA_BigDataAnalytics_ThematicReview_April2019.pdf

https://eiopa.europa.eu/Publications/EIOPA_BigDataAnalytics_ThematicReview_April2019.pdf

P a g e | 26


Number 7

Opening remarks - ASEAN Banking Cybersecurity Conference 2019 Opening remarks by Dr Veerathai Santiprabhob, Governor of the Bank of Thailand, at the ASEAN Banking Cybersecurity Conference 2019, Bangkok.

TBA Board of Directors, TBA members, Members of ASEAN banking community, Distinguished guests, Ladies and gentlemen, I am delighted to be here with you this morning, and I would like to thank TB-CERT for inviting me to speak at this event. Technology and the internet have undeniably become integrated into our daily lives. Customers’ behaviors continue to evolve and adapt to the technological progresses. In response, new technologies are developed to serve and accommodate customers’ ever-evolving needs. A prime example is the invention of smartphone over a decade ago, which has completely transformed our ways of lives and increased people’s connectivity to unprecedented levels. The banking industry, too, is undergoing massive digitalization, from the user-facing tools like mobile banking apps to backend infrastructure and essentially everything in between. These developments are the key drivers behind the convenience and productivity that we all enjoy today. But, inherent to any invention, these technological revolutions come with their own form of risk: cyber risks. The more “digital” banks become, the more channels for potential points of attacks from cyber criminals, who are constantly evolving to exploit new loopholes. Even when these loopholes are identified and patches are issued, delayed updates could also pose potential risk.

P a g e | 27


We have repeatedly witnessed that the various—and many times severe—cyber related incidents often revolve around financial institutions. Some infamous examples include the Bangladesh Bank incident, the hacking of ATMs in Taiwan and various other countries, Target’s credit card data breach which resulted in data of over 70 million credit cards stolen, Equifax’s data leakage in which the company was fined 700 million USD, and more recently the case of Capital One Bank in which over 100 million customers’ data were leaked. Thailand is also not immune to these cyber threats. A state bank’s ATMs were hacked, customers’ data from 2 large banks were leaked on the Dark Web, and the WannaCry ransomware outbreak. In addition to attacks on financial institutions, customers’ behavior and lack of cyber threat awareness also pose significant cyber risks as well. Social media scams through LINE or Facebook Messenger in which attackers pretend to be the victim’s acquaintance, asking for a favor to transfer money; or users’ submitting their bank account information to questionable, illegal gambling website from which their data eventually got leaked a few weeks prior are some examples of cyber-attacks that hinge on the user’s inexperience or lack of awareness of online threats. As such, I don’t think it is an over exaggeration to say that cyber threats have kept many bank executives and regulators awake at night given the nature of these threats that can occur anytime and anywhere without warning, and the significant damage they could cause. In addressing these threats, it is important to operate under the assumption that it is not a matter of “if” but rather “when” these threats will occur, and focusing solely on “protection” and “detection” is no longer sufficient. To read more: https://www.bis.org/review/r190919e.pdf

https://www.bis.org/review/r190919e.pdf

P a g e | 28


Number 8

Improving strategic communications terminology Published by the NATO Strategic Communications Centre of Excellence

The world is experiencing political turbulence. Buzzwords hijack political discourse, preventing, rather than enabling, meaningful critique and discussion.

In this contested space it is imperative that NATO member states communicate between themselves in the most precise, efficient, and

P a g e | 29


frictionless way and strengthen the alliance’s understanding and application of Strategic Communications. In October 2017 the Netherlands, one of the NATO Strategic Communications Centre of Excellence (StratCom COE) founding nations, requested a Strategic Communications terminology review project. Over the past year a team of StratCom COE and external experts have been working to streamline and improve the language used in the StratCom community at NATO. To read more: https://www.stratcomcoe.org/improving-nato-strategic-communications-terminology-0

https://www.stratcomcoe.org/improving-nato-strategic-communications-terminology-0

https://www.stratcomcoe.org/improving-nato-strategic-communications-terminology-0

P a g e | 30


Number 9

Hong Kong as a risk management hub Welcoming remarks and keynote speech by Mr Norman T L Chan, Chief Executive of the Hong Kong Monetary Authority, at the Treasury Markets Summit 2019, Hong Kong.

Ladies and gentlemen, 1. About 15 years ago, a senior banker suggested to me that, in order to further promote Hong Kong's position as an international financial centre (IFC), we should turn Hong Kong into a "risk management hub" in Asia. However, he did not elaborate further at the time on exactly what he meant and how this could be achieved. To be honest, it was not clear to me then what this risk management hub idea was all about. 2. Now looking back, I realise that, even without us consciously pursuing the idea as a policy objective, Hong Kong has already made major accomplishment as the "risk management hub" in Asia. Let me explain.

Prerequisites for a Risk Management Hub 1. Clearly an important pre-condition for a risk management hub is to have money or capital flowing through Hong Kong. In this context, it is important to distinguish genuine financial flows from those that are not. Many of you may recall that, in the 1990s and prior to the Asian Financial Crisis, many Japanese (regional) banks used Hong Kong to conduct the so-called euro yen businesses, through which the banks would book in Hong Kong their yen loans to borrowers in Japan, presumably to benefit from more favorable tax treatment. While this kind of booking businesses may inflate the size of Hong Kong's banking system in terms of total assets, it does not, as we have learnt from the experience of the euro yen booking in the 1990s, bring about much real benefits to Hong Kong in terms of job creation or enhancement of the credit underwriting skills of the bank practitioners. The lending institutions did not perform any meaningful risk management functions in booking these

P a g e | 31


euro yen businesses. As we all know, the euro yen business in Hong Kong, driven by tax reasons, faded away right after the Asian Financial Crisis. 2. That is why the HKMA has made it clear in the past 10 years that we do not welcome banks moving "pure" booking business to Hong Kong. Our position is that, in booking any loans or other assets in Hong Kong, the banks must demonstrate that they have the necessary capability and control process to prudently manage the risks of these assets, both at origination and on an ongoing basis. Then there is still the basic question: how do we attract financial flows to Hong Kong instead of to other financial centres? There is a bit of chicken and egg problem here. Unless restrained by capital controls, money is highly agile and risk sensitive and will migrate to centres that offer the greatest efficiency and safety. In other words, money tends to move through centres that provide a high standard of risk management. By handling more financial flows, a centre will be able to further improve and innovate on its risk management capability. The process is interactive and there would be a clustering effect once a centre has established the leading position in risk management and client servicing. 3. Here I should mention several important developments in the last decade that are highly relevant and instrumental to Hong Kong's rise to become the risk management hub in Asia. To read more: https://www.bis.org/review/r190919f.htm

https://www.bis.org/review/r190919f.htm

P a g e | 32


Number 10

Uncovering the Who, Why, and How Behind Manipulated Media Program seeks to develop technologies capable of automating the detection, attribution, and characterization of falsified media assets

The threat of manipulated multi-modal media – which includes audio, images, video, and text – is increasing as automated manipulation technologies become more accessible, and social media continues to provide a ripe environment for viral content sharing. The creators of convincing media manipulations are no longer limited to groups with significant resources and expertise. Today, an individual content creator has access to capabilities that could enable the development of an altered media asset that creates a believable, but falsified, interaction or scene. “At the intersection of media manipulation and social media lies the threat of disinformation designed to negatively influence viewers and stir unrest,” said Dr. Matt Turek, a program manager in DARPA’s Information Innovation Office (I2O). “While this sounds like a scary proposition, the truth is that not all media manipulations have the same real-world impact. The film industry has used sophisticated computer generated editing techniques for years to create compelling imagery and videos for entertainment purposes. More nefarious manipulated media has also been used to target reputations, the political process, and other key aspects of society. Determining how media content was created or altered, what reaction it’s trying to achieve, and who was responsible for it could help quickly determine if it should be deemed a serious threat or something more benign.” While statistical detection techniques have been successful in uncovering some media manipulations, purely statistical methods are insufficient to address the rapid advancement of media generation and manipulation technologies. Fortunately, automated manipulation capabilities used to create falsified content often rely on data-driven approaches that require thousands of training examples, or more, and are prone to making semantic errors. These semantic failures provide an opportunity for the defenders to gain an advantage.

P a g e | 33


The Semantic Forensics (SemaFor) program seeks to develop technologies that make the automatic detection, attribution, and characterization of falsified media assets a reality. The goal of SemaFor is to develop a suite of semantic analysis algorithms that dramatically increase the burden on the creators of falsified media, making it exceedingly difficult for them to create compelling manipulated content that goes undetected. To develop analysis algorithms for use across media modalities and at scale, the SemaFor program will create tools that, when used in conjunction, can help identify, deter, and understand falsified multi-modal media. SemaFor will focus on three specific types of algorithms: semantic detection, attribution, and characterization. Semantic detection algorithms will determine if multi-modal media assets were generated or manipulated, while attribution algorithms will infer if the media originated from a purported organization or individual. Determining how the media was created, and by whom could help determine the broader motivations or rationale for its creation, as well as the skillsets at the falsifier’s disposal. Finally, characterization algorithms will reason about whether multi-modal media was generated or manipulated for malicious purposes. “There is a difference between manipulations that alter media for entertainment or artistic purposes and those that alter media to generate a negative real-world impact. The algorithms developed on the SemaFor program will help analysts automatically identify and understand media that was falsified for malicious purposes,” said Turek. SemaFor will also develop technologies to enable human analysts to more efficiently review and prioritize manipulated media assets. This includes methods to integrate the quantitative assessments provided by the detection, attribution, and characterization algorithms to prioritize automatically media for review and response. To help provide an understandable explanation to analysts, SemaFor will also develop technologies for automatically assembling and curating the evidence provided by the detection, attribution, and characterization algorithms. Throughout the life of the program, the SemaFor technologies will be evaluated against a set of increasingly difficult challenge problems that are representative of new or emerging threat scenarios. More information about the program is available in the Broad Agency Announcement that is posted on FedBizOpps.gov, https://go.usa.gov/xVkNd

https://go.usa.gov/xVkNd

P a g e | 34


Disclaimer The Association tries to enhance public access to information about risk and compliance management. Our goal is to keep this information timely and accurate. If errors are brought to our attention, we will try to correct them. This information: - is of a general nature only and is not intended to address the specific circumstances of any individual or entity; - should not be relied on in the context of enforcement or similar regulatory action; - is not necessarily comprehensive, complete, or up to date; - is sometimes linked to external sites over which the Association has no control and for which the Association assumes no responsibility; - is not professional or legal advice (if you need specific advice, you should always consult a suitably qualified professional); - is in no way constitutive of an interpretative document; - does not prejudge the position that the relevant authorities might decide to take on the same matters if developments, including Court rulings, were to lead it to revise some of the views expressed here; - does not prejudge the interpretation that the Courts might place on the matters at issue. Please note that it cannot be guaranteed that these information and documents exactly reproduce officially adopted texts. It is our goal to minimize disruption caused by technical errors. However, some data or information may have been created or structured in files or formats that are not error-free and we cannot guarantee that our service will not be interrupted or otherwise affected by such problems. The Association accepts no responsibility regarding such problems incurred because of using this site or any linked external sites.

P a g e | 35


International Association of Risk and Compliance Professionals

You can explore what we offer to our members: 1. Membership – Become a standard, premium or lifetime member. You may visit: https://www.risk-compliance-association.com/How_to_become_member.htm 2. Weekly Updates - Visit the Reading Room of the association at:

https://www.risk-compliance-association.com/Reading_Room.htm 3. Training and Certification – Become a Certified Risk and Compliance Management Professional (CRCMP), a Certified Information Systems Risk and Compliance Professional (CISRCP), a Certified Cyber (Governance Risk and Compliance) Professional - CC(GRC)P, and / or a Certified Risk and Compliance Management Professional in Insurance and Reinsurance - CRCMP(Re)I.

https://www.risk-compliance-association.com/How_to_become_member.htm

https://www.risk-compliance-association.com/How_to_become_member.htm

https://www.risk-compliance-association.com/Reading_Room.htm

P a g e | 36


Companies and organizations like Accenture, American Express, USAA etc. consider the Certified Risk and Compliance Management Professional (CRCMP) program a preferred certificate. There are CRCMPs in 32 countries. You can find more about the demand for CRCMPs at: https://www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf For the Certified Risk and Compliance Management Professional (CRCMP) distance learning and online certification program, you may visit: https://www.risk-compliance-association.com/Distance_Learning_and_Certification.htm For the Certified Information Systems Risk and Compliance Professional (CISRCP) distance learning and online certification program, you may visit: https://www.risk-compliance-association.com/CISRCP_Distance_Learning_and_Certification.htm For the Certified Cyber (Governance Risk and Compliance) Professional - CC(GRC)P distance learning and online certification program, you may visit: https://www.risk-compliance-association.com/CC_GRC_P_Distance_Learning_and_Certification.htm For the Certified Risk and Compliance Management Professional in Insurance and Reinsurance - CRCMP(Re)I distance learning and online certification program, you may visit: https://www.risk-compliance-association.com/CRCMP_Re_I.htm

https://www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf

https://www.risk-compliance-association.com/Distance_Learning_and_Certification.htm

https://www.risk-compliance-association.com/Distance_Learning_and_Certification.htm

https://www.risk-compliance-association.com/CISRCP_Distance_Learning_and_Certification.htm

https://www.risk-compliance-association.com/CISRCP_Distance_Learning_and_Certification.htm

https://www.risk-compliance-association.com/CC_GRC_P_Distance_Learning_and_Certification.htm

https://www.risk-compliance-association.com/CC_GRC_P_Distance_Learning_and_Certification.htm

https://www.risk-compliance-association.com/CRCMP_Re_I.htm

P a g e | 37


For instructor-led training, you may contact us. We can tailor all programs to meet specific requirements. 4. IARCP Authorized Certified Trainer (IARCP-ACT) Program - This is an additional advantage on your resume, serving as a third-party endorsement to your knowledge and experience. Certificates are important when being considered for a promotion or other career opportunities. You give the necessary assurance that you have the knowledge and skills to accept more responsibility. To learn more, you may visit: https://www.risk-compliance-association.com/IARCP_ACT.html 5. Approved Training and Certification Centers (IARCP-ATCCs) - In response to the increasing demand for CRCMP training, the International Association of Risk and Compliance Professionals is developing a world-wide network of Approved Training and Certification Centers (IARCP-ATCCs). This will give the opportunity to risk and compliance managers, officers, and consultants to have access to instructor led training at convenient locations that meet international standards. ATCCs use IARCP approved course materials and have access to IARCP Authorized Certified Trainers (IARCP-ACTs). To learn more: https://www.risk-compliance-association.com/Approved_Centers.html

http://www.risk-compliance-association.com/IARCP_ACT.html

https://www.risk-compliance-association.com/IARCP_ACT.html

https://www.risk-compliance-association.com/Approved_Centers.html

http://www.risk-compliance-association.com/Approved_Centers.html

Monday, September 30, 2019 - International Association of ...€¦ · Monday, September 30, 2019...

Documents

Transcript of Monday, September 30, 2019 - International Association of ...€¦ · Monday, September 30, 2019...