POINT OF VIEW From cyber security to operational resilience · 2019-02-15 · 3 The financial...

parker-fitzgerald.com From cyber security to operational resilience September 2018 POINT OF VIEW


Executive summary

The ten-year anniversary of the collapse of Lehman Brothers is a poignant moment to predict the culprit of the next financial crisis. This time around pundits are pointing their fingers not at a credit crunch but a cyber attack.

We are, after all, in a very different landscape: the past decade has seen a major shift in business and operating models in financial services following the “tsunami” of regulation and digital transformation. Prudential regulatory reforms have resulted in a more liquid and well capitalised financial sector, but the digitisation of finance has introduced new systemic risks – most notably cyber.

In its 2018 Risk Report, the World Economic Forum (WEF) cited cyber security as the biggest source of technology risk facing businesses worldwide, while the Centre for Strategic and International Studies (CSIS) put the economic cost of cyber crime worldwide at $600 billion – equivalent to a 14% tax on the digital economy.1

Financial services are in the firing line when it comes to cyber attacks. Professional cyber criminals seek high-value targets, such as banks, while state-sponsored activities are now adding to the growing array of cyber threats. At the same time, supply chains in financial services are outgrowing firms’ and regulators’ oversight, introducing substantial cyber risks through third and fourth parties.

Adding to the financial sector’s vulnerability to cyber risks, the systemic importance of large financial institutions and critical market infrastructures also amplifies the macro-stability implications of any cyber breach.

Regulatory scrutiny has been ramping up in recent years: 41 out of the 56 existing cyber-related supervisory documents were introduced since 2016.2 A further 72 percent of G20 jurisdictions have reported plans to issue new regulations, guidance or supervisory practices that address cyber security in the financial sector over the coming year.3

The UK regulators have been a leading force in treating cyber security as an integral part of operational resilience. The Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have been clear in stating that operational resilience is a priority for the supervisory authorities, and is viewed as no less important than financial resilience.

The evolution of CBEST as a testing framework bears this view out. The introduction of a new, designated Senior Manager Function (SMF24 – Chief Operations) in November 2017 further reinforced the shift to viewing cyber security as a Board-level responsibility and an expanding dimension of operational risk.

Intensified prudential scrutiny – and potential capital charges – over cyber resilience is not inconceivable. Financial institutions should wake up to this prospect and start seeing cyber risks not just as a matter for the IT department, but also as a business critical consideration in optimising capital allocation and the whole enterprise risk management framework. Ultimately, as financial institutions accelerate digital transformation, they need to safeguard themselves from both the increasingly complex threat landscape externally and the risks associated with their own digital innovations. This calls for cyber risk management to be driven by firms’ business strategies and objectives.

1 Centre for Strategic and International Studies and McAfee, Economic Impact of Cybercrime – No Slowing Down, February 2018.
2 The World Bank, Financial Sector’s Cybersecurity: A Regulatory Digest, December 2017.
3 Financial Stability Board, Stocktake of Publicly Released Cyber Security Regulations, Guidance and Supervisory Practices, October 2017.


The financial services sector is embarking on the journey from cyber security to operational resilience – but doing this well requires a more strategic and coherent response from both financial institutions and their regulators. To start, they need to understand that cyber resilience is not just a cost of doing business, but also an enabler for growth.

4 Reuters, Cyber attack hits 200,000 in at least 150 countries: Europol, 14 May 2018.
5 BBC, NHS “could have prevented” WannaCry ransomware attack, 27 October 2017.
6 William Smart, Lessons learned: Review of the WannaCry Ransomware Cyber Attack, February 2018.

The digital economy is only as strong as its weakest link

Throughout history, the job of the nation state has been to protect its citizens. This meant protecting a nation’s vital economic interests from a range of threats, be that disease, famine, or foreign invasion. In an analogue world, these threats were physical in nature and, in many ways, localised.

The threat landscape is radically different in a connected, digital world. National infrastructures are no longer isolated. Personal digital assets, such as identity and online behaviour data, are increasingly globalised. Threats to these aren’t nearly as easy to monitor or defend against – national governments’ ability to deal with them is being eroded.

Industries and businesses now find themselves on the front line of safeguarding the digital economy against cyber attacks, financial crime, and cyber warfare – some of which is sponsored by other sovereign states.

Cyber security and resilience of digital infrastructures, from smart meters to payment systems, have become vital national interests. But digital infrastructures are highly susceptible to global attacks. The scale of the cyber threat was highlighted on 12 May 2017, when cyber attackers unleashed WannaCry, which spread almost instantly to more than 150 countries in a worldwide ransomware outbreak.4

In the UK, WannaCry triggered the biggest cyber attack to have hit the National Health Service (NHS). Over 6,000 appointments, including surgery and operations, were cancelled with 19,000 appointments affected overall. The cost to the NHS ran into tens of millions of pounds.5

WannaCry wasn’t an attack on the NHS; it was an attack on the weak links in the national IT infrastructure. A report by the UK’s National Audit Office (NAO) revealed that every NHS trust assessed for cyber security vulnerabilities (88 out of 236 trusts) had failed to meet the required cyber security standard.6 These NHS trusts had repeatedly ignored warnings issued in 2014 to patch or migrate away from older, more vulnerable IT systems.

The NHS’s failure to heed the warnings and make the necessary investment is a lesson to us all. The digital economy is only as strong as its weakest link – and the weakest link might be a lot weaker than we imagine.


THE SCALE OF CYBER CHALLENGE IN FINANCIAL SERVICES

There are many reasons why financial services are in the firing line when it comes to cyber threats, from the value of their coffers and data to the evolution of supply chains and third-party outsourcing, which exposes further connections to cyber risk. Within financial institutions themselves, new, digitally-enabled capabilities are frequently plugged into banks’ legacy IT estates, which often cannot easily be migrated to new technologies or transformed into digital platforms. The net effect is growth of the overall IT estate, as the proliferation of new digital technologies and platforms brings new and previously unaccounted-for cyber risks and vulnerabilities into the scope of management.

All these vulnerabilities to cyber risks are also being exacerbated by the rapid pace of change in financial services. It is just over 20 years since the first online banking portal was introduced into the UK market, launched by the Nationwide Building Society in 1997. Today, the penetration of digital banking is over two thirds in the UK, a picture mirrored in other developed economies.7 Globally, over 400 million people use cross-border payment systems, with more and more payments made on smartphones (which themselves enjoy penetration of over 80% in developed markets).8

Most households and businesses now interact with digital financial services in some way, meaning that vast amounts of personal data, not to mention money and other household and business wealth, are only as secure as the IT platform they are stored on.

Bank IT outages affect access to everyday financial services such as transactions, deposits or withdrawal of money. The recent example of TSB in the UK highlights the scale of the problem. Though not caused by a cyber incident, the service outage resulting from a problematic IT migration has cost the challenger bank over £176 million to date.9 This included the costs of compensating customers, placing 2,500 people in customer-facing roles, and foregoing income due to waived overdraft fees and interest charges.

The scale of the losses was enough to push an otherwise profitable bank into the red as well as triggering significant reputation damage – around 26,000 customers switched their bank account away from TSB as a result of the IT failure.10

Business impacts on such a scale explain why cyber security is now seen as an integral part of operational resilience and why supervisory authorities around the world are beginning to monitor this ever more closely.

COST OF CYBER BREACHES

Cyber breaches impose multiple forms of costs on firms. The National Cyber Security Centre categorises these into direct, recovery and long-term costs.

DIRECT COSTS: Costs from staff being prevented from carrying out their work; lost, damaged or stolen outputs, data, or assets; and lost revenue if customers could not access online services.

RECOVERY COSTS: Additional staff time needed to deal with the breach or to inform customers or stakeholders; costs to repair equipment or infrastructure; and any other associated repair costs.

LONG-TERM COSTS: The loss of share value; loss of investors or funding; long-term loss of customers; costs from handling customer complaints; and any compensation, fines or legal costs.

7 UK Finance, UK Payment Markets: Summary, 2018.
8 Deloitte, Global mobile consumer trends: 2nd edition, 2017.
9 The Independent, TSB falls to £107m loss as cost of IT fiasco soars to £176m, 27 July 2018.
10 The Telegraph, TSB meltdown leads to eight-fold increase in customers switching accounts, banks say, 18 May 2018.

Source: National Cyber Security Centre, 2018.

The progression of cyber regulation

Since the launch of the first cyber-related regulation in South Korea in 2007, regulatory supervision has increasingly focused on the need to identify and address cyber security risks. As of December 2017, there are 56 cyber-related regulations, guides, and supervisory documents in effect, most of which have been introduced since 2016 (see figure 1). A further 72 percent of G20 jurisdictions have reported plans to issue new regulations, guidance or supervisory practices that address cyber security for the financial sector in the year ahead, according to the Financial Stability Board (FSB).11

Alongside the clear increase in regulatory focus on cyber security, approaches to addressing cyber risks are also changing. Early approaches focused on ensuring senior managers were responsible for managing operational risk, as seen in the 2011 BIS Principles for the Sound Management of Operational Risk. In 2015 the UK Senior Managers and Certification Regime evolved this approach; the Monetary Authority of Singapore (MAS) and Hong Kong Securities and Futures Commission have since followed suit.

Before cyber regulation became a distinct and clearly defined area of focus, aspects could be found within broader regulations. For example, measures relating to cyber were nestled within regulation and guidance for outsourced providers (MAS, 2016) and those concerned with data protection and security of the end-client.

Regulatory scrutiny ramping up

Figure 1: Introduction of cyber regulation by year (2007–2017). Bar chart of the number of cyber-related regulations, guides and supervisory documents introduced per year from 2007 to 2017; vertical axis 0–25. Source: World Bank, 2017.

11 Financial Stability Board, Stocktake of Publicly Released Cybersecurity Regulations, Guidance and Supervisory Practices, October 2017.


The UK regulators have been a leading force in making cyber security and resilience an integral part of operational resilience. The PRA and the FCA have made clear in recent publications that operational resilience is a priority for the supervisory authorities and is viewed as no less important than financial resilience.

The evolution of CBEST reflects the regulator’s view of cyber as a matter of resilience, testing and assurance. Introduced in June 2014 by the Bank of England, the CBEST framework is the primary method for financial institutions to voluntarily test their cyber defences using threat intelligence and attack simulations. To date, the PRA has indicated that it is broadly satisfied with the cyber resilience of tier-1 banks, namely banks with financial stability implications. However, the PRA has identified a “cyber poverty-line” when it comes to tier-2 banks.

Reflecting a risk-based approach, the Bank of England’s view is for large banks that have demonstrated a track record in red team testing in the past to have greater autonomy in implementing CBEST going forward. While the CBEST framework has not been without its critics, there has been a shift in industry attitude: the banks are now welcoming this and are wanting to help evolve and enrich the CBEST framework.

To further reinforce the treatment of cyber risks as part of the operational resilience agenda, the PRA designated a new senior manager function (SMF) for banks in November 2017. The PRA expects the newly-designated Chief Operations (SMF24) to hold responsibility for business continuity, cyber security, IT, internal operations, operational continuity, outsourcing and shared services, and to have a reporting duty to the Board and the CEO.

From cyber security to operational resilience

To date, the majority (55%) of the regulatory responses to cyber threats have been driven at the national level. Supranational measures, in contrast, are often voluntary guidelines and best practices, rather than hard-and-fast requirements. This means that financial institutions, especially those operating across jurisdictions, can face multiple and different disclosure requirements.

The FSB report on cyber regulations in October 2017 highlighted the private sector’s concern over how different regulatory requirements can drive structural changes that are sub-optimal from a business perspective. The separation of networks in different jurisdictions to insulate the parent company from certain requirements applicable to a single subsidiary is an example.

Even when regulatory requirements are non-conflicting across jurisdictions, compliance can still be tricky due to inconsistent use of language or different deadlines for reporting cyber incidents. The FSB highlighted an example where seven sets of terminology are used under different regulatory schemes, all regarding the implementation of the same NIST control.

Even within nation states, regulatory coherence can be lacking. For example, within the US, there remains a wide variation in cyber policies between state and federal regulators and public bodies, leading to a large and complex array of regulatory requirements and fragmented oversight.

Towards a more effective reporting framework

CHALLENGES TO BUILDING OPERATIONAL RESILIENCE

TECHNICAL INNOVATION: Fintech; Artificial Intelligence; Distributed Ledger; Crypto Assets.

CHANGING BEHAVIOURS: Instant Access; Mobile Technology; Faster Transactions.

KEEPING PACE: Skills Gaps; Obsolescence.

SYSTEM COMPLEXITY: Third Parties; Concentration Risk; Cross-border Dependencies.

CHALLENGING ENVIRONMENT: Cyber Incidents; Cost Pressures.

Source: Bank of England, Prudential Regulation Authority and Financial Conduct Authority, Building the UK financial sector’s operational resilience, July 2018.


Figure 2: US cyber-related regulatory structure for financial services (2017)

The figure maps federal and state financial services regulatory and oversight agencies and self-regulatory organisations against the entities they regulate, with additional cyber agencies shown alongside.

Additional cyber agencies: White House (EOP, NSC/NEC, OSTP); OMB; US Treasury (OFAC, FinCEN); DHS (ISAOs); Federal Communications Commission; Dept of State; Law Enforcement Agencies (DOJ, USSS, FBI); Dept of Commerce (NIST, BIS).

Regulated entities: depository institutions; insurance companies; non-depository entities that offer consumer financial products or services; broker-dealers or other securities and derivatives markets intermediaries; investment companies, investment advisors or municipal advisors; Fannie Mae, Freddie Mac and Federal Home Loan Banks; financial market utilities and other infrastructures.

Regulators (grouped as Banking, Securities and Insurance): state regulators; Board of Governors of the Federal Reserve System; CFPB – Bureau of Consumer Financial Protection; CFTC – Commodity Futures Trading Commission; FDIC – Federal Deposit Insurance Corporation; FHFA – Federal Housing Finance Agency; FINRA – Financial Industry Regulatory Authority; FTC – Federal Trade Commission; MSRB – Municipal Securities Rulemaking Board; NCUA – National Credit Union Administration; NFA – National Futures Association; OCC – Office of the Comptroller of the Currency; SEC – Securities and Exchange Commission.

Key: safety and soundness oversight; consumer financial protection oversight; securities and derivatives markets oversight; insurance oversight; housing finance oversight; consolidated supervision or systemic risk-related oversight; Financial Stability Oversight Council member agency.

Note: The figure depicts the primary regulators in the US financial regulatory structure, as well as their primary oversight responsibilities. “Regulators” generally refers to entities that have rulemaking, supervisory and enforcement authorities over financial institutions or entities. There are additional agencies involved in regulating the financial markets and there may be other possible regulatory connections than those depicted in this figure. Source: US Government Accountability Office, GAO-16-175.

As figure 2 demonstrates, regulatory reporting requirements often lack coherence and may result in duplication. This imposes greater regulatory burdens on banks and absorbs significant resources for reporting purposes. In a recent US Senate inquiry, one Chief Information Security Officer (CISO) estimated that 40% of his team’s time and resources were devoted to reconciling various regulatory requirements.12 This meant that the development of internal bank tools to improve cyber risk detection and response was delayed by 3–6 months.13 Regulators at the national level need to pay attention to creating a simplified reporting framework as a starting point for a more effective regulatory structure globally.

12 US Homeland Security, Cybersecurity Regulation Harmonization, 21 June 2017.
13 US Homeland Security, Cybersecurity Regulation Harmonization, 21 June 2017.


In response to the FSB’s consultation, financial institutions acknowledged the growing need for supervision in cyber security and expressed support for principles-based, risk-based and proportional regulation. They have, however, raised concerns over the costs and inefficiencies associated with multiple and potentially conflicting regulatory schemes and the lack of a global process for coordinating regulation for cyber security.

More harmonised rules across borders will help to direct resources towards enhancing the critical financial infrastructures of the economy. Where appropriate, regulatory convergence through alignment and mutual recognition of national conduct rules should be a key objective for regulators.

Supranational bodies have focused on standardised governance and guidelines, covering areas such as incident reporting, risk-based approaches to cyber security, examinations and test exercises. To this end, the European Banking Authority also published its FinTech Roadmap this March to promote best supervisory practice for resilience supervision.

One milestone on this road was reached on 2 May 2018, with the European Central Bank (ECB) publication of its European Framework for Threat Intelligence-Based Ethical Red Teaming (TIBER-EU). This provides the first Europe-wide framework for controlled and bespoke tests against cyber attacks in the financial market. The TIBER-EU framework also seeks to facilitate a harmonised European approach towards intelligence-led tests, mimicking the tactics, techniques and procedures of real hackers who can be a genuine threat. More recently, the FSB published its Cyber Lexicon, which defines 50 core terms related to cyber security and cyber resilience in financial services to facilitate cross-border understanding and to promote information sharing on best practices.

This stage of evolution does not signpost the development of a single global rulebook; rather, it reflects the need for greater mutual recognition between national standards to address the trans-national nature of cyber threats.

A call for global regulatory equivalence

55% – Regulatory responses to cyber risks driven at the national level

7 – Sets of languages used to implement a single cyber control

40% – Time and resources spent on reconciling regulatory requirements for a global bank’s CISO


ADDRESSING CYBER CHALLENGES: BUSINESS ISSUES AND PRIORITIES

Not only are financial institutions particularly vulnerable to cyber risks through their complex supply chains and vast legacy IT estates, but the costs of cyber breaches are also substantially higher in financial services. According to IBM and the Ponemon Institute, the 2017 cost of each data record lost in financial services was $206 – 39% higher than the average across industries.14 The introduction of General Data Protection Regulation (GDPR) this May will push up the cost of data breach further, as firms are liable for a fine of up to €20 million or 4% of revenue.

In addition, the cost of cleaning up after a cyber breach is only a small fraction of the total cost. One study of the cost of cyber crime for Italy found that while the actual losses were $875 million, the recovery and opportunity costs reached $8.5 billion.15

Speaking in January 2018, Robin Jones, the FCA’s Head of Technology, Resilience and Cyber, highlighted the startling speed with which cyber attacks can cripple a company’s IT systems: the NotPetya malware was designed to use a collection of tools to infect machines and travel through a network as quickly as possible. One report put the time of total failure of one of the largest victims of the NotPetya attack, with almost 10,000 connected systems, at just 19 minutes.16

From the viewpoint of senior managers, firms must understand their key IT assets and constantly assess the vulnerability of those assets against possible future attacks. If a firm has just 19 minutes to protect itself, does it know which systems it should prioritise? Does the firm have sufficient back-up arrangements in place to create an effective protection around those assets?

In the case of data theft, being able to prioritise the protection of the most sensitive financial and customer data is critical. Basic hygiene is equally key: learning the lessons from the WannaCry attack on the NHS, addressing vulnerabilities in ageing IT systems – which in some banks may be up to 20 years old – and patching on a regular basis can help to limit the impact of such attacks.

As important as knowing what to prioritise in the face of a cyber incident, it is also vital for firms to understand where their weakest links lie. The weakest link to cyber resilience may be located in the financial services sector’s supply chain, highlighting the importance of cyber risk considerations during procurement processes. Equally, the weakest link may be found within a firm’s own organisation. For example, staff need to be able to identify and report suspected phishing attacks quickly, and the security teams need to be able to respond in a timely manner.

Appropriate prioritisation for a rapid response

x10 – Direct loss vs. total cost following a cyber breach, according to a study of cyber crime in Italy

19 minutes – Time taken for NotPetya to affect 10,000 systems

20 years – Age of some banks’ legacy IT systems

14 IBM and Ponemon Institute, The 2018 Cost of a Data Breach Study.
15 Centre for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime, June 2014.
16 Financial Conduct Authority, Building Cyber Resilience, 26 January 2018.


The need for a rapid response and appropriate prioritisation in the face of a cyber incident requires firms to put strong governance in place and to have visible and dedicated leadership for cyber. In the UK, through the introduction of SMF24, the PRA was clear in its expectation for senior management to own the accountability for cyber security as a part of operational resilience.

This shift from cyber security to operational resilience requires responsibilities across the entire organisation as well as financial institutions’ supply chains.

As financial institutions accelerate their digital transformation, cyber resilience will be key to ensuring that the risks associated with innovations such as new digital products can be contained within firms’ risk appetite. This highlights the need for cyber risk management strategy to be driven by an organisation’s business strategy and objectives, in addition to its cyber resilience requirements. Similarly, frameworks for managing cyber risks should be embedded in a firm’s operating model as well as its enterprise risk management framework overall.

Creating cohesion between business and cyber directives calls for more effective communication between the technology department and the boardroom. Defining a cyber risk appetite in light of business strategy would help, as would the quantification of cyber risks with a view to optimising the overall capital framework.

Making cohesion between business and cyber directives

Financial institutions and their regulators can often see their cyber resilience as a matter of “input” – namely, the amount of investment in cyber security. Our estimate suggests that the total cyber spend among the 30 Global Systemically Important Banks (GSIBs) was $6.3 billion in 2017 – 0.8% of their total operating costs.

Historically, there has been limited visibility of whether defence is effective and of how far the inherent level of cyber risk is reduced. This is partly due to inconsistencies between an organisation’s own risk assessment and the cyber threat landscape facing financial institutions, and to the fact that the threat landscape can mutate faster than firms’ cyber controls and oversight can keep up. The consequence is a seemingly poor return on investment and the lack of a clear correlation between cyber input and outcome.

This can be exacerbated by the mismatch between the cyber risks that firms face and the skills possessed by the firms’ current workforce. Filling skills gaps within a workforce can prove problematic, as demand for cyber experts far outstrips market supply. The estimated shortfall in cyber security professionals in the US in 2018 will amount to 516,000, up from 389,000 in 2017.17 The global shortfall of cyber professionals is expected to hit 1.8 million by 2022.18 For global banks faced with such skills gaps, investing in people is as important as investing in systems.

From cyber input to cyber outcome

$6.3 billion – Estimated GSIBs’ spend on cyber in 2017

1.8 million – Global shortfall of cyber professionals by 2022

17 Frost & Sullivan, The 2015 (ISC)2 Global Information Security Workforce Study, 16 April 2015.
18 Frost & Sullivan, The 2017 Global Information Security Workforce Study, 2017.


Conclusion

Conventional business wisdom identifies cyber security as a cost centre and a necessary evil: doing it well doesn’t necessarily give a firm a competitive advantage, but not doing it well will potentially destroy the business, or at least inflict major financial and reputational damage on a firm.

This thinking needs to evolve. Cyber resilience is a critical enabler to financial institutions throughout their digital transformation journeys. Cyber risk should be a priority not only for the IT department, but also for the Boards and C-suites as changing business models and advances in technology challenge financial institutions’ ability to identify, mitigate and manage operational risk.

Meanwhile, regulators are increasing their level of oversight on how firms manage their cyber risk. As an expanding dimension of operational risk, it will likely attract intensified prudential scrutiny and potential capital charges, especially in the context of an enhanced regulatory focus on the operational resilience of the financial system.

At Parker Fitzgerald, our deep risk management expertise and team of experienced cyber risk and information security practitioners will help you to identify and manage the cyber risks arising from your business activities in accordance with risk appetite, reducing your overall operational risk exposure and providing you with a competitive advantage in an age of digital finance.

Related publications from Parker Fitzgerald’s thought leadership programme

This report is the latest in a series of publications examining the economic, regulatory and technology environment, and its implications for the financial industry’s strategic and risk agenda. For further publications, please visit our website.

Safeguarding Digital Transformation: Understanding the Digital Impact on Banking Business Models and Risk Management (December 2017)

The adoption of digital technology in the banking industry is shifting the economic fundamentals of the market, giving rise to a widening gap between business aspirations and operational reality in the sector.

Sustainable Financial Services in the Digital Age (May 2018)

This joint report by UK Finance, an industry group representing nearly 300 of the largest financial firms in the UK, and Parker Fitzgerald focuses on three key technologies in finance: artificial intelligence, the Cloud and Distributed Ledger Technology. It discusses how the advent of the digital economy, financial regulation and the emerging risks for firms are transforming the financial services landscape.

Sustainable AI in Finance (May 2018)

The power of Artificial Intelligence (AI) to improve productivity in financial services is undeniable but it also brings new risks. Technology is benefiting customers with faster decision-making and a more dimensional view of customers and markets. At the same time, predictive analytics and machine learning have opened new possibilities in the detection of fraudulent activity and financial crime.


Is the Era of Financial Regulatory Coordination Coming to an End? (May 2017)

The Basel Committee’s 2017–18 strategic priorities indicate a pause for thought in the global concerted effort on financial regulation, at a time when US and EU regulators are reviewing their own agendas.

Monetary Policy and Financial Stability: Three Priorities for the CRO (June 2017)

A prolonged era of low rates and cheap money has created a long list of side effects. With monetary policy normalisation now on the cards, markets and banks should watch out for the associated risks to financial stability. We outline three key considerations for the CRO.

What Does a Post-Brexit London Tell You About the Future of Finance? (October 2017)

FinTech adds to London’s Brexit-proof appeal. Technology will be the dominant driver of change in global financial services, as well as that of new systemic and firm-level risks. The City of London is in the prime position to address these risks and reap the potential benefits of a digital financial marketplace.

For further publications, please visit parker-fitzgerald.com


About the authors

Alastair advises Parker Fitzgerald’s senior management and its clients on critical issues relating to risks associated with digitalisation with a focus on technology strategy, data privacy, cybersecurity and infrastructure resilience.

Prior to joining Parker Fitzgerald, Alastair was the Global Managing Partner of Technology Consulting, leading Accenture’s technology strategy and risk transformation practice. He also served on Accenture’s Technology Leadership Council. Previously, Alastair was the Global Head of Technology at PwC.

Alastair has advised and led projects for major financial services clients, but has also worked extensively in the energy, telecommunications, defence and high tech sectors as well as the federal government. He also sat on the related committees for the US and UK governments, the European Commission and the United Nations Security Council.

Alastair has a BSc in Physics, Postgraduate Diplomas in Computer Science and Digital Imaging, a PhD in Theoretical Physics, a DPhil in Cryptographic Science and a Management Diploma from IMD in Lausanne.

Dr Alastair MacWillson, Chief Technology Adviser, Parker Fitzgerald Group

Kuangyi leads Parker Fitzgerald’s thought leadership programme as well as the firm’s engagement with industry groups, regulators and policymakers.

Prior to joining Parker Fitzgerald, Kuangyi held various thought leadership roles at both policy think tanks and commercial organisations, including Chatham House, the State Council of China, and Accenture. Her roles focused on offering strategic content and advisory for the C-suite and senior government officials. Most recently, Kuangyi was a Principal Researcher at Accenture’s internal think tank, responsible for authoring the company’s flagship publications at the World Economic Forum in Davos and for leading cross-industry thought leadership programmes.

Kuangyi is a regular columnist in business newspapers and a published author in leading business and academic journals including Harvard Business Review and Business Economics. Kuangyi holds an MPhil in Economics from the University of Oxford, where she specialised in theory and policy relating to competition and regulation.

Kuangyi Wei, Head of Research and Market Engagement, Parker Fitzgerald Group

Kyle is the Lead Partner for Parker Fitzgerald’s Cyber Risk practice, specialising in cyber and information security. He has over 20 years of experience in the Banking and Capital Markets sector and is a subject matter expert in the management of cyber, information, technology and operational risks.

Kyle’s specialism is advising and assisting Boards in shaping their strategic response to the emerging cyber threat landscape and new global regulatory environment.

Prior to joining Parker Fitzgerald, Kyle held senior roles at Barclays, latterly serving as Global Head of Technology Risk for Barclays Wealth and Investment Management, VTB Capital – where he was global Chief Information Security Officer (CISO) – and Deloitte. Early in his career, Kyle was a Cryptologic Officer in the United States Navy where he worked in Information Operations for the U.S. Department of Defense.

He holds a B.S. in Computer Science from the United States Naval Academy and an M.S. in Computer Science from the University of Minnesota.

Kyle Hastings, Partner, Parker Fitzgerald Group


About Parker Fitzgerald Group

Parker Fitzgerald is a strategic advisor and consulting partner to the world’s leading financial institutions.

Headquartered in London, our global network of senior industry practitioners, technical experts and change specialists is trusted by the leaders of the world’s largest financial institutions, regulatory authorities and government agencies.

We are experts in all areas of financial and non-financial risk, regulation and financial technology. We provide independent advice, assurance and market-leading solutions to help our clients navigate their most critical issues, reduce complexity and improve their overall risk-adjusted performance.

Our unparalleled knowledge and experience in financial services, world-class thinking and excellence in delivery has seen Parker Fitzgerald recognised as one of the most dynamic and progressive consulting firms in Europe.

Areas of expertise include:

• Cybersecurity
• Financial Crime
• Strategic Change
• Transaction Support
• Risk Management
• Financial Regulation
• Banking Technology
• Digital Innovation

Parker Fitzgerald, Level 18, Heron Tower, 110 Bishopsgate, London EC2N 4AY

+44 (0) 20 7100 7575 · [email protected] · www.parker-fitzgerald.com · @p_f_g

Disclaimer

The information contained in this document has been compiled by Parker Fitzgerald and includes material which may have been obtained from information provided by various sources and discussions with management but has not been verified or audited. This document also contains confidential material proprietary to Parker Fitzgerald. Except in the general context of evaluating our capabilities, no reliance may be placed for any purposes whatsoever on the contents of this document or on its completeness. No representation or warranty, express or implied, is given and no responsibility or liability is or will be accepted by or on behalf of Parker Fitzgerald or by any of its partners, members, employees, agents or any other person as to the accuracy, completeness or correctness of the information contained in this document or any other oral information made available and any such liability is expressly disclaimed.

© 2018 Parker Fitzgerald