Financial Services Boards Evolving Expectations and Cyber Risk
Session 1: Melissa Scully
Board Effectiveness
Board effectiveness: Board impact
Board impact can be described as the effect of the governance structure and processes, and contribution from Board members, which helps shape different and more positive outcomes. In other words, do the actions of the Board, the sum of the parts and the various inputs make a difference to the organisation and its stakeholders?
Board impact – key inputs and outputs
Inputs: Board processes; Skills and experience of Board members; Board dynamics and behaviours
Output: Collective Board impact → Organisation: Positive outcome
1 Deliberately slowed or speeded-up the pace of decision-making;
2 Provided support to management in implementing some tough changes;
3 Removed executives following control issues, or poor execution of initiatives;
4 Requested ‘deep dives’ into parts of the organisation that merit attention;
5 Tested some of the underlying assumptions behind the organisation’s strategy and business model; or
6 Promptly addressed concerns raised by shareholders.
Board effectiveness: Evolving expectations
Board effectiveness: Culture
The board sets the culture for the company, and actively participates in programs designed to promote legal and regulatory compliance and appropriate standards of honesty, integrity, and ethics.
Financial Reporting Council: One of the key roles for the board includes establishing the culture, values and ethics of the company. It is important that the board sets the correct ‘tone from the top’. The directors should lead by example and ensure that good standards of behaviour permeate throughout all levels of the organisation.
Central Bank Consumer Protection Outlook Report: Boards and senior management need to fully consider risks to their customers, and embed the right culture, practices and behaviours within their firms.
European Insurance and Occupational Pensions Authority (EIOPA): Insurance undertakings should make full use of the ORSA to set up a strong risk culture. We expect Boards of insurance companies to set, communicate and enforce a risk culture that consistently influences, directs and aligns with the strategy and objectives of the business…The new governance requirements as a paradigm shift towards a more consumer-centric culture.
Central Bank Thematic Review of Conflicts of Interest: There is an onus on Boards to engrain in the culture of their firm a duty to act in the best interest of the client in all instances.
Regulatory focus
Someone else’s problem?
65% of senior bankers believed there were significant cultural failings across the industry
33% believed the same of their own bank
Board effectiveness: Culture
Equipping Board members:
Understand the culture(s) that exists
Attend on site, rotate Board meetings and engage with staff and customers
Be satisfied with the Code of Conduct and Whistleblowing Policy
Make it a Board priority!
Clarify committee and management responsibilities
Get the right intelligence (see Appendix 2)
Instil a culture of accountability among directors
Board effectiveness: Strategy
Innovation
Short, medium and long term focus
Subsidiary governance challenges
Strategic key performance indicators
Link to risk appetite
Disruption
The board advises management in the development of strategic priorities and plans that align with the mission of the organisation and the best interests of stakeholders. The board also actively monitors management’s execution of approved strategic plans as well as the transparency and adequacy of internal and external communication of strategic plans.
Board effectiveness: Strategy
Equipping Board members:
Include strategy and innovation on the Board agenda as standalone items
Subsidiary Boards – engage appropriately with the Group strategy setting process
Attend Group Non-Executive Director conferences
Ensure that risk appetite is considered as part of the strategy setting process
Consider aligning a Board member to a “strategic initiative”
Seek external perspectives on disruption
Develop strategic (and innovation) key performance indicators
Incorporate updates on topics such as new product development or a business unit updates in the annual Board calendar
Board effectiveness: Governance
The board retains primary responsibility for corporate governance within their organisation. Some of the common challenges we see in financial services include:
Ensuring a greater focus on risk at the Board
Reinforcing the three lines of defence
Improving Board information (including data and IT governance)
Expanding remit of the audit committee
Heightened expectations on stakeholder engagement
Increased pressures on NEDs
Board effectiveness: Governance
Governance continues to be an area of regulatory focus across all sectors in financial services:
Banking
Assessment of governance and risk management as an integral part of the annual Supervisory Evaluation and Review Process
Risk governance and data quality will remain a priority in 2016
Insurance
CBI themed inspections for 2016 will include Solvency II Systems of Governance
Activities for low impact firms will include governance
Product governance is planned for later in 2016
Investment management
CBI themed inspections for 2016 on the Risk Function will include focus on the risk culture within firms including governance arrangements, risk ownership and responsibility
Continued focus on director time commitments.
Board effectiveness: Governance
Equipping Board members:
Ensure that there are sufficient resources to support the Board and implement good governance
Review the holistic governance framework at least annually
This should be supported by an internal audit review every three years
Request “deep dives”
Adopt a “continuous improvement” approach to Board effectiveness
Board effectiveness: Talent and succession planning
The Board selects, evaluates, and compensates the CEO and oversees the talent programs of the company, particularly those related to executive leadership.
Nomination Committee
Financial services industry knowledge
Specialised categories
Skills to manage the intricacies of risk
Broader skillsets
Greater diversity
Chairing experience
Sophisticated numeracy skills
Comprehensive skills matrix
Ability to constructively challenge
Independence
Identify key skills gaps
Training and development
Share insight without overstepping the boundaries between executive and non-executive
Good judgement
Soft skills
International experience
Technology
Right characteristics
Assess CEO
Board effectiveness: Talent and succession planning
Equipping Board members:
Undertake training and development
Formally document succession plans, associated policies and processes
Understand existing board culture and dynamics
Conduct a board skills analysis and identify future requirements
Consider timings and where possible plan in advance
Think strategically and plan for various scenarios
Engage key internal and external stakeholders
Consider the need to use an executive / non-executive search
Utilise internal support – Company Secretary and Human Resources
Continuous activity
Final thought – importance of effective Board dynamics
Session 2: Jacky Fox
Why is Cyber Security so topical?
What is Cyber Security?
Information technology security – typically to include information & infrastructure
Information security – typically just information including non-digital
Data governance – typically information and organisation structure focused
Cyber security – generally accepted as external perimeter focused and cyberspace
These terms are often used synonymously
Motivation for Cybercriminals: Reward vs Risk
Theft of intellectual property or strategic plans
Financial fraud
Reputation damage
Business disruption
Destruction of critical infrastructure
Threats to health & safety
High reward/gains
Online anonymity
Annual time limited penetration test vs advanced persistent threat
Challenges for law enforcement with cross jurisdictional cybercrime
Minimal sanctions
Low risk of being caught?
Impact of Cyber Incidents – What we know
Data Source: Verizon, Ponemon
[Three charts: Incidents per year (2010–2015, count, axis 0–3,500); Records breached per year (2010–2014, axis 0–1,200 M); Cost per record breached (2010–2014, axis €0–€160).]
Recent significant high profile cyber attacks
Target US retailer – 70M
Ashley Madison networking site – 37M
Turkish government data breach - 50M citizens
Anthem health insurance data breach – 80M people
JP Morgan Chase – 76M
eBay – 145M
US Voter database – 191M
Mossack Fonseca (Panama papers) – 11.5M
Increasing compliance and regulatory requirements
EU Directive on Network and Information Security (December 2015)
Public bodies + market operators (healthcare, banking, energy & transport)
Cooperation, information sharing & minimum security standards
EU General Data Protection Regulation (May 2016 – fully enforced May 2018)
Breakdown of Safe Harbor
Portability, profiling, right to be forgotten
US Cyber Security Strategy (April 2015)
Various US Bills on Cyber security
Collins Reed – Board cyber expertise
Central Bank of Ireland thematic reviews of Cyber security
GL44 Banks (May 2015)
Fund services (September 2015)
Challenges for the board
US Bills moving towards requirement for expert knowledge on boards
Cyber risk committee
Whole board cyber literacy
Cyber report vs balance sheet – composition
Compliance & regulatory requirements
Cyber simulations
Technical vs business decisions – are they being escalated appropriately?
Budgetary restrictions – potential for assumption of unknown risks (24/7 SOC)
How can a board display and evidence that they have assessed and challenged cyber risk appropriately?
Current board level cyber literacy
                 NEDs   C-level executives   CIO/CISO
United States    59%    77%                  78%
United Kingdom   66%    76%                  86%
Germany          61%    69%                  74%
Japan            38%    56%                  77%
Nordics          50%    53%                  55%
1500+ respondents from these categories were asked if they considered themselves cyber literate
Source: Nasdaq research conducted in April 2016
Boardroom survey insights: Cyber
Cyber security threats are not just for information technology specialists anymore. This topic is drawing attention from the very top, and has become a huge concern for many Boards. This is no surprise when a number of organisations have been impacted by such security breaches and their Boards are being held accountable. Cyber is an increasingly important oversight responsibility for Board members.
1. What level of awareness does the Board have on cyber security? [Chart: responses on a scale of 1 (low) to 5 (high), % of respondents, Financial services vs All sectors]
2. Is one Board member nominated as the cyber security expert? [Chart: % of respondents, Financial services vs All sectors]
Source: Deloitte NEDs EMEA survey
Boardroom survey insights: Cyber
“This has really moved up on our Board’s agenda and non-executives are driving this.”
1. Does the organisation currently have an action plan in place linked to cyber security? [Chart: % of respondents, Financial services vs All sectors]
2. What part of the organisation is responsible for the cyber security action plan? [Chart: options A Board committee / The Board / The executive committee / Other; % of respondents, Financial services vs All sectors]
Source: Deloitte NEDs EMEA survey
You need clear reporting lines for the board in both directions
Where should Cyber security sit in the organisation chart?
[Organisation chart: CEO at the top; reporting into the CEO: CISO, CRO, CFO, COO, CIO; an Information Security Officer (ISO) shown as an alternative placement under four of the CxO roles.]
If the Information Security Officer reports into the Chief Information Officer are they independent?
If the ISO is not at CISO level will budget be an issue?
Will other CxO be able to report and filter cyber risks effectively?
Assess current state of Cyber Security maturity
Secure – Are your assets protected in proportion to their value? Are controls in place to guard against known and emerging threats?
Access control
Encryption
Movement control
Vigilant – How do you know if something goes wrong? Can we detect malicious or unauthorised activity, including the unknown?
Logging and monitoring
Security Operation Centre
Resilient – How quickly can you recover post incident? Can we act and recover quickly to minimize impact?
Crisis management
Incident response plans
The % of budget split over the 3 areas is often an indicator of maturity
Board metrics & KPIs
Asset identification
Where is the data in your custody?
Governance
Cyber security policies
What controls are in place?
Organisation structure
Third party management
Cyber risk appetite
68% of respondents to a recent Nasdaq report had assessed likely losses from cyber attacks
Mitigation plans, insurance etc.
Budget - cost of management vs breach
Peer comparison
Vulnerability management
Routine vulnerability & penetration testing
Patching volume and lag
Incident reports
Malware reports
Breaches
Threat intelligence
Sector specific threats
Geo location threats
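The "Patching volume and lag" KPI above is only useful to a Board if it is computed consistently from the organisation's own vulnerability records. The following is an added example, not code from the slides or from Deloitte, that rolls a constructed finding ledger up into the figures a board pack would carry: volume closed, open backlog, median remediation lag, the share of closures inside an agreed SLA, and the open findings that have already breached it. The per-severity SLA days and every record in the ledger are assumptions made up for illustration.

```python
"""Board-level patching KPIs computed from a constructed vulnerability ledger.

Added example (not from the original slides). It assumes a ticketing export
with one row per finding: severity, date first seen, date remediated (or
None while open), plus a per-severity remediation SLA in days. All records
and SLA values below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import median

# Assumed remediation SLAs in days per severity (an assumption, not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed reporting date for the board pack.
REPORT_DATE = date(2016, 4, 1)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    first_seen: date
    remediated: date | None  # None means the finding is still open


# Constructed sample ledger (not real data).
FINDINGS = [
    Finding("VULN-001", "critical", date(2016, 3, 1), date(2016, 3, 5)),
    Finding("VULN-002", "critical", date(2016, 3, 2), date(2016, 3, 20)),
    Finding("VULN-003", "high", date(2016, 2, 10), date(2016, 3, 1)),
    Finding("VULN-004", "high", date(2016, 1, 15), None),
    Finding("VULN-005", "medium", date(2016, 2, 1), date(2016, 3, 15)),
    Finding("VULN-006", "low", date(2015, 12, 1), None),
]


def patch_lag_days(finding: Finding, as_of: date) -> int:
    """Days from first sighting to remediation, or to the reporting date if still open."""
    end = finding.remediated or as_of
    return (end - finding.first_seen).days


def patching_kpis(findings, as_of: date, sla_days=SLA_DAYS) -> dict:
    """Roll a finding ledger up into board-level KPIs: closed volume, open
    backlog, median lag of closed items, % closed within SLA, open items
    already past their SLA, and an open/closed split per severity."""
    closed = [f for f in findings if f.remediated is not None]
    open_ = [f for f in findings if f.remediated is None]
    lags_closed = [patch_lag_days(f, as_of) for f in closed]

    within_sla = sum(
        1 for f in closed if patch_lag_days(f, as_of) <= sla_days[f.severity]
    )
    # Open findings whose age already exceeds the SLA are the ones a Board
    # should be asking about, not the volume of closures alone.
    overdue_open = sorted(
        f.finding_id for f in open_ if patch_lag_days(f, as_of) > sla_days[f.severity]
    )
    by_severity = {
        sev: {
            "open": sum(1 for f in open_ if f.severity == sev),
            "closed": sum(1 for f in closed if f.severity == sev),
        }
        for sev in sla_days
    }

    return {
        "closed_count": len(closed),
        "open_count": len(open_),
        "median_lag_closed_days": median(lags_closed) if lags_closed else None,
        "pct_closed_within_sla": round(100 * within_sla / len(closed), 1) if closed else None,
        "overdue_open": overdue_open,
        "by_severity": by_severity,
    }


def example_report() -> dict:
    """KPIs for the constructed ledger as of the constructed reporting date."""
    return patching_kpis(FINDINGS, as_of=REPORT_DATE)


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

Reporting the overdue open items by identifier, rather than only an aggregate percentage, gives the Board a concrete "deep dive" hook; the per-severity split also exposes the case where headline closure volume is high but critical items are the ones slipping.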
Questions
1. Cyber risk - What is your view on where the Cyber Risk Owner should be ‘positioned’ in the organisation and what should his/her reporting lines look like?
2. Governance - How can Board members get comfort that their organisation has robust and effective governance in place, going beyond compliance against codes and guidance?
3. Strategy - What can Boards do to stay on top of disruption and new innovation to fully understand both the risks and opportunities they present and the implications on strategy?
4. Culture - Some say the single biggest influence a Board can have is on the hiring, firing and compensation of the CEO. To what extent do you agree with this statement?
5. Cyber risk - What are the key KPIs you believe a Board member needs to fully understand to be able to discharge responsibilities in respect of cyber risk?
Appendices
Appendix 1: Culture report
What do we mean by culture?
The term “culture” refers to the type of behaviours which a company will promote and encourage and those that it will not tolerate. The determination of such behaviour depends to a great extent on the values set and practiced by the Board and top management, as well as their cascading through the organisation.
Organisations need to ensure that the right drivers of behaviour are in place and are aware how to identify and address situations where there is a discrepancy between Board, top management and external stakeholder expectations and actual practice within the organisation.
Such a discrepancy is an important risk factor, while, conversely, a strong culture helps promote sustainable long term financial success. From this perspective, a focus on culture should not merely be about identifying outliers at risk of disaster, but of boosting the longer-term performance of mediocre or moribund companies.
Focus on culture
“Behaviour is determined not only by rules but also by the culture of the entity concerned.”
The Report of a senior practitioners’ workshop on identifying indicators of corporate culture is the outcome of a round table discussion to ascertain indicators of good and poor cultures and to gain a deeper collective understanding of what drives culture in a business. The workshop, held in December 2015, was sponsored by the International Corporate Governance Network (ICGN); Institute of Business Ethics (IBE); and Institute of Chartered Secretaries and Administrators (ICSA). The session brought together a group of individuals from a range of disciplines including: corporates; investors; and regulators.
Appendix 1: Culture report
Main conclusions
Good corporate governance – Good corporate governance is critical but there should be a broader view of what this means. Boards should see that good governance runs through all areas of the organisation. There should be clear lines of authority and structure, and openness to challenge at every level.
Transparency and openness – A good culture means being able to discuss difficult issues. Key considerations include: strengthening talent spotting; utilising employee surveys; Board contact with those that supervise employees; training and education; fairness in remuneration; and having good metrics that the CEO can discuss with the Board.
The role of HR, ethics officers and Internal audit – HR need to determine how culture is embedded. Good whistleblowing arrangements are essential. Internal audit is well placed to detect changes in culture.
Lax financial discipline – Propensity to excessive gearing or failure to undertake proper due diligence in a takeover is linked to cultural weaknesses.
Critical functions
The role of HR – Need to be responsible for a framework of incentives designed to support strategic objectives, and should ensure that the corporate code of behaviour relates to people development. HR needs to ensure the desired culture is embedded and not work in isolation as a segregated HR function, as it is integral to the work of every executive. HR is not always trusted by employees, since it is part of management; this is where ethics officers can assist.
Internal audit – Increasingly looking at indicators of culture, for example, exit interviews, employee engagement surveys and micro-cultures. They provide valuable information to the Board.
Speak-up / whistleblowing process – Highly important, although not a substitute for an open culture. A culture of no-retaliation is important. Most whistleblowers have been employed for less than two years, with long-term employees not inclined to speak up.
External auditors – Some participants felt external auditors should play a larger part in analysing culture. Many auditors say they give informal feedback on culture.
Other warning signs
Flawed executive remuneration practices – One of the most public areas of confrontation between companies and shareholders, and the second largest matter of public concern about business after taxation. However, such outright confrontation is rare in proportion to the number of listed companies. Problems that recur year after year can be a sign that all is not well with the culture.
Complex legal structures – Makes it hard for the Board to have oversight of the whole organisation, for example, excessive subsidiary Boards within VW; and complex shareholder structures.
Tendency for takeovers to proliferate – Poorly implemented takeovers can lead to cultural issues including silos and pockets of bad culture.
Lax financial discipline – This can also be a sign of a weak overall culture, for example, excess leverage seen in RBS and Northern Rock.
Appendix 2: Principles for culture management information
How can Boards and senior management meaningfully assess the culture of their organisation? How can they understand whether their “tone from the top” is reflected in a strong and consistent “echo from the bottom”? Read more in our new publication – “Management information on culture – connecting the dots.” Available at https://www2.deloitte.com/uk/en/pages/audit/articles/management-information-on-culture.html