So, let me continue and make a transition from operational risks to non-financial risks. This relates to the increasingly sophisticated cyber-threat landscape and cyber criminals we have today and the potential risk this entails for a bank.
Non-financial risks are any risks not pertaining to traditional financial risks such as market, credit and liquidity – for example inadequate or failed internal processes, people, and systems. The characteristics for non-financial risks are related to interruptions in IT systems, human mistakes, fraud and other deficiencies in internal control. Adding to this are external factors like natural disasters or external crime.
Banks have long experience in managing financial risks, with well-developed models and analytics, and access to relevant data. In contrast, processes, methodologies, risk assessments, and controls for non-financial risks are less mature and often dependent on data-points that are required to be able to create an overall view regarding specific and important areas to follow up regarding non-financial risk. This can e.g. refer to information on cyber-related threats and vulnerabilities. This means that accessing and quality assuring relevant data becomes more difficult, and that it is more difficult to weight and evaluate a non-financial risk position. In addition, regulatory expectations are less well defined. This means that it is challenging to define and quantify some non-financial risk types and integrate them into the risk appetite statement.
However, when it comes to non-financial risks relating to cyberattacks, the situation is completely different when compared to some of the more traditional operational risks we have previously worked with. The main difference in today’s non-financial risk is the development and consequences related to cybercrime actors and the damage that cyberattacks cause to companies and society. Cyber criminals have well-defined targets and goals with their attacks. The purpose and goals of cyber-attacks differ depending on the industry segment. It can be theft of patents in manufacturing and high-tech companies, it can be about causing damage to socially critical functions such as data communication and electricity supply. For banks, it is often the case that cybercriminals, with the end-goal, to get a ransom, create interruptions and inaccessibility for banks to deliver services to customers or carry out socially important functions such as payments. But of course, there is also interest in cybercriminals to manipulate payment systems or steal sensitive data. When it comes to Nation State Actors, the modus is similar but the purposes are related to long-term infiltration and disruptions.
An aggressive cyberattack is the single most dangerous risk for a bank. In a worst-case scenario, it could potentially cause such far-reaching disruptions that a bank’s operational capability is knocked out and that it simply cannot recover from the cyberattack.
Here I would like to add that the largest Swedish banks have a well-established collaboration to together strengthen the cyber defense and create the countermeasures required to make it difficult for cybercrime actors to attack a bank. At SEB, we are constantly strengthening our cyber defense and focusing on cyber hygiene in order to e.g., prevent theft of user credentials, protect data and assets for our customers, apply modern detection capabilities that respond to deviant behaviours.
Banks would benefit from adopting a holistic non-financial risk framework, which SEB are in the progress of doing, that offers an integrated approach to managing these risks. Such a framework should be based on a comprehensive inventory of non-financial risks and relevant controls, linked to the risk appetite framework, and employ a consistent and regular assessment approach.
Many companies, including banks, increasingly rely on third-party service providers. These relationships present a distinctive set of risks including non-performance, theft of intellectual property, violations of laws, unethical conduct, data breaches, and the inability to provide services in case of an infrastructure breakdown or disaster. The providers themselves may also subcontract a portion of the work to additional vendors. Although third-party service providers are not under the direct control of the buying party, their actions can cause significant financial and reputational damage, for example if these third-party vendors fail to perform or if they engage in illegal or unethical conduct. Regulators have made clear that outsourcing parties are responsible for managing the risks posed by their third parties. Cyber criminals are increasingly focusing on third-party vendors in their attacks, for example to try to disrupt supply chains or to try to spread malicious code via third-party vendor distribution channels to their customers. This causes a new dimension of non-financial risks.
Manage non-financial risks
In the wake of a series of major non-financial risk events, companies and regulators are devoting considerably more attention to the broad range of non-financial risks, such as cybersecurity, security culture, and third-party risk. Effectively managing these risks will require companies to rethink how risk management operates and the issues it addresses, and many will need to develop new methodologies and processes for these risks.
Companies may benefit from adopting a comprehensive framework for non-financial risk to allow an integrated approach. Advanced technologies, such as cognitive analytics, machine learning, big data, and natural language processing, have the potential to automatically identify potential non-financial risk events before they occur to allow preventive action to be taken. Still, the most commonly used initiation of a cyberattack is via e-mails containing malicious program or social engineering.
Investments in risk data governance and IT systems will be needed to provide access to the high-quality, timely data required to quantify these risks and align them with the bank-wide risk appetite statement. Beyond these steps, banks are well advised to enhance their governance structure as well, such as grouping non-financial risk management activities within a non-financial risk function within the Chief Risk Officer (CRO) organization.
The growing threats from non-financial risks is a central element of a new cyber-threat landscape and is requiring new risk management approaches. Banks will need to consider new approaches to managing these risks, from leveraging advanced technologies to adopting a non-financial risk framework.
When it comes to SEB, we are on to all of the above, but we need to continuously develop in order to adopt to the ever-changing threat-landscape. You are all a part of this, and I am confident that we together will do our outmost to stay on top of the threat