Data theft leads top 10 op risks survey for 2019

The full results of Risk.net’s 2019 Top 10 Op Risks survey can be found here

Data compromise has topped Risk.net’s annual Top 10 Op Risks survey for 2019, swapping places with last year’s top risk, IT disruption. The former is now seen, albeit narrowly, as a bigger hazard by financial institutions wary of the combined threat of data loss, reputational damage and mega-fines from regulators under draconian new data protection laws.

While this year’s survey will have a familiar look to readers, it also features one re-entry (from 2017) and two new entries: IT failure, data management and Brexit – at numbers 3, 8 and 9 respectively. Every other risk among last year’s top 10 has also shifted place, with none holding steady.

The survey – compiled from interviews and written submissions from senior op risk executives at banks, buy-side firms and financial market infrastructures – provides a gauge of industry concerns for the year ahead.

The threat of mega-fines under the European Union’s General Data Protection Regulation (GDPR) appears to have driven concerns over data compromise to the top of this year’s poll. Entering force in May 2018, the regime’s first fines have already been imposed. In January, the French government fined Google €50 million ($56.3 million) for failing to provide proper data security and privacy. No jurisdiction has yet used the full scope of penalties – the regulation allows for a fine of up to 4% of a firm’s global revenue – but the potential still exists.

Even if a bank isn’t the direct target, the possibility of customer data being compromised is always present: HSBC recently disclosed that hackers had gained access to customer accounts during two weeks in October 2018 via a third-party entity. The thieves may have retrieved names, addresses, account numbers and balances, and birth dates, among other personal information, the bank said.

“One of our key concerns is interconnectedness with third or fourth parties,” says a senior op risk manager at a global bank, who responded to this year’s survey. “We're seeing an increase in malware and phishing attacks in our supply chain. Most importantly, we worry about data breaches. We’re fully aware hackers are getting more and more sophisticated, and [defending against them] is getting more complex because even nations are participating in cyber attacks. The nature of the threat is constantly changing.”

No other source of operational risk cuts across as many threat vectors as malicious cyber attacks, from outsourcing and third-party risk (6) – which drops one place to sixth this year – to last year’s top risk, IT disruption, caused by a disabling cyber attack, which remains high on the agenda for respondents.

IT failure, meanwhile – considered separately from disruption caused by malicious cyber attacks – roars back into this year’s top 10, having last featured as a discrete risk in its own right in 2017. That's no surprise in a year when global regulators led by the Bank of England – spurred by a spate of high-profile incidents affecting retail bank customers, such as TSB’s loss of functionality following the migration of customer data onto a new platform – have trained their sights on financial firms’ operational resilience.

The related threat posed by organisational change (4) – the need to remain agile in the face of new regulatory requirements, technology and risk types – also rises up the agenda for firms this year.

More often than not these days, cyber actors pose the greatest risk of loss to banks from theft and fraud (5) – down by one notch from last year’s survey. In the case of Banco de Chile last June, attackers infected the company’s computers and servers with a virus as a distraction, allowing them to access the firm’s Swift accounts and make off with $10 million. The ensuing chaos resulted in branch closures, and is one of many examples of hackers targeting banks in emerging markets via the international Swift payment network.

Old-fashioned embezzlement schemes still loom large, though, especially in emerging markets. Insider fraud accounted for 2018’s three largest publicly reported op risk losses: Beijing-based Anbang Insurance lost $12 billion to a long-running embezzlement; in Ukraine, $5.5 billion vanished from PrivatBank in a ‘loan-recycling’ scheme; and in New Delhi, the Punjab National Bank lost $2.2 billion to rogue employees working with a fugitive diamond dealer.

Regulatory risk (7), meanwhile, remains a constant: the risk of failing to comply with large swathes of often conflicting rules, and the business risks associated with changing regulations, remains a widely cited fear.

One such regulation, Europe’s GDPR, is behind another new risk in this year’s top 10: data management (8). The risk of mis-steps when handling customer data – be it inappropriate checks on storage and permissioning, or the risk of data becoming trapped and useless in different operational silos – is exacerbated by the vast volumes of structured and unstructured data banks that fund managers hold. Although dealers were given until January 2019 to achieve compliance with the data management principles set down by the Basel Committee (BCBS 239), there’s still widespread uncertainty about what full compliance looks like, and how regulators will enforce it.

Perhaps inevitably, as European firms stare down the barrel of a disorderly exit by the UK from the EU later this month, Brexit (9) makes an unwelcome entry into this year’s top 10. Frustrated by the lack of clarity over a political solution, banks and brokers are setting up new entities in mainland Europe at a speed that almost guarantees new operational risks, such as difficulties with staffing and resource management.

Rounding out the top 10, Mis-selling (10) dips several places this year, with regulatory mega-fines related to residential mortgage mis-selling, payment protection insurance and other products having abated. Among the stragglers last year, HSBC agreed to pay $765 million to US authorities to settle claims that it mis-sold mortgage-backed securities between 2005 and 2007. Similar settlements have been now made by RBS and Deutsche Bank.