Conduct risk management began gaining traction in the financial services industry as a way to minimize the probability of another financial meltdown. The Equifax cyber meltdown exposed the close connection between managing conduct risk and cyber risk.
Two years ago, we suggested that cybergovernance would track the same path as financial governance, with Sarbanes-Oxley-like guidance eventually emerging for managing cyber risk. Some unpredictable precipitating event would become the catalyst for more stringent oversight and regulation of “cybergovernance,” i.e. an organization’s cybersecurity oversight practices.
The Equifax debacle is that catalyzing event. The Equifax breach exposed data in virtually every U.S. household to hackers. In combination with other massive breaches by Yahoo, Facebook, and OPM, it has dramatically weakened the nation’s authentication mechanisms. The brazen lack of concern shown by Equifax’s CEO for protecting consumer data is now driving action on the national front to improve conduct and culture.
Culture and Conduct Risk
“The interrelationship between culture and conduct risk was explored for the first time. Almost half (48 percent) consider culture and conduct risk to be intrinsically linked, with firms also highlighting culture as a critical factor in managing conduct risk.”
Inside Financial & Risk, Thomson Reuters, May 18, 2017
Conduct risk management began gaining traction in the financial services industry as a way to minimize the probability of another financial meltdown. The UK’s Financial Conduct Authority has done an extensive analysis of conduct risk. The concept’s currency has been gaining in the financial world for the past half dozen years, and it turns up as a key topic at most risk governance conferences. Now conduct risk is being introduced into discussions of how to increase responsibility at the board and executive level for cybersecurity and privacy protection.
The recent Equifax cyber meltdown exposed the close connection between managing conduct risk and cyber risk. Almost a year in advance, the Equifax CEO learned that the organization was given a “zero out of ten” rating on its cybersecurity practices (cyber risk), and he didn’t take appropriate action (conduct risk).
Listing high-level risk mitigation principles illustrates how closely related conduct risk and cyber risk are. The table above makes it clear that oversight, being proactive, increasing awareness, accountability, regular assessment and reporting, and programs of ongoing improvement apply equally to both conduct risk management and cyber risk governance.
Establishing the right set of practices is vital in both the financial and security realms. “When you establish practices that reward the wrong behavior, and then couple that with self-regulation instead of being somewhat regulated, it’s a lethal combination,” said Audrey Rampinelli, a leading risk strategist and former long-time head of risk management at Loews Corporation. “We saw that with Wells Fargo, we saw that with the whole financial crisis, and now we’re seeing that in cybersecurity, because there really is no regulation.”
Deloitte suggests in Managing Conduct Risk that “when people do not have to bear the risk if things go wrong, they have a reduced incentive to treat that risk as important. When breaches of conduct standards [like Equifax] are not penalized, the message is sent that contraventions are acceptable and rules are bendable.”
Wells Fargo finally took a big step this week when it appointed Amanda Norton, a 29-year industry veteran from JPMorgan Chase, as its chief risk officer. “In her new role, Norton will oversee the company’s independent corporate risk function and risk oversight activities, including credit risk, market risk, operational risk, compliance, information security risk, and conduct risk.” Assigning someone of her stature suggests that the board and management team are taking their responsibility for improvement seriously.
Misalignment: Security Spending and the Source of Breaches
In cybersecurity, just as in finance, spending doesn’t always align well with the cause of problems. The graphic assembled by Willis, Gartner, and PWC reveals the misalignment between security spending and the actual cause of breaches. While 78% is spent on technology (e.g., to protect the perimeter), two-thirds of breaches result from “employee behavior or malfeasance.” In other words, the vast majority of breaches are caused by people, policies, and processes, yet only 1% of expenditures are applied to address problems in these areas.
In the next several weeks, we will dig deeper into an investigation of how incorporating conduct risk principles into cybergovernance could strengthen efforts to raise cyber resilience.
“Culture is a set of shared values and norms that characterize a particular organization – the mindsets that drive behaviors in firms. Firms need to own and manage their cultures at all levels and understand the drivers that will help or hinder them to achieve the cultures they aspire to.”
“Our Priorities – Firms’ Culture and Governance”
UK Financial Conduct Authority (FCA) Business Plan