Ignore cyber security at your peril
Internet advancements have given organisations many advantages, including lower costs, increased revenue, greater speed to market, better access to customers and increased competitiveness. For most FS businesses, the internet has become a primary channel to market, offering significant opportunities to engage with new and existing customers.
However, the downside is that internet interaction also makes firms vulnerable to cyber incidents. For example, employees who aren’t trained to think about security can disclose sensitive data on social networks or click on sites that hackers use to infiltrate corporate networks. Also, data loss by insiders – both accidental and intentional – accounts for up to 50% of cases and this is set to increase with greater use of the internet.
Cyber threats are increasing in scale and sophistication. Symantec recorded over 3 billion malware attacks in 2011, noting in a recent security report the growing wave of targeted attacks on large corporations (e.g. Sony). Moreover, Bank of America’s share price dropped 3% after WikiLeaks threatened to ‘take down a major American bank and reveal an ecosystem of corruption’ using documents from an executive’s hard drive.
Despite the damage that can result from a security breach, there is often a disconnect between the board and those that manage the risks. If a FS business’s network and data are compromised, its reputation and brand could be put in serious jeopardy.
Regulated firms also face the risk of investigative and enforcement actions if their systems and controls, or their oversight and governance arrangements, are found to be inadequate to protect against, detect and manage cyber attacks. To reap the benefits of digital channels and all that technology offers it is necessary, but not sufficient, to solve IT security issues. People, process and technology elements all require equal attention. Boards and senior executives in financial institutions need to be vigilant and proactive to counteract the growing sophistication of cyber criminals, through:
- embracing cyber innovations such as social media, cloud computing and mobility when they promote growth and create advantage – while recognising the exposure to new risks they don’t understand which must be evaluated and monitored
- balancing the risks and rewards, by modernising where required, and setting the right tone from the top and building information security into strategy, operational structure and culture
- understanding the issues sufficiently to ask the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) the right questions and know when they’re getting the right answers to protect their business
- understanding that in some cases teams dealing with information and cyber security risk are not up to the challenge – organisational change may be required
- including information security issues appropriately in their risk registers and in their risk resilience planning and
- being prepared to respond confidently to challenge from the non-executive directors, regulators, investors, customers and the media if a cyber attack occurs or if a regulator questions whether they are prepared to manage a cyber attack.
Measures to protect data networks from cyber attacks must be built into the operational processes of a firm. In this regard, CIOs and CISOs have some key responsibilities, including:
- helping their CEOs and boards understand the new landscape and risks
- ensuring cyber and information security issues have the standing they warrant on the organisation’s risk register
- putting in place a clear plan and strategy to protect their business
- conducting simulations of cyber incidents
- recognising when incidents need to be escalated and
- becoming champions of the opportunities and benefits to balance out the cost of managing the risks.
Despite best efforts, even the most prepared FS businesses can still suffer a cyber incident such as a data breach or cyber crime, but being prepared will enable the board and executives to effectively manage such incidents to limit the potential damage.
France, Italy, Spain and Belgium have implemented a ban on short-selling for 15 days in a move to quell wild stock market volatility. The European Securities and Markets Authority (ESMA), which coordinated discussions between national authorities, reminded investors that it is illegal under the Market Abuse Directive to spread information which gives, or is likely to give, a false or misleading signal on a financial instrument.
The ban, which commenced on 12 August 2011, affects equities, convertibles and equity derivatives — but not credit default swaps — of more than 60 financial institutions across the four participating countries.
Despite efforts to seek a European consensus, countries such as the UK declined to participate, while Germany is still holding out for an EU ban on naked short-selling of stocks, government bonds and credit default swaps, before committing to any joint efforts. However, this round of short-selling bans was much better co-ordinated and more consistent than the measures introduced following the 2008 collapse of Lehman Brothers. This time, ESMA was able to develop almost identical prohibitions in all four countries.
However, some observers believe there is little or no direct evidence to indicate that short selling was a factor in recent market fluctuation. Moreover, research (CASS, 2008) has shown short-selling prohibitions to be counter-productive by disrupting liquidity and undermining the price discovery process.
The recent short-selling ban, which came unexpectedly, forced traders to readjust their trading platforms and added to already heightened uncertainty in European financial markets. To anticipate systemic and customer risks, regulators will need greater levels of transparency and disclosure in financial markets. However, this relationship works both ways: market participants also need the same levels of transparency and disclosure from regulators to help them plan ahead and effectively identify risks to their investment strategies. Co-ordinated EU-wide measures on short selling may offer the best hope to improve certainty for regulators and investors, and to begin restoring confidence to our turbulent markets.
UK introduces template for recovery and resolution plans
All UK deposit holders and large investment firms will have to draw up living wills by the end of 2012, according to proposals by the UK Financial Services Authority (FSA).
In an effort to prevent a repeat of the fallout from the collapse of Lehman Brothers in 2008, banks and building societies, as well as investment firms with assets exceeding 17 billion euros, will be required to prepare, outline, report and maintain recovery and resolution plans. Both large and small firms will be required to prepare a client assets resolution pack if they hold money or assets belonging to customers.
While requirements will vary depending on the type and size of the institution, its systemic importance, operating model and interconnectedness with other entities, over 250 financial institutions will be required to prepare:
- a recovery plan: showing how the firm will recover in the face of a range of negative financial shocks and
- a resolution plan: showing how the firm intends to wind down in an orderly manner that reduces the impact on financial stability and minimises the need for government support.
Under proposals, recovery plans should be reviewed each year by the board and be buttressed by appropriate governance checks and balances, including triggers and procedures to ensure timely implementation of recovery options in a range of negative scenarios. According to the FSA, each recovery plan should have a number of common features, including:
- actions to cope with a series of severe stressful events including systemic crisis
- actions which address capital shortfalls, liquidity pressures and profitability issues and should aim at returning the firm to a stable and sustainable position and
- actions that the firm would not consider in less severe circumstances such as: disposals of the whole business, parts of the businesses or group entities; raising equity capital which has not been planned for in the firm’s business plan; complete elimination of dividends and variable remuneration; and debt exchanges and other liability management actions.
By showing what firms would do if they fail, resolution plans will address the financial, legal and operational obstacles to resolution. This enables the regulator to make an assessment of the potential effect on financial stability and then determine whether this is acceptable. Resolution plans should help regulators understand an institution’s ownership structure and exposures to, and connections with, other affiliated and unaffiliated entities and market and payment infrastructures.
Finally, all firms holding client money and custody assets (irrespective of size) will be required to prepare a client assets resolution pack detailing vital information that will be readily accessible to liquidators. The aim of the pack is to promote the speedier return of client money and assets to customers, once a firm has failed, which has been a significant challenge in the Lehman insolvency.
While some European countries, notably the Netherlands, Denmark and Switzerland, have released details of either resolution or recovery plans, the UK proposals are more advanced and will likely contribute to current debates in the EU and further afield. The EU also plans to issue legislative proposals on cross-border bank resolution in September.
However, industry is concerned about the ambitious deadline set by the FSA as the initial process of preparing RRPs is likely to be time consuming, expensive and require significant restructuring of business models. Firms are particularly worried that forcing them to prepare recovery plans — such as possible asset sales — could make them more susceptible to takeovers and hostile bids in the future according to reports from the FT. Furthermore, given the complexity of today's financial institutions, many issues remain over how to make these RRPs effective at rehabilitating or resolving firms in a straightforward manner.
Germany and France push for a financial transaction tax
On 16 August, French President Nicolas Sarkozy and German Chancellor Angela Merkel ordered their officials to prepare proposals on a financial transaction tax (FTT) by September 2011, as part of a package of measures designed to promote tighter fiscal integration in the EU. France and Germany will later this year repeat their attempt to reach a deal on a FTT at G20 level and, failing that, push for an EU-wide tax.
According to the FT, some European bank analysts believe the tax might be levied at 0.1% on stocks and bonds and 0.01% on derivatives, which could raise 30 billion to 50 billion euros per year.
This announcement reflects strong views in the two largest countries in the eurozone and is intrinsically linked to the wider debate around enhanced and more centralised economic governance in the currency area. However, the initiative will still face significant opposition in Europe and internationally.
Speaking to the European Parliament in June 2011, Jean-Claude Trichet, President of the European Central Bank, called on parliamentarians not to pursue plans for a FTT, warning that the competitiveness of financial centres across Europe would be damaged unless the scheme was adopted internationally. Trichet argued that a financial transaction tax is counterproductive and would have a similar effect to “putting sand in a machine”.
As we reported previously, the IMF believes that there are more efficient ways of taxing the financial sector than a FTT. In a 2010 report, the intergovernmental organisation argued that a backward-looking charge on financial instruments, based on past balance sheet items, would be a more effective way of recovering the costs of government support during the crisis, noting that FTTs reduced the value of securities, increased the cost of capital to users and had the effect of lowering overall liquidity in financial markets.
The unintended consequences from Basel III and Solvency II
Capital requirements under Basel III and Solvency II are too different to convincingly determine whether banks or insurance firms will face higher capital costs following the introduction of the two regimes, according to an IMF working paper.
On the one hand, the debt-equity swap (i.e. deleveraging of banks) that Basel III tries to achieve will raise the marginal costs of capital for banks. Capital deductions also appear to be more stringent under Basel III. The larger scope for risk-mitigation techniques allowed under Solvency II could also result in higher capital costs for banks relative to insurers.
However, the move to a more risk-based approach under Solvency II is likely to increase the cost of capital for higher risk insurers, as investors use the additional information to seek out higher quality insurers. If insurers try to achieve higher capital levels by reducing liabilities, they are likely to do so at additional costs relative to banks, due to, amongst other things, the lack of financial markets for many insurance liabilities.
The working paper also argues that the new liquidity standards for banks and the new credit risk charges for insurers could increase the interconnectedness of the two sectors. In particular, Solvency II and Basel III will result in extra demand for — and subsequent exposure to — sovereign debt across both sectors.
On funding patterns, there is concern that the two regimes could collectively reduce demand for banks’ long-term instruments. The standardised approach for the Solvency Capital Requirement (SCR) under Solvency II will automatically make holding longer-dated sovereign debt more attractive than lower rated bank debt. Similarly, Basel III liquidity provisions could promote a partial swap on banks’ balance sheets between senior unsecured private bonds (i.e. bonds from other banks) and covered and sovereign debt, as the two latter debt instruments qualify for the Liquidity Coverage Ratio and the Net Stable Funding Ratio.
The working paper suggests that the two regimes may result in an increased use of securitization for funding purposes in both sectors which could translate into risk migration between or away from the two sectors.
In terms of policy considerations, the IMF recommends:
- Strong collaboration between regulators in both sectors to minimise the risk of regulatory arbitrage and ensure regulators understand the combined implications of the behavioural incentives that the two regimes may provide
- Higher counterparty capital charges for exposures in non-equivalent jurisdictions
- Responsible determination of equivalent jurisdictions by the European Commission (EC) to address the leakage problem, where insurers lower their capital charges by using reinsurers in jurisdictions where solvency standards are deemed equivalent but are in effect non-equivalent
- An extension of the scope of regulation should be considered, as Basel III and Solvency II may lead to increased activity by non-regulated entities and the creation of market-based risk transfer mechanisms
- Basel III and Solvency II may lead to excessive risk transfer to consumers and therefore, may require strengthening consumer protection
- There is a need for empirical investigation about the magnitude of the impact of unintended consequences, on which there is at this stage no universal agreement.