
03 Apr 2019

Creating the right risk culture

For asset servicing providers and their clients across the globe, the ongoing march of technological innovation brings an array of opportunities and risks. Just as new data and processing capabilities bring efficiency, scale and opportunity, so too do they drive complexity and challenge for institutional investors and market participants across the spectrum as they seek to achieve and demonstrate the appropriate risk management that stakeholders demand.

The pressure is on from regulators, boards, trustees, underlying clients and other stakeholders—in the form of new reporting, disclosure and affirmation requirements. Market participants are expected to remain vigilant and work to continuously improve the controls and security measures in place to protect the information under their control, affirm that their vendors and supply chains meet necessary standards, and demonstrate their overall commitment to building and maintaining diligence and resilience across their organisations.

The Canadian example

The Canadian market holds a well-deserved reputation as a safe haven. As such it should come as no surprise that regulators and market stakeholders continue to extend their focus on areas related to diligence, prudence and good governance.

Accordingly, activities in the Canadian market may offer relevant insights and tools for market participants globally seeking to reinforce to their stakeholders their commitment to doing business at the highest standards. Expectations in Canada include rising attention on internal processes, cybersecurity, employee education, vendor management and supply chain oversight processes, and creating the right “risk culture”.

Regulatory focus areas: cyber risk, outsourcing risk

Areas which have come more closely into focus in recent years include mitigating cyber risk (including technological developments across cloud computing, distributed ledger/blockchain activities, and fintechs), strengthening vendor management and supply chain oversight, as well as affirming and strengthening overall resiliency across investment operations. For example, 2019 saw Canadian regulators introduce new requirements for certain domestic federally regulated financial institutions to address technology and cybersecurity incidents in a timely and effective manner.

Canadian regulators have also directed significant focus to the area of outsourcing with regulatory governance requirements, such as National Instrument (NI) 31-103 “Registration Requirements, Exemptions and Ongoing Registrant Obligations,” and Canada’s Office of the Superintendent of Financial Institutions Canada Guideline B-10 requirements, “Outsourcing of Business Activities, Functions and Processes.”

These regulatory efforts have served to bring into focus the theme that while operations can be outsourced, responsibility cannot—firms remain accountable for the activities they have entrusted to their vendors. As such, firms must put in place demonstrable measures designed to provide assurance that outsourced activities (such as those entrusted to a local asset servicing provider) are being conducted at required standards.

Cybersecurity self-assessment

Canadian regulators have also provided market participants with relevant tools to support their efforts to achieve and demonstrate sound and strong controls. While these tools are designed with Canadian market participants in mind, the principles and questions may be relevant for participants in markets around the world. Whether investing into Canada or seeking a high standard against which a firm can measure itself, this checklist may prove useful.

The value of a self-assessment checklist is relevant given that maintaining the confidentiality of specific cybersecurity controls and preparations are one facet of cybersecurity risk management. After all, disclosure of the specific protections in place to protect a firm may enable hostile actors to more easily devise an attack. This necessitates a careful balance between providers and clients: to provide sufficient confidence regarding the protections in place while also maintaining sufficient confidentiality. Self-assessments, policies and other external tools can provide a means by which participants can provide assurance that they are adhering to relevant standards while maintaining that necessary confidentiality.

Governance assurance and client support

Global investors and market participants in Canada also continue to seek efficiencies and stronger controls through operational transformation, which includes outsourcing additional activities and exploring new opportunities to capture and engage with data in collaboration with vendors. At CIBC Mellon, growing client interest in our ability to affirm our strength, governance and preparedness led our firm to design and deploy a client governance programme and client governance guide. This guide is designed to support our clients in demonstrating to their stakeholders the oversight they have over our firm by providing a relevant framework, definitions and tools to assist clients in their oversight over activities entrusted to our organisation.

Financial market participants face increasing pressure from regulators and other stakeholders to ensure the necessary oversight of their suppliers, specifically when those suppliers are considered outsourcers. Firms are ultimately responsible and accountable for all the functions that they outsource to a third party. Any time your organisation outsources a function to a third-party supplier, it accepts an outsourcing risk as it entrusts control of that function to a provider. As such, firms must put steps in place to affirm that the service provider adheres to the same level of business discipline and internal controls.

Firms that partner with an outsourcing provider, whether for technology purposes such as managing data or for administering payments, should expect to apply a very high standard of review and diligence. However, given that the details of certain types of controls (particularly those around cybersecurity) must be kept confidential, firms must carefully consider what will suffice in terms of delivering the necessary confidence and assurance. Ultimately, firms cannot outsource their responsibility for information risk and must be thoughtful in how they deliver on that responsibility in collaboration with their providers.

Evolving risk pillars

Regardless of your role across the investment landscape, a broad familiarity with risk management practices and recent trends may assist you in understanding and preparing for potential outcomes—as well as support you in engaging with stakeholders seeking a conversation about the steps your organisation has taken to deliver confidence to stakeholders.

The process of identifying and measuring risk factors takes place across institutions globally. In Canada, for example, the Office of the Superintendent of Financial Institutions enforced the implementation of Operational Risk Management Guidelines for federally regulated financial institutions; this regulation provides fundamentals of risk management and regulatory oversight, establishing principles for organisations’ management of the different types of risk. Most organisations are familiar with such well-established pillars as credit risk and market risk, which are generally considered to be mature pillars in the investment space. Turning to the broader category of operational risk, the material risks typically captured under this pillar include transaction processing, talent, technology, business continuity, outsourcing, legal, and regulatory risk. Depending on its risk management structure, a firm may place certain well-established risk management pillars such as reputational risk and strategic risk outside of operational risk, given the large inventory of principles already captured under the operational risk pillar.

In Canada and globally, regulators and market participants alike have placed significant focus on a more recently emerging pillar—information risk—as it encompasses information security, cyber risk, and technology risk. Due to its prevalence—from recent regulatory changes to the regular emergence of global media coverage related to hacks, breaches and other cyber attacks—industry professionals across the spectrum should be aware of information and cybersecurity issues. Across cyber and operational risks, the core theme of resiliency continues to gain ground: fortifying operations against challenging situations, disruptions, attacks and other expected and unexpected challenges.

Information risk, cybersecurity

At CIBC Mellon, we understand that our clients face increasing pressure from institutional investors, regulators and stakeholders to provide assurance that processes are in place to mitigate the effects on critical services of unexpected disruptions and threats, such as breaches arising from technology-related events. Information security is generally thought of as managing the risk to the confidentiality, integrity and availability of information assets. The goal is to prevent disclosure of data, unauthorised or accidental modification of data, or loss of information assets.

The Business Continuity Institute (BCI) is a leading international organisation for business continuity professionals worldwide. The Institute issues an annual Horizon Scan Report designed to track risks and threats to organisations. In the most recent Horizon Scan, the Institute tracked the top trends according to 657 organisations in 76 countries. Sitting at the top of the list in 2016, 2017 and 2018 amongst survey respondents are cyber-attacks and data breaches. Organisations remain concerned about the potential for damage via attacks and breaches. These risks were cited by more than half of the respondents to the BCI survey.

In the event of a cyber-attack, there are significant risks to consider that extend beyond technology risk, such as:

Transaction processing risk: the inability to process transactions if a firm cannot access the systems used to enter them.

Business continuity risk: can an organisation continue operations following a cyber event? How quickly can it return to a regular operation?

Legal risk: a firm could be at risk of being negligent in protecting its data, which could result in potential litigation from underlying clients, vendors or other stakeholders.

Regulatory and compliance risk from potential violations or non-conformance with regulations related to information security.

Reputation risk could impact an organisation’s ability to establish new relationships or services, or to continue servicing existing clients. A cyber event that impacted a financial institution or institutional investor could attract significant attention, given the volume of personal information that such an organisation might maintain. Reputation is further impacted in the event that a scenario is not managed effectively—a firm’s response is critical to minimise reputational damage.

Considering an information security perspective, there are multiple ways vendors can provide assurance that data under their control is sufficiently protected and that an organisation has the necessary resilience. In engaging with vendors, consider seeking assurance of such factors as multiple redundant data centres, affirming that a detailed business continuity/disaster recovery plan is in place, and setting high standards for information security.

In considering vendors, firms may wish to assess whether a vendor adheres to established third-party standards such as ISO 22301:2012 (Societal security: business continuity management systems).

From internal processes and employee education, through vendor management, businesses are expected to remain vigilant and work to continuously improve the controls and security measures in place to protect the information under their control—and in turn, support their clients by providing necessary assurances on this front.

Financial market participants globally continue to hone their focus on risk management, governance and risk assurance. The Canadian market example may offer insights and tools for global participants as they seek to deliver assurance—in particular when the focus moves to protect data managed both internally and externally by vendors.

Fostering a sustainable risk culture and demonstrating powerful resiliency is a staple of success in the evolving technological landscape. With new innovations springing up on an ongoing basis, new and evolving risks will need to be (re)considered by financial market participants of all sizes and functions.

Regardless, by taking the steps to consider risk from many lenses, by learning from relevant examples, leveraging available tools and resources, and most of all by engaging thoughtfully with vendors and clients, firms can set themselves up to continue to bolster stakeholders’ confidence and in turn continue to drive success.
