Rampant cyberattacks, the possibility of cybersecurity regulation in New York, unexpected political events and digital innovation left risk managers with a lot to think about in 2016.
But 2017 has arrived, and with it comes a new set of challenges and opportunities. Some of these continue last year's trends, and others are a response to them.
1. First-in-nation cybersecurity regulation
Regulators are aware of the volatile cyberthreat landscape facing financial institutions, which has prompted the New York Department of Financial Services (DFS) to propose the nation's first cybersecurity regulation in New York State.
On Dec. 28, 2016, the New York DFS made adjustments to the initial proposal to accommodate "more flexibility and company customization" for financial institutions, according to The National Law Review. Now, the cybersecurity strategy of a given institution should be based on periodic risk assessments.
"The Risk Assessment and cybersecurity program is no longer cookie-cutter; it must be based on the individualized aspects of the entity and the specific risks it faces," the National Law Review wrote.
Whether this will pass in its current form remains to be seen. But there is a strong chance that the fate of this proposal will be determined in 2017, and that it will set a precedent for future cybersecurity regulation.
2. Fintech companies gain momentum
The Office of the Comptroller of the Currency (OCC) recently established a limited-purpose bank charter program for fintech firms, and is in the process of refining a framework that would help regulate these companies. While this development does not immediately impact banks and credit unions, Deloitte pointed out in a recent white paper that the national charter may eventually make it easier for fintech companies to compete more directly with traditional financial institutions. It added that this should spur banks and credit unions to increase their focus on fintech:
"Banks should seek to understand the capabilities of fintechs by attending industry forums and roundtables that bring traditional banks and fintech firms together," Deloitte argued. "They should also stay abreast of regulatory developments related to fintech firms and partnership arrangements, exploring ways to enhance their bank services by partnering, or possibly by investing or purchasing fintech firms."
Any new implementations of technology may add layers of risk that need to be managed; however, banks that opt out of fintech for the sake of risk avoidance will miss opportunities. Fintech's rewards are open for the taking, but only for those who are capable of managing its risks.
3. Increased focus on enterprise risk management
Risk modeling for new business initiatives, be they technology-based or not, is all but impossible without an enterprise view of a financial institution.
Historically, some organizations have taken inward-facing measures in their efforts to manage longer-term risk, or what Eric Nelson, who will facilitate Community Bankers and Directors Hot Button Conferences in Mississippi later this month, referred to as siloed decisions.
This methodology can be problematic because it fails to identify bigger-picture, company-wide risk. The outcome is the increased likelihood of optimism bias among certain departments, or a lack of organizational transparency. For some financial institutions this may not be an issue, but others may see value in the ability to have a bird's-eye view of their risk appetite, now and in the future.
"Enterprise Risk Management (ERM) is the next generation of regulation based on forward-looking measuring and monitoring techniques as opposed to what bankers have been doing, i.e. using historic data to measure risk," Becky Gillette wrote the Mississippi Business Journal.
It's difficult to predict exactly how ERM will fare among banks and credit unions in 2017, but based on failures to identify sources of organizational risk in 2016, some financial institutions may start assessing the value of an ERM-based approach to risk management.
4. Greater emphasis on cybersecurity assessments
Cybercriminals hit organizations harder in 2016 than ever before, and they can do it again in 2017. Only this year, cyberthreats will be more evolved. Hackers are constantly adopting novel tactics to break into organizations. Thomas Curry, the Comptroller of the Currency, called cyberthreats the "single greatest systemic threat to our financial system."
It's not always possible to preempt every source of a cyberattack, especially in such a rapidly changing digital world. However, cybersecurity assessment tools can help risk managers identify weak spots in their own organization that leave them susceptible to known threats. Business stakeholders can then set a plan in motion to address those chinks in the armor through whatever means necessary.
Supernal Software, creator of Scout risk management software, helps thousands of risk managers at banks and credit unions create FFIEC-based cybersecurity risk assessments. From here, these financial institutions are able to organize their cyber risk management efforts. This allows them to mitigate the likelihood of cybersecurity oversights that could induce data breaches, malware intrusions and other cyberattacks.