Effective Internal Audit in the Financial Services Sector - Key Points

Eliza Hawthorn September 3, 2013

Recently the Chartered Institute of Internal Auditors release their recommendations from the Committee on Internal Audit Guidance for Financial Services titled Effective Internal Audit in the Financial Services Sector.

This guidance document represents the final recommendation of the Committee on Internal Audit Guidance for Financial Services chaired by the highly experienced Roger Marshall, the Audit Committee Chair of a FTSE 100 insurance group and a director of the accountancy standards setter, the Financial Reporting Council (FRC).

The Committee on Internal Audit Guidance for Financial Services was set up as an independent, industry-led body by the Institute of Internal Auditors specifically for the purpose of developing this guidance in the wake of the credit crunch and the perceived weaknesses in the Internal Audit practice which have become to be seen as a contributory factor to the near melt down of the global financial services industry.

This is an important guidance document for both audit professionals, risk and compliance professionals and senior executives and board members as it sets out what good Internal Audit looks like in a post credit crunch world. Here are some key points.......

New StratexPoint Introduction Animation

Eliza Hawthorn August 30, 2013

StartexSystems are really pleased with our brand new 40 sec StratexPoint Intro Animation Video. It's the perfect summary of our integrated strategy execution & risk management solution based on Microsoft's SharePoint framework.

Information Risk - an emerging crisis in financial services or here already?

Eliza Hawthorn August 29, 2013

Abstract: Information is collected, stored and used through digital media. Our businesses rely on information in this digital space - information that we use to conduct our day to day business; information that lets us make decisions or do things better than our competitors; information that we need to protect and share to comply with the law and regulations placed upon us. There is a growing cyber threat to this media and I agree with the recent KPMG report that a cyber attack could be the next big crisis to befall the financial services sector. But I also contest that cyber, or more accurately information, incidents are already here and having significant impacts across the sector. We need to act now to stave off the near-term and longer term risks.

Many of you reading this will have, like me, read the recent report by KPMG warning of a cyber attack, or massive system outages (which themselves, of course, may or may not be caused by a cyber attack), as being the next catastrophe awaiting the financial services sector. If not the report then you will have probably caught an article about it (such as this one by Computer Weekly, that stated "Cyber attack or disruption could cause the next systemic shock to the UK banking industry rather than a liquidity crunch". The KPMG report provides some interesting facts and figures on the escalating cyber issues, such as increases in online account fraud.

This got me thinking as to the wider information risks that financial services face. Information is essential for financial institutions to conduct their business. Information is usually held on ICT systems. Manual interaction with the ICT systems, or automated systems, trigger actions based on that information. So whilst we are dependent on the systems themselves, it is the information which is of paramount importance. Arguably, it is the information we need to conduct our business, ICT just streamlines the operations. If we had the information we could, arguably, continue a semblance of our business. So is it right to look at cyber risk, which tends to lead us into the world of IT security, or is cyber risk a sub-element of a broader information risk, which is a much more prominent business-led activity?

Good information management is about having the right information in the right place at the right time and using it effectively - that is protecting it as it gives us a source of competitive advantage, and sharing it when we need to or when it will lead to enhanced business value.

A look over the fines that the FCA or ICO (Information Commissioners Office) have issued recently shows that companies are not getting the right information and / or not keeping it or getting it to the right place at the right time. The conclusion: Information incidents are here and already causing much disruption.

The ICO have, to date, predominantly fined councils and healthcare organisations, but they have issued 3 fines to financial services organisations, as well as some to energy organisations and law firms.

Whilst the ICO fines for breaching the Data Protection Act, a maximum of £500k, may seem relatively insignificant to a large financial services organisation, there can be more significant impacts. In this world of growing on-line banking and fraud, information security has been a source of competitive advantage. I Now I for one consider the security of my personal information when choosing an on-line bank. Banks recognise this consumer behaviour (it isn't just me!) and for some time have deployed variations of passwords, card readers, random password key generating tokens, secret questions and so forth to promise their customers the most secure account log in. So a fine from the ICO, which effectively says to the market "this organisation doesn't look after your personal data quite right" can have far more severe financial impacts than just the fine with loss of reputation, and therefore customer retention and attraction, impacts.

FCA fines are far more significant but rarely are they talked about in information incident terms. Here are some of the top 10 fines issued that could be construed as information incidents.

CPP were fined £10.5m for mis-selling insurance in 2012. One of the two primary reasons, rather ironically, was that CPP "overstated the risks and consequences of identity theft during sales of identity protection". This case of mis-selling could easily be classed as an information incident - a case of not having the right information and not sharing it appropriately with their customers.

Shell were fined £17m for market abuse in 2004, in which FSA accused Shell of making "false and misleading announcements" in relation to its oil and gas reserves. A case of having, we assume, all the right information to hand but sharing the wrong information with key stakeholders.

Goldmann Sachs were fined £17.5m in 2010, where a breakdown in communications led to the FSA, as was, not being informed of an individual working in the UK who was subject to serious fraud charges in the US. Again an incident of not sharing information appropriately.

Of course, who could forget UBS who were fined nearly £30m in late 2012 for serious weaknesses in controls that led to losses of over £1.5bn during three years of illicit trades by a relatively junior employee. Arguably, weak information systems and poor information risk management led to the company not finding, or analysing, data to provide actionable intelligence to identify the issue earlier and address it.

Prudential, in March 2013, were fined £30m for not informing the FSA of a planned acquisition in a timely manner. Another case of not using information that existed in an appropriate manner.

The FSA, as was, has also issued fines directly related to losing customer data, for instance Zurich being fined £2.3m for losing the personal data of 46,000 customers in 2010.

What does all this tell us? Well, we started this exploration of information risk from the recent KPMG report that suggests a cyber attack could be the next big crisis in financial services. I contest that the issue of cyber, or information, incidents is here already. Fines for not controlling our information, and the subsequent reputation and share price damage, have been happening for years - those listed above total over £100m and it would be easy to add more to the list. If we don't get a good control of our information systems (which include people and physical premises, not just IT) now, we will continue to suffer increasing fines and reputational damage in the short term, and fail to protect ourselves against the next big crisis just around the corner.

Secure Data Sharing

Eliza Hawthorn August 8, 2013

I’ll Send You that File How many times each day do you say, “I’ll send you that file” or something very similar? If you are anything like me, more times than you want to admit. We all share data daily and the frequency and amount of data shared shows no sign of diminishing, if anything file sizes and quantity just keep growing year on year.

With all this movement of data do we ever stop and think just what it is that we are sending across the internet? How many of those shared chunks of data contain sensitive information? Now you don’t have to be working for MI5 to have sensitive information, we all have such data on our PCs, laptops, iPads etc. Personal information such as bank account details, contracts even very simple stuff like friends addresses, telephone numbers. In a world where identity theft is a very real and growing problem should we not be taking much more care of this data? I for one think we should.

Identifying the Threat It is easy to become paranoid when you start thinking about cyber security, assessing the risk is not always as easy as you would think. For instance; what are the risks of sending a clear text email?

Well firstly your email will travel across the internet via any number of servers before it reaches your intended recipient. At each of these servers it is possible for the data to be read and copied, even read and amended. Now this is generally not the case, however conceptually it is possible. I’m sure big brother is reading all our communications these days, justified as part of the fight against terrorism. But concerns about interception are just part of the story. Copies of your emails are generally saved as sent items, this can be on your device but equally it can be on your internet provider’s server. What level of security exists there? And as the receiver of that email how certain are you that the sender is who you think it is?

So you see just looking at one possible way we share data it isn’t easy even feasible for us to truly evaluate the risk. What we tend to do is just press send and then forget about it.

Responsible Adult Is it good enough to carry on like this? As responsible adults should we be doing more to protect ourselves, our friends and our business partners from becoming the target of some sleazy cyber-criminal? We definitely should! Just recently I was subjected to an identity theft attack and I can tell you it was no fun sorting that one out. So what should we be considering?

Secure Email and File Transfer The obvious answer to all of these concerns is data encryption. And before you say it, it doesn’t have to be complicated, costly or impossible to understand. The latest generation of email encryption products offer real ease of use some additionally allow the encrypted transfer of even very large files all in just a couple of clicks. Now if you have ever tried using email or file encryption in the past you are probably thinking apart from all the complexities involved I’ll have to get my friends and colleagues to buy into the same product so this is a non starter. Well you might be surprised to learn that some secure email products such as Egress’s Switch offer all the above functionality and more, whilst being free to use as the recipient. So there really should be no excuse.

Summary Well I hope this has given you food for thought. Don’t wait until you become the target of an attack. Take responsibility for securing your communications. No one will thank you for allowing their personal data to be left at risk. Do it today.

Cyber crime and cyber espionage could cost $100bn every year

Eliza Hawthorn July 25, 2013

The cost of cyber crime and cyber espionage could amount to as much as $100bn every year with some 500,000 lost jobs in the US alone, according to a new report by security software vendor McAfee and the US Center for Strategic and International Studies. (CSIS)

The report, titled 'THE ECONOMIC IMPACT OF CYBERCRIME AND CYBER ESPIONAGE' was compiled with the aid of economists, intellectual property experts and security researchers.

"Losses to the US (the country where data is most accessible) may reach $100bn annually. The cost of cyber crime and cyber espionage to the global economy is some multiple of this likely measured in hundreds of billions of dollars," reads the report, which classified malicious cyber activity into a number of different areas.

[VIA]

Enabling Effective Conduct Risk Webinar

Eliza Hawthorn July 24, 2013

Apologies to the attendees who were 'trapped' in the waiting room and couldn't enter the Webinar! We encountered a number of technical difficulties, including sound issues as well.

Please find below, the recording of the Conduct Risk webinar (July 17th) for you to view in your own time.

July 17th 2013 "Enabling Effective Conduct Risk" Webinar 15:00-16:00 GMT The regulatory landscape for the UK Financial Services industry has undergone a fundamental change with the Financial Services Authority (FSA) splitting into two new regulatory bodies; the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA).

INTRODUCTION:

The regulatory landscape for the UK Financial Services industry has undergone a fundamental change with the Financial Services Authority (FSA) splitting into two new regulatory bodies; the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA).

Focusing on the FCA and the Conduct Risk agenda, in this webinar, "Enabling Effective Conduct Risk", StratexSystems demonstratse how firms can effectively manage conduct risk by taking an integrated approach to strategy and risk management, and how the StratexPoint solution can support firms as they seek to meet the challenges of conduct risk and engage effectively with the new regulator around this agenda.

During the webinar, StratexSystems outlines:

‘The Seven Key Challenges of Conduct Risk Management’;

1. Managing and embedding Governance into the business

2. Definition and embedding the Business Model

3. Definition and execution of the Business Strategy with customers at its heart

4. Enabling & embedding Conduct Risk specific processes

5. Process Management, and specifically New Product Development

6. Product level performance and risk management

7. Conduct incident reporting and analysis

StratexSystems demonstrates during the webinar that Enabling Effective Conduct Risk Management is not about throwing everything that one currently does away and starting afresh but rather building on existing strategy execution and risk management processes and tools.

Cyber Risk in Top 3 Global Risk Issues According to Lloyds Risk Report

Eliza Hawthorn July 12, 2013

The third Lloyd's Risk Index has been published and it was very interesting to not ethe rise in the Risktable of Cyber Risk.

Cyber risk has moved from position 12 (malicious) and 19 (non-malicious) in 2011 to the world’s number three risk overall. It appears that businesses across the world have encountered a partial reality check about the degree of cyber risk. Their sense of preparedness to deal with the level of risk, however, still appears remarkably complacent.

The number of incidents attributed to state-sponsored hacking and revenge attacks by ‘hacktivist’ networks is growing. So, too, are the costs of cyber breaches. A 2012 study by the Ponemon Institute3 found that the average annualised cost for 56 benchmarked organisations was US$8.9 million a year, up from US$8.4 million in 2011, with a range from US$1.4 million to a staggering US$46 million per year, per company. The most costly cybercrimes involved malicious code, denial of service and web-based attacks.

Against all the evidence of the past two years, businesses believe they are slightly more able to deal with the risk, with an overall preparedness score of 5.9, against the priority given to the risk itself at 5.7. In 2011, the US was the only world region where the cyber threat made it into the top five; by 2013, this is now the region’s number two risk. And yet US businesses still score their preparedness (at 5.4) at a higher rate than the risk itself (at 5.1).

As in 2011, we must ask again if, despite their escalating spend on cyber security, businesses are actually spending money on the right things? Cyber insurance specialists are offering increasingly integrated cyber products, including those that provide cover for data breach costs, forensic analysis and crisis public relations services in one package.

While these products are highly effective in an emergency, spending money upfront on risk management – and ensuring recommendations are implemented throughout a company – might go a long way to preventing a cyber disaster before it starts.

You can download their Full Report from HERE

StratexSystems announces impressive client wins in the first half of the year for its Enterprise Risk Management Solution

Eliza Hawthorn July 5, 2013

StratexSystems announces impressive client wins in the first half of the year for its Enterprise Risk Management Solution.

London, UK. July 5th, 2013 – StratexSystems announced today that it has seen a significant increase in the number of clients in the first half of 2013. Included within their recent client wins are two of Europe’s largest Central Banks/Financial Services regulators, one of the largest global asset management firms, six insurance companies as well as a FTSE100 defence company. Additionally, a number of organisations are piloting the StratexPoint solution, including their first firm in the water industry, whom has recently completed a pilot deployment with positive results.

The number of clients highlighted above is significant as it demonstrates that the StratexPoint solution has been adopted by a wider range of organisations and is being applied to address needs beyond Enterprise and Operational Risk Management in Banks.

Having two of Europe’s largest Central Banks/Financial Services regulators as StratexSystems clients can be seen as a strong validation of their solution’s integrated approach to strategy and risk management. Furthermore, gaining an asset management firm and several insurance companies into the fold reflects StratexSystems’ concerted efforts to acquire clients across the various facets of the financial services industry.

Additionally, wins within the defence and water industry reflect the success StratexSystems are having with building and expanding their partner channels.

Adoption by a defence company to use StratexSystems’ solution is of particular interest as StratexPoint was selected as the software platform to enable the deployment of a business-led, information asset-centric, enterprise-wide cyber security framework.

This builds on StratexPoint’s strength as an operational risk management tool and highlights the importance of cyber risk management as a critical component of an overall operational risk management framework and solution.

These client wins are the result of continued efforts to increase their profile through a co-ordinated sales & marketing approach. Included within the approach was an Executive Breakfast Briefing in the City [London] during which two existing clients, Aldermore Bank & HML presented their risk journey and experiences with StratexSystems. They are also finding success via their sponsorship of the Institute of Operational Risk (Scottish Chapter).

Andrew Smart, CEO, StratexSystems stated, "The first half of the year has seen our team and solution gain real traction and momentum. Our clients continue to face challenges around delivering their numbers in the face of higher capital charges and a wave of regulation. The introduction of a twin peaks regime has added to their challenges, with conduct risk being a new area where StratexPoint is helping.

Adding such important organisations to our client list is a strong endorsement of our solution and its on-going development in response to market and customer demands."

Guy Sutton, Sales Director, StratexSystems said, “We are extremely pleased with our successful start to 2013. With the success achieved to date and the momentum built, we are looking to make 2013 a break-through year, both for our business and for clients."

Ends

Notes to Editor

To interview a spokesperson, please contact: james.reeve@stratexsystems.com

For more information about StratexSystems visit: www.stratexsystems.com

About StratexSystems

StratexSystems is the only software company in the world to provide an integrated, Risk-based Performance solution powered by Microsoft's SharePoint platform.

Their goal is simple – to help businesses execute strategy while operating within their acceptable level of risk exposure.

About StratexPoint

StratexPoint is an integrated Strategy Execution and Risk Management solution built on the ubiquitous Microsoft SharePoint platform. With support for each of the three lines of defence; the solution is comprehensive in nature but modular in deployment, delivering a high ROI, high user adoption and high levels of assurance to your Board and Regulator(s) that you are operating within appetite.

Download the PDF Version HERE

Enabling Effective Conduct Risk- Webinar JULY 10th

Eliza Hawthorn June 28, 2013

July 10th 2013 "Enabling Effective Conduct Risk"

Webinar 17:00-18:00 GMT

Focusing on the FCA and the Conduct Risk agenda, in this webinar, "Enabling Effective Conduct Risk", StratexSystems will demonstrate how firms can effectively manage conduct risk by taking an integrated approach to strategy and risk management, and how the StratexPoint solution can support firms as they seek to meet the challenges of conduct risk and engage effectively with the new regulator around this agenda.

During the webinar, StratexSystems will outline:

‘The Seven Key Challenges of Conduct Risk Management’;

Managing and embedding Governance into the business
Definition and embedding the Business Model
Definition and execution of the Business Strategy with customers at its heart
Enabling & embedding Conduct Risk specific processes
Process Management, and specifically New Product Development
Product level performance and risk management
Conduct incident reporting and analysis

StratexSystems will demonstrate during the webinar that Enabling Effective Conduct Risk Management is not about throwing everything that one currently does away and starting afresh but rather building on existing strategy execution and risk management processes and tools.

Additionally, during the webinar we will demonstrate that if firms approach Conduct Risk from the right perspective, they can generate significant value, beyond simply satisfying a regulatory compliance demand.

This webinar is FREE of charge to attend.

CLICK HERE TO REGISTER YOUR INTEREST

Microsoft Teams Up With Oracle

Eliza Hawthorn June 28, 2013

MICROSOFT TEAMS-UP WITH ORACLE AND WILL SUPPORT THEIR SOFTWARE ON ITS CLOUD-BASED PLATFORMS.

LONDON, UK (26th June, 2013) – The public collaboration announcement between two major technology pioneersmarks a symbolically important partnership milestone. Traditionally, the two firms have been rivals in a very competitive tech field, however this enterprise partnership deal will provide both sets of their customers with confidence in the cloud computing environment by providing them with a greater choice and adaptability.

Oracle will be providing their customers with the ability to run Oracle software on Windows Server Hyper-V and in Windows Azure. They will also provide certification and support for Oracle applications , middleware, databases, Java and Oracle Linux on Windows Azure & Hyper-V.

StratexSystems would like to welcome Oracle to the Microsoft cloud services family and envisage a very productive partnership between the two companies that will give consumers the ability to best utilise Microsoft’s elastic online computing services in the cloud.

As a Microsoft Certified Partner & Cloud Services Partner, StratexSystems recognises the value of the Windows Azure platform for cloud services. Its scalability, flexibility and supportresources provides the perfect platform for the Microsoft & Oracle alliance. This hybrid solution can offer customers from across the world the ability to meet their needs within the technology business field. As it becomes increasingly dynamic in terms of customers demands and a rise in fragmentation of devices and systems, this collaboration in the cloud looks to offer customers a flexible solution that can benefit everyone.

MICROSOFT TEAMS-UP WITH ORACLE AND WILL SUPPORT THEIR SOFTWARE ON ITS CLOUD-BASED PLATFORMS.

StratexSystems

Enterprise Governance, Risk and Compliance Software