GRC Roundup - October 2022 | What's New in the GRC Universe?
GRC | 8 Min Read | 31 October 22 | by Shampa Mani
With the constantly growing volume, pace, and complexity of risks, strengthening business continuity and organizational resilience continues to be a top concern for businesses, industry bodies, and regulators.
Speaking at the Central Bank of Nigeria’s Second National Risk Management Conference, Joshua Rosenberg, Executive Vice President and Chief Risk Officer, Federal Reserve Bank of New York, said:
“Of course, risk management should help us reduce the frequency and size of negative events and then recover more quickly and effectively when negative events occur. But, risk management, in my view, should also help the right things happen by giving us tools to work more effectively.”
October is observed as Cybersecurity Awareness Month in the U.S. This year, we saw a surge in state leaders' desire to combat cybercrime not just in the U.S., but globally. As remote work and bring-your-own-device (BYOD) become the norm, there is a rising awareness of the unseen dangers that lie behind cloud solutions, remote work, and increasing phishing and ransomware attacks.
At the same time, regulators continue to issue ESG guidance and recommendations to help organizations drive growth with purpose. The U.S. Federal Reserve is emerging as a pioneer with its pilot program that will see six global systemically important banks running climate change scenarios, wherein they will incorporate climate change risks into their risk management frameworks.
At MetricStream, we are celebrating an important update for our growing ecosystem of customers and partners. In October, we launched Euphrates, our latest release, which includes multiple pathbreaking product and platform innovations and enhancements that help customers accelerate their GRC program performance.
We cover all of this and more in our monthly roundup of the latest updates and insights viewed through the GRC lens.
In the World of Risk, Regulation, and Resilience
Risks today are interconnected, requiring comprehensive solutions and a holistic approach to governance, risk, and compliance (GRC). As the risk landscape expands, developing organizational resilience through enterprise and operational risk management and keeping a close eye on critical third parties are emerging as top priorities.
The European Systemic Risk Board (ESRB) has warned about vulnerabilities in the Union financial system, which will require private sector institutions, market participants, and relevant authorities to prepare for the materialization of tail-risk scenarios. It has identified three severe systemic risks to financial stability:
- the deterioration in the macroeconomic outlook combined with the tightening of financing conditions
- risks to financial stability arising from a sharp fall in asset prices
- the impact of the deterioration in macroeconomic prospects on asset quality and the profitability outlook of credit institutions
Here is the top news in the areas of enterprise risk, resilience, and regulations:
- According to the 2022 Global State of Enterprise Risk Oversight, 5th edition, released jointly by North Carolina State University, the AICPA, and CIMA, 61% of respondents from Europe and the UK, 77% of respondents from Asia and Australia, 76% of respondents from Africa and the Middle East, and 64% of U.S.-based respondents said that the volume and complexity of risks have increased "mostly" or "extensively," suggesting that no specific region appears to be noticeably less risky.
- In BCI’s latest Continuity & Resilience report, 37.3% of respondents said that a board-level role for promoting and coordinating resilience efforts had been created and occupied in their organization.
- Compliance units within financial services firms are under pressure to do more with less, reports Thomson Reuters, with respondents to the recent Cost of Compliance survey saying they expect their budget to increase in 2022.
- Inflation, financial crisis, energy supply, cyber attacks, and supply chain disruptions are the top five risks identified by all business leaders responding to Aon’s 2022 Executive Risk Survey.
Getting Tough on Cyber Risks
Heads of state are urging cybercrime prevention. The White House observed Cybersecurity Awareness Month with President Biden urging people, businesses, and institutions to recognize the importance of cybersecurity and take proactive steps to protect themselves from cyber threats to support national security and resilience.
The European Commission also plans to impose strict new security rules on IT businesses that will hold them liable for the security of their goods. The Cyber Resilience Act, the first EU-wide cybersecurity regulation, will require cybersecurity safeguards for products with digital elements.
Cloud security incidents are a recurring source of concern, according to recent data from Venafi. 51 percent of the study's security decision-makers (SDMs) think that cloud-based security threats are greater than those associated with on-premises security. Ransomware attacks on SaaS data are also becoming more widespread. Gartner reported that with the increase in remote and hybrid work, the transition from virtual private networks (VPNs) to Zero Trust Network Access (ZTNA), and the shift to cloud-based delivery models, worldwide spending on security and risk management will grow 11.3% in 2023.
Here’s a quick look at the major headlines from cyberspace:
- Announcing the theme for the year as "See Yourself in Cyber," the Cybersecurity and Infrastructure Security Agency (CISA) encouraged ordinary citizens to take up the fight against cybercrime.
- At the Ferma Forum, the European Union Agency for Cybersecurity stated that it is establishing cybersecurity guidelines for small and midsize firms to improve cyber risk management throughout Europe and within supply chains. EU SMEs struggling to create cybersecurity policies will benefit from the "reference" cyber standard.
- According to a recent Bank of England study, cyberattacks pose the greatest danger to the UK financial system. The rapid increase in this perceived risk can be attributed to changes in the industry that favor remote employment and cloud-based services.
- At the Gartner IT Symposium/Xpo, October 17-20, application and integration strategies, security and risk management, and infrastructure and operations were identified as the top three technology priorities for midsize enterprises (MSEs) in 2022. The top 10 strategic technology trends for 2023 highlight how investments in sustainable technology provide operational and financial benefits and can create growth opportunities to help enterprises.
- A new IBM survey reveals that more than 77 percent of cybersecurity incident responders feel a strong sense of service when reporting cyber threats. The finding that most respondents sought mental health therapy as a result of their experiences responding to cyberattacks suggests that cyberattacks have unintended repercussions.
- Findings from the 2023 Global Digital Trust Insights by PwC indicate that cumulative investments and C-suite collaboration are among the top reasons for improvements in cybersecurity in the past year. The C-suite playbook on cybersecurity and privacy sheds more light on how CISOs and cyber teams can work together for cyber-ready futures.
- Reflecting the rapidly weaponized cyber attack landscape and escalating geopolitical uncertainty, cybersecurity tops the Risk in Focus 2023 research report which identifies the top risks facing organizations for the year ahead.
- The Deloitte/NASCIO 2022 Cybersecurity Study, "State Cybersecurity in a Heightened Risk Environment," highlighted the role of chief information security officers (CISOs) in swiftly moving government processes and services online and speeding digital transformations. It also underscored the need for state CISOs to adopt emerging technologies, collaborate with local government agencies and higher education institutions, upskill state employees, and change hiring policies to attract the next generation of highly skilled cyber professionals.
- In its Cyber Risk Trends 2022 report, Allianz said that ransomware continues to be the top cyber risk for organizations. It also underscored the emerging threats posed by the growing dependencies on cloud services, the evolving third-party liability landscape, and the impact of a shortage of cybersecurity professionals.
ESG Regulations Taking Center Stage
Regulators are prioritizing environmental, social, and governance (ESG) issues. The importance of addressing climate risks, social equity, and environmental threats is gaining traction. As the board and executives across levels pay attention to ESG, corporate investors rely on ESG pledges and ratings to decide where to invest. Standardizing and implementing ESG reporting and ratings have become more crucial.
The Task Force on Climate-related Financial Disclosures (TCFD) reported a five-year increase in climate change awareness. Since 2017, climate change and climate-related reporting requirements have become more common in financial markets, and more companies are publicly committing to net-zero emission transition plans.
Here’s a quick recap of ESG-related news from around the world:
- In a Federal Reserve-run pilot program, six global systemically important banks (GSIBs) in the US will be asked to run climate change scenarios. Banks will need to incorporate climate change risks into their risk management frameworks and provide full disclosures. The pilot is expected to provide insight into climate risk management and assess the resilience of institutions under different climate hypotheticals.
- The Financial Stability Board (FSB) has finalized the recommendations for standard-setting bodies to address climate-related financial risks at financial institutions in its new report, titled "Supervisory and Regulatory Approaches to Climate-Related Risks."
- Updated guidelines from the European Securities and Markets Authority (ESMA) ensure a common, uniform, and consistent implementation of the MiFID II requirements. While several guidelines remain constant, most have been updated to reflect new developments in the sustainability criteria, and take into consideration various factors, including risks and client preferences.
- The Japan Financial Services Agency released supervisory guidance on climate-related risk management and client engagement. The JFSA will present concepts and approaches for each specific theme and area in the form of discussion papers which will serve as a reference point in dialogue between the FSA and financial institutions.
- The Asset Management Association Switzerland (AMAS) has issued new ESG self-regulation that establishes a new ESG framework for Swiss collective investment scheme producers and investment managers. The new regulations will affect the release and reporting of sustainability-related data and the governance and internal operations of such collective investment schemes.
- According to a report by global law firm Dechert and global advisory StoneTurn, organizations that adopt and integrate ESG elements into their business model are more likely to create value and accelerate development while reducing legal and regulatory concerns.
Last but not least, we are gearing up to celebrate the 10th anniversary of our premier event, GRC Summit, in London on November 8-9. The two days are packed with insightful and engaging sessions on risk, resilience, compliance, cyber, and ESG, and will provide you with opportunities to network and connect with the best in the industry. Register today to become a part of the thriving GRC community.