International Association of Risk and Compliance Professionals (IARCP)
1200 G Street NW Suite 800, Washington, DC 20005-6705 USA
Tel: 202-449-9750
www.risk-compliance-association.com

Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next

Dear Member,

We shouldn't be fatalistic. We're not doomed to repeat the past. Yes, the cycle is a force of human nature. But resilience to it can be nurtured. It will be a battle of nurture against human nature.

This is such an interesting speech! It is about "Nurturing resilience to the financial cycle" by Alex Brazier, Executive Director for Financial Stability Strategy and Risk of the Bank of England. Alex continued:

"The time to start it is when people most feel like celebrating: when your market is on the up. We have to start now. And if we're going to have any success, we - the Bank of England, you - the industry, and us - together, need to step up and act. So this evening I want to set out what is being done. At the heart of it is the need to ensure finance supports you through the whole cycle. The need to avoid the pattern - all too familiar to you - of financing conditions going from conservative to careless and then to completely closed, all too rapidly."

Read more at Number 4 below.

Welcome to the Top 10 list.

Best Regards,

George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800, Washington DC 20005, USA
Tel: (202) 449-9750
Email: [email protected]
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804, Wilmington DE 19801, USA
Tel: (302) 342-8828

Number 1
National Cyber Security Awareness Month
Best Practices for Victim Response and Reporting of Cyber Incidents, Version 1.0

Any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs.

This "best practices" document was drafted by the Cybersecurity Unit to assist organizations in preparing a cyber incident response plan and, more generally, in preparing to respond to a cyber incident.

Number 2
National Cyber Security Awareness Month
Growing Global Coalition Urges Internet Users Everywhere To STOP. THINK. CONNECT.

The 2015 National Cyber Security Awareness Month (NCSAM) is emphasizing "Our Shared Responsibility," the month's official theme and call to action for all global citizens to take basic steps to make the Internet – a vital resource for our personal, public and professional lives – safer and more secure.

Number 3
Panel remarks at the Brookings Institution
William C Dudley, President and Chief Executive Officer of the Federal Reserve Bank of New York, at "The Fed at a crossroads: Where to go next?", Brookings Institution, Washington DC

It is a great pleasure to be here today to participate in this panel with John Taylor. I am going to take today's topic - "Where to go next?" - to address the issue of how monetary policy should be conducted. This is an issue that is getting considerable attention among policymakers here in Washington, D.C. To put succinctly the question I wish to tackle: Is it better for policymakers to start with a formal rule as the default position, or for policymakers to have a more flexible approach that considers a broader set of factors in setting the monetary policy stance?

Number 4
Nurturing resilience to the financial cycle
Alex Brazier, Executive Director for Financial Stability Strategy and Risk of the Bank of England, at the Property Investor's Banquet, London

"It's clear why you are celebrating. A crane-filled skyline to the City. New office space completion in Central London: a ten-year high; More than thirty schemes underway: a twenty-year high; And transactions that are near a record high. Half of them financed by capital attracted from overseas."

Number 5
EIOPA advises to set up a new asset class for high-quality infrastructure investments under Solvency II

The European Insurance and Occupational Pensions Authority (EIOPA) published its Advice to the European Commission on the identification and calibration of infrastructure investments risk categories.

- Robust criteria have been put forward to identify eligible infrastructure projects;
- Risk charges for investing in qualifying infrastructure projects have been carefully calibrated to the respective risks, leading to a different treatment;
- To benefit from a different treatment, insurers will need to conduct adequate due diligence as part of an effective risk management of this complex and heterogeneous asset class.

Number 6
Progress on prudential regulation and three areas to complete
Andrew Bailey, Deputy Governor of Prudential Regulation and Chief Executive Officer of the Prudential Regulation Authority at the Bank of England, at the City Banquet, Mansion House, London

"This evening I want to describe the progress we have made on prudential regulation and then examine a number of topical issues for the PRA and the Financial Services industry: the Senior Managers and Certification Regime; structural reform and ring fencing; and what the PRA is doing to pursue its secondary objective on competition. A common theme here is getting the incentives right to support good outcomes in relation to both prudential and conduct objectives."

Number 7
Game changers in financial markets regulation, innovation and cybersecurity
François Groepe, Deputy Governor of the South African Reserve Bank, at the STRATE, PASA and GIBS Conference, Johannesburg

"A game changer can be defined as 'a newly introduced element or factor that changes an existing situation or activity in a significant way'. Another way of thinking about game changers may be in terms of what the well-known Austrian-born economist, Joseph Schumpeter, called 'creative destruction'. Schumpeter, writing on economic and social evolution in his work Capitalism, Socialism and Democracy in 1942, wrote: The opening up of new markets, foreign or domestic, and the organisational development from the craft shop to such concerns as US Steel illustrate the same process of industrial mutation - if I may use that biological term - that incessantly revolutionises the economic structure from within, incessantly destroying the old one, incessantly creating a new one. This process of creative destruction is the essential fact about capitalism."

Number 8
NCSA statement following report of data breach at Experian, Exposing T-Mobile Customer Data

Following a massive data breach at Experian, 15 million current or former T-Mobile customers woke up this morning to unsettling news: their sensitive personal information – names, addresses, Social Security numbers, birthdays and unique identification numbers – is now likely in the hands of malicious hackers. According to news reports, this is not the first time Experian has faced a data breach of this nature. It's not surprising that data brokers or credit bureaus – who collect millions of people's most private details – are prime targets for cybercriminals, but it is disconcerting.

Number 9
Hearing at the Economic and Monetary Affairs (ECON) Committee of the European Parliament
Gabriel Bernardino, Chairman of EIOPA

"I am happy to be here just less than four months before the full implementation of EIOPA's top-priority project - Solvency II, which will start on 1 January 2016. Since the end of 2014, the strategic focus of EIOPA's work on Solvency II has been on supervisory convergence, with the aim to ensure the highest consistency possible in the implementation of Solvency II across the EU. This is a project that has delivered state-of-the-art risk-based regulation in Europe, and which is the outcome of joint efforts by the co-legislators, regulators, supervisors and industry and consumer representatives. The European Parliament has played a key role in this process. As a first step towards ensuring this consistency, in the past 12-month period, EIOPA delivered in total 18 Implementing Technical Standards (ITS), of which six have already been endorsed by the European Commission (EC)."

Number 10
Tips from the National Counterintelligence Executive
Traveling Overseas with Mobile Phones, Laptops, PDAs, and other Electronic Devices

You should know:
- In most countries you have no expectation of privacy in Internet cafes, hotels, offices, or public places. Hotel business centers and phone networks are regularly monitored in many countries. In some countries, hotel rooms are often searched.

National Cyber Security Awareness Month
Best Practices for Victim Response and Reporting of Cyber Incidents, Version 1.0

Any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs.

This "best practices" document was drafted by the Cybersecurity Unit to assist organizations in preparing a cyber incident response plan and, more generally, in preparing to respond to a cyber incident. It reflects lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals' tactics and tradecraft can thwart recovery. It also incorporates input from private sector companies that have managed cyber incidents. It was drafted with smaller, less well-resourced organizations in mind; however, even larger organizations with more experience in handling cyber incidents may benefit from it.

I. Steps to Take Before a Cyber Intrusion or Attack Occurs

Having well-established plans and procedures in place for managing and responding to a cyber intrusion or attack is a critical first step toward preparing an organization to weather a cyber incident.
Such pre-planning can help victim organizations limit damage to their computer networks, minimize work stoppages, and maximize the ability of law enforcement to locate and apprehend perpetrators. Organizations should take the precautions outlined below before learning of a cyber incident affecting their networks.

A. Identify Your "Crown Jewels"

Different organizations have different mission critical needs. For some organizations, even a short-term disruption in their ability to send or receive email will have a devastating impact on their operations; others are able to rely on other means of communication to transact business, but they may suffer significant harm if certain intellectual property is stolen. For others still, the ability to guarantee the integrity and security of the data they store and process, such as customer information, is vital to their continued operation. The expense and resources required to protect a whole enterprise may force an organization to prioritize its efforts and may shape its incident response planning.

Before formulating a cyber incident response plan, an organization should first determine which of its data, assets, and services warrant the most protection. Ensuring that protection of an organization's "crown jewels" is appropriately prioritized is an important first step to preventing a cyber intrusion or attack from causing catastrophic harm. The Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST) provides excellent guidance on risk management planning and policies and merits consideration.

B. Have an Actionable Plan in Place Before an Intrusion Occurs

Organizations should have a plan in place for handling computer intrusions before an intrusion occurs. During an intrusion, an organization's management and personnel should be focused on containing the intrusion, mitigating the harm, and collecting and preserving vital information that will help them assess the nature and scope of the damage and the potential source of the threat. A cyber incident is not the time to be creating emergency procedures or considering for the first time how best to respond.

The plan should be "actionable." It should provide specific, concrete procedures to follow in the event of a cyber incident. At a minimum, the procedures should address:

- Who has lead responsibility for different elements of an organization's cyber incident response, from decisions about public communications, to information technology access, to implementation of security measures, to resolving legal questions;
- How to contact critical personnel at any time, day or night;
- How to proceed if critical personnel are unreachable and who will serve as back-up;
- What mission critical data, networks, or services should be prioritized for the greatest protection;
- How to preserve data related to the intrusion in a forensically sound manner;
- What criteria will be used to ascertain whether data owners, customers, or partner companies should be notified if their data or data affecting their networks is stolen; and
- Procedures for notifying law enforcement and/or a computer incident-reporting organization.

All personnel who have computer security responsibilities should have access to and familiarity with the plan, particularly anyone who will play a role in making technical, operational, or managerial decisions during an incident. It is important for an organization to institute rules that will ensure its personnel have and maintain familiarity with its incident response plan. For instance, the procedures for responding to a cyber incident under an incident response plan can be integrated into regular personnel training. The plan may also be ingrained through regularly conducted exercises to ensure that it is up-to-date. Such exercises should be designed to verify that necessary lines of communication exist, that decision-making roles and responsibilities are well understood, and that any technology that may be needed during an actual incident is available and likely to be effective. Deficiencies and gaps identified during an exercise should be noted for speedy resolution.

Incident response plans may differ depending upon an organization's size, structure, and nature of its business. Similarly, decision-making under a particular incident response plan may differ depending upon the nature of a cyber incident. In any event, institutionalized familiarity with the organization's framework for addressing a cyber incident will expedite response time and save critical minutes during an incident.

C. Have Appropriate Technology and Services in Place Before an Intrusion

Organizations should already have in place or have ready access to the technology and services that they will need to respond to a cyber incident. Such equipment may include off-site data back-up, intrusion detection capabilities, data loss prevention technologies, and devices for traffic filtering or scrubbing. An organization's computer servers should also be configured to conduct the logging necessary to identify a network security incident and to perform routine back-ups of important information. The requisite technology should already be installed, tested, and ready to deploy. Any required supporting services should either be acquired beforehand or be identified and ready for acquisition.

D. Have Appropriate Authorization in Place to Permit Network Monitoring

Real-time monitoring of an organization's own network is typically lawful if prior consent for such monitoring is obtained from network users. For this reason, before an incident takes place, an organization should adopt the mechanisms necessary for obtaining user consent to monitoring users' communications so it can detect and respond to a cyber incident. One means of accomplishing this is through network warnings or "banners" that greet users who log onto a network and inform them of how the organization will collect, store, and use their communications. A banner can also be installed on the ports through which an intruder is likely to access the organization's system.

A banner, however, is not the only means of obtaining legally valid consent. Computer user agreements, workplace policies, and personnel training may also be used to obtain legally sufficient user consent to monitoring. Organizations should obtain written acknowledgement from their personnel of having signed such agreements or received such training. Doing so will provide an organization with ready proof that it has met legal requirements for conducting network monitoring. Any means of obtaining legally sufficient consent should notify users that their use of the system constitutes consent to the interception of their communications and that the results of such monitoring may be disclosed to others, including law enforcement.

If an organization is a government entity (e.g., a federal, state, or local agency or a state university) or a private entity acting as an instrument or agent of the government, its actions may implicate the Fourth Amendment.
Consequently, any notice on the system of such an entity or organization should also inform users of their diminished expectation of privacy for communications on the network.

E. Ensure Your Legal Counsel is Familiar with Technology and Cyber Incident Management to Reduce Response Time During an Incident

Cyber incidents can raise unique legal questions. An organization faced with decisions about how it interacts with government agents, the types of preventative technologies it can lawfully use, its obligation to report the loss of customer information, and its potential liability for taking specific remedial measures (or failing to do so) will benefit from obtaining legal guidance from attorneys who are conversant with technology and knowledgeable about relevant laws (e.g., the Computer Fraud and Abuse Act (18 U.S.C. § 1030), electronic surveillance, and communications privacy laws). Legal counsel that is accustomed to addressing the types of issues often associated with cyber incidents will be better prepared to provide a victim organization with timely, accurate advice.

Many private organizations retain outside counsel who specialize in legal questions associated with data breaches, while others find such cyber issues are common enough that they have their own cyber-savvy attorneys on staff in their General Counsel's offices. Having ready access to advice from lawyers well acquainted with cyber incident response can speed an organization's decision making and help ensure that a victim organization's incident response activities remain on firm legal footing.

F. Ensure Organization Policies Align with Your Cyber Incident Response Plan

Some preventative and preparatory measures related to incident planning may need to be implemented outside the context of preparing a cyber incident response plan. For instance, an organization should review its personnel and human resource policies to ensure they will reasonably minimize the risk of cyber incidents, including from "insider threats." Proper personnel and information technology (IT) policies may help prevent a cyber incident in the first place. For instance, a practice of promptly revoking the network credentials of terminated employees—particularly system administrators and information technology staff—may prevent a subsequent cyber incident from occurring. Furthermore, reasonable access controls on networks may reduce the risk of harmful computer misuse.

G. Engage with Law Enforcement Before an Incident

Organizations should attempt to establish a relationship with their local federal law enforcement offices long before they suffer a cyber incident. Having a point-of-contact and a pre-existing relationship with law enforcement will facilitate any subsequent interaction that may occur if an organization needs to enlist law enforcement's assistance. It will also help establish the trusted relationship that cultivates bi-directional information sharing that is beneficial both to potential victim organizations and to law enforcement.

The principal federal law enforcement agencies responsible for investigating criminal violations of the federal Computer Fraud and Abuse Act are the Federal Bureau of Investigation (FBI) and the U.S. Secret Service. Both agencies conduct regular outreach to private companies and other organizations likely to be targeted for intrusions and attacks. Such outreach occurs mostly through the FBI's InfraGard chapters and Cyber Task Forces in each of the FBI's 56 field offices, and through the U.S. Secret Service's Electronic Crimes Task Forces.

H. Establish Relationships with Cyber Information Sharing Organizations

Defending a network at all times from every cyber threat is a daunting task. Access to information about new or commonly exploited vulnerabilities can assist an organization in prioritizing its security measures. Information sharing organizations for every sector of the critical infrastructure exist to provide such information.

Information Sharing and Analysis Centers (ISACs) have been created in each sector of the critical infrastructure and for key resources. They produce analysis of cyber threat information that is shared within the relevant sector, with other sectors, and with the government. Depending upon the sector, they may also provide other cybersecurity services. The government has also encouraged the creation of new information sharing entities called Information Sharing and Analysis Organizations (ISAOs) to accommodate organizations that do not fit within an established sector of the critical infrastructure or that have unique needs. ISAOs are intended to provide such organizations with the same benefits of obtaining cyber threat information and other supporting services that are provided by an ISAC.

II. Responding to a Computer Intrusion: Executing Your Incident Response Plan

An organization can fall victim to a cyber intrusion or attack even after taking reasonable precautions. Consequently, having a vetted, actionable cyber incident response plan is critical. A robust incident response plan does more than provide procedures for handling an incident; it also provides guidance on how a victim organization can continue to operate while managing an incident and how to work with law enforcement and/or incident response firms as an investigation is conducted. An organization's incident response plan should, at a minimum, give serious consideration to all of the steps outlined below.

A. Step 1: Make an Initial Assessment

During a cyber incident, a victim organization should immediately make an assessment of the nature and scope of the incident. In particular, it is important at the outset to determine whether the incident is a malicious act or a technological glitch. The nature of the incident will determine the type of assistance an organization will need to address the incident and the type of damage and remedial efforts that may be required.

Having appropriate network logging capabilities enabled can be critical to identifying the cause of a cyber incident. Using log information, a system administrator should attempt to identify:

- The affected computer systems;
- The apparent origin of the incident, intrusion, or attack;
- Any malware used in connection with the incident;
- Any remote servers to which data were sent (if information was exfiltrated); and
- The identity of any other victim organizations, if such data is apparent in logged data.

In addition, the initial assessment of the incident should document:

- Which users are currently logged on;
- What the current connections to the computer systems are;
- Which processes are running; and
- All open ports and their associated services and applications.

Any communications (in particular, threats or extortionate demands) received by the organization that might relate to the incident should also be preserved. Suspicious calls, emails, or other requests for information should be treated as part of the incident.
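The Step 1 items listed above (affected systems, apparent origin, remote servers that received data, and changes to user accounts) can be pulled from ordinary server and firewall logs. The script below is an added example, not part of the Cybersecurity Unit's document; its syslog-style sample lines, host names, user names and addresses are constructed, and the three message formats it parses (sshd logins, useradd/usermod account changes, and a firewall egress line) are assumed for illustration.

```python
"""Initial-assessment triage over constructed log lines (Step 1).

Added example; it is not part of the Cybersecurity Unit's document.
Host names, user names, addresses and the log formats are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: syslog-style lines from a web host, a firewall and a
# database host, covering logins, an account change and outbound traffic.
SAMPLE_LOGS = """\
Oct 12 02:14:07 web01 sshd[4411]: Accepted password for svc_backup from 198.51.100.23 port 51822 ssh2
Oct 12 02:14:09 web01 useradd[4470]: new user: name=helpdesk2, UID=1003, GID=1003, home=/home/helpdesk2, shell=/bin/bash
Oct 12 02:15:33 web01 usermod[4481]: add 'helpdesk2' to group 'sudo'
Oct 12 02:21:58 fw01 kernel: OUTBOUND SRC=10.0.5.12 DST=203.0.113.77 PROTO=TCP DPT=443 LEN=1460
Oct 12 02:22:01 fw01 kernel: OUTBOUND SRC=10.0.5.12 DST=203.0.113.77 PROTO=TCP DPT=443 LEN=1460
Oct 12 02:30:44 db02 sshd[9920]: Accepted publickey for svc_backup from 10.0.5.12 port 40112 ssh2
Oct 12 03:01:10 db02 sshd[9988]: Failed password for root from 198.51.100.23 port 51901 ssh2
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<proc>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
LOGIN = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)")
NEW_USER = re.compile(r"^new user: name=(?P<user>\w+)")
GROUP_ADD = re.compile(r"^add '(?P<user>\w+)' to group '(?P<group>\w+)'")
EGRESS = re.compile(r"OUTBOUND SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                    r"PROTO=\w+ DPT=(?P<dport>\d+) LEN=(?P<length>\d+)")

# RFC 1918 ranges stand in for "our network"; extend for your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when an address is outside the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one syslog line into ts/host/proc/msg, or None if it does not match."""
    m = SYSLOG.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Build the Step 1 picture: affected systems, apparent origin, account
    changes, remote servers that received data, and internal-to-internal logins."""
    report = {
        "affected_systems": set(),
        "apparent_origins": set(),
        "account_changes": [],
        "outbound_destinations": defaultdict(lambda: {"connections": 0, "bytes": 0}),
        "internal_logins": [],
        "first_seen": None,
        "last_seen": None,
    }
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        report["first_seen"] = report["first_seen"] or ev["ts"]
        report["last_seen"] = ev["ts"]
        msg = ev["msg"]
        if (m := LOGIN.match(msg)):
            if is_external(m["src"]):
                # Any external address in the auth trail is a candidate origin,
                # whether the attempt succeeded or not.
                report["apparent_origins"].add(m["src"])
            if m["result"] == "Accepted":
                report["affected_systems"].add(ev["host"])
                if not is_external(m["src"]):
                    # A login from inside points at an already-compromised host
                    # used as a stepping stone; it widens the scope.
                    report["internal_logins"].append((ev["host"], m["user"], m["src"]))
        elif NEW_USER.match(msg) or GROUP_ADD.match(msg):
            report["affected_systems"].add(ev["host"])
            report["account_changes"].append((ev["ts"], ev["host"], msg))
        elif (m := EGRESS.search(msg)):
            # The firewall reports it, but the sending host is the affected one.
            report["affected_systems"].add(m["src"])
            dest = report["outbound_destinations"][m["dst"]]
            dest["connections"] += 1
            dest["bytes"] += int(m["length"])
    report["outbound_destinations"] = dict(report["outbound_destinations"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

The same parser can be pointed at real auth, firewall and proxy logs once the regexes are adjusted to their formats; the report is a starting point for the written record that Step 3 asks for, not a substitute for a full forensic review.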
Evidence that an intrusion or other criminal incident has occurred will typically include logging or file creation data indicating that someone improperly accessed, created, modified, deleted, or copied files or logs; changed system settings; or added or altered user accounts or permissions. In addition, an intruder may have stored "hacker tools" or data from another intrusion on your network. In the case of a root-level intrusion, victims should be alert for signs that the intruder gained access to multiple areas of the network.

The victim organization should take care to ensure that its actions do not unintentionally or unnecessarily modify stored data in a way that could hinder incident response or subsequent criminal investigation. In particular, potentially relevant files should not be deleted; if at all possible, avoid modifying data or at least keep track of how and when information was modified.

B. Step 2: Implement Measures to Minimize Continuing Damage

After an organization has assessed the nature and scope of the incident and determined it to be an intentional cyber intrusion or attack rather than a technical glitch, it may need to take steps to stop ongoing damage caused by the perpetrator. Such steps may include rerouting network traffic, filtering or blocking a distributed denial-of-service attack, or isolating all or parts of the compromised network. In the case of an intrusion, a system administrator may decide either to block further illegal access or to watch the illegal activity to identify the source of the attack and/or learn the scope of the compromise. If proper preparations were made, an organization will have an existing back-up copy of critical data and may elect to abandon the network in its current state and to restore it to a prior state. If an organization elects to restore a back-up version of its data, it should first make sure that the back-up is not compromised as well.

Where a victim organization obtains information regarding the location of exfiltrated data or the apparent origin of a cyber attack, it may choose to contact the system administrator of that network. Doing so may stop the attack, assist in regaining possession of stolen data, or help determine the true origin of the malicious activity.

A victim organization may also choose to blunt the damage of an ongoing intrusion or attack by "null routing" malicious traffic, closing the ports being used by the intruder to gain access to the network, or otherwise altering the configuration of a network to thwart the malicious activity. The victim organization should keep detailed records of whatever steps are taken to mitigate the damage and should keep stock of any associated costs incurred. Such information may be important for recovering damages from responsible parties and for any subsequent criminal investigation.

C. Step 3: Record and Collect Information

1. Image the Affected Computer(s)

Ideally, a victim organization will immediately make a "forensic image" of the affected computers, which will preserve a record of the system at the time of the incident for later analysis and potentially for use as evidence at trial. This may require the assistance of law enforcement or professional incident response experts. In addition, the victim organization should locate any previously generated backups, which may assist in identifying any changes an intruder made to the network. New or sanitized media should be used to store copies of any data that is retrieved and stored. Once the victim organization makes such copies, it should write-protect the media to safeguard it from alteration.
The victim organization should also restrict access to this media to maintain the integrity of the copy's authenticity, safeguard it from unidentified malicious insiders, and establish a chain of custody. These steps will enhance the value of any backups as evidence in any later criminal investigations and prosecutions, internal investigations, or civil law suits.

2. Keep Logs, Notes, Records, and Data

The victim organization should take immediate steps to preserve relevant existing logs. In addition, the victim organization should direct personnel participating in the incident response to keep an ongoing, written record of all steps undertaken. If this is done while responding to the incident or shortly thereafter, personnel can minimize the need to rely on their memories or the memories of others to reconstruct the order of events. As the investigation progresses, information that was collected by the organization contemporaneous to the intrusion may take on unanticipated significance. The types of information that the victim organization should retain include:

- a description of all incident-related events, including dates and times;
- information about incident-related phone calls, emails, and other contacts;
- the identity of persons working on tasks related to the intrusion, including a description, the amount of time spent, and the approximate hourly rate for those persons' work;
- identity of the systems, accounts, services, data, and networks affected by the incident and a description of how these network components were affected;
- information relating to the amount and type of damage inflicted by the incident, which can be important in civil actions by the organization and in criminal cases;
- information regarding network topology;
- the type and version of software being run on the network; and
- any peculiarities in the organization's network architecture, such as proprietary hardware or software.

Ideally, a single, designated employee will retain custody of all such records. This will help to ensure that records are properly preserved and can be produced later on. Proper handling of this information is often useful in rebutting claims in subsequent legal proceedings (whether criminal or civil) that electronic evidence has been tampered with or altered.

3. Records Related to Continuing Attacks

When an incident is ongoing (e.g., during a DDoS attack, as a worm is propagating through the network, or while an intruder is exfiltrating data), the victim organization should record any continuing activity. If a victim organization has not enabled logging on an affected server, it should do so immediately. It should also consider increasing the default size of log files on its servers to prevent losing data.
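Steps 3.1 and 3.2 above call for a forensic copy that is write-protected, kept under chain of custody, and backed by a dated written record that can later rebut claims of tampering. The script below is an added example, not the document's own procedure: it hashes a constructed image file, clears its write bits, appends dated custody entries to a JSON-lines manifest (a layout assumed here, as are the file and handler names), and verifies that no later entry records a different hash than the acquisition entry.

```python
"""Hashing, write-protecting and tracking custody of a forensic copy (Step 3).

Added example; it is not the document's own procedure. The image file,
handler names and the JSON-lines manifest layout are constructed assumptions.
"""
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_protect(path):
    """Clear the write bits so a later step cannot silently alter the copy.
    This is the software half of the 'write-protect the media' step; a hardware
    write blocker on the source drive is the other half."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def record_custody(manifest_path, image_path, handler, action, note=""):
    """Append one chain-of-custody entry: who did what to which copy, when,
    and the hash the copy had at that moment."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "image": os.path.basename(image_path),
        "sha256": sha256_of(image_path),
        "handler": handler,
        "action": action,
        "note": note,
    }
    with open(manifest_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_custody(manifest_path, image_path):
    """Return (ok, detail). ok is True only if every custody entry recorded the
    acquisition hash and the file on disk still has it; otherwise detail names
    the first entry at which the record shows the copy in an altered state."""
    with open(manifest_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    if not entries:
        return False, "no custody entries"
    baseline = entries[0]["sha256"]
    drift = [e for e in entries[1:] if e["sha256"] != baseline]
    if drift:
        return False, f"hash changed by entry '{drift[0]['action']}' at {drift[0]['time_utc']}"
    if sha256_of(image_path) != baseline:
        return False, "current hash differs from acquisition hash"
    return True, baseline


def demo(tamper=False):
    """Run the workflow on a constructed 'image' in a temporary directory and
    return verify_custody's result. With tamper=True the copy is altered after
    sealing, which the custody record then exposes."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "web01-disk0.dd")      # constructed name
        manifest = os.path.join(d, "custody.jsonl")
        with open(image, "wb") as f:
            f.write(b"constructed disk image bytes\n" * 1024)
        record_custody(manifest, image, "jdoe", "acquired", "imaged behind a write blocker")
        write_protect(image)
        record_custody(manifest, image, "jdoe", "sealed", "media write-protected")
        if tamper:
            os.chmod(image, 0o600)
            with open(image, "ab") as f:
                f.write(b"!")
        record_custody(manifest, image, "asmith", "transferred", "handed to analyst")
        return verify_custody(manifest, image)


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

Each manifest line is also a dated entry of the kind Step 3.2 asks personnel to keep, so the same file doubles as the contemporaneous record for the imaging work.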
A victim organization may also be able to use a “sniffer” or other network-monitoring device to record communications between the intruder and any of its targeted servers. Such monitoring, which implicates the Wiretap Act (18 U.S.C. §§ 2510 et seq.), is typically lawful, provided it is done to protect the organization’s rights or property or system users have actually or impliedly consented to such monitoring. An organization should consult with its legal counsel to make sure such monitoring is conducted lawfully and consistent with the organization’s employment agreements and privacy policies.

D. Step 4: Notify

1. People Within the Organization

Managers and other personnel within the organization should be notified about the incident as provided for in the incident response plan and should be given the results of any preliminary analysis. Relevant personnel may include senior management, IT and physical security coordinators, communications or public affairs personnel, and legal counsel. The incident response plan should set out individual points-of-contact within the organization and the circumstances in which they should be contacted.

2. Law Enforcement

If an organization suspects at any point during its assessment or response that the incident constitutes criminal activity, it should contact law enforcement immediately. Historically, some companies have been reticent to contact law enforcement following a cyber incident fearing that a criminal investigation may result in disruption of its business or reputational harm. However, a company harboring such concerns should not hesitate to contact law enforcement. The FBI and U.S. Secret Service place a priority on conducting cyber investigations that cause as little disruption as possible to a victim organization’s normal operations and recognize the need to work cooperatively and discreetly with victim companies. They will use investigative measures that avoid computer downtime or displacement of a company's employees. When using indispensable investigative measures likely to inconvenience a victim organization, they will do so with the objective of minimizing the duration and scope of any disruption.

The FBI and U.S. Secret Service will also conduct their investigations with discretion and work with a victim company to avoid unwarranted disclosure of information. They will attempt to coordinate statements to the news media concerning the incident with a victim company to ensure that information harmful to a company’s interests is not needlessly disclosed. Victim companies should likewise consider sharing press releases regarding a cyber incident with investigative agents before issuing them to avoid releasing information that might damage the ongoing investigation.

Contacting law enforcement may also prove beneficial to a victim organization. Law enforcement may be able to use legal authorities and tools that are unavailable to nongovernmental entities and to enlist the assistance of international law enforcement partners to locate stolen data or identify the perpetrator. These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data. In addition, a cyber criminal who is successfully prosecuted will be prevented from causing further damage to the victim company or to others, and other would-be cyber criminals may be deterred by such a conviction.

In addition, as of January 2015, at least forty-seven states have passed database breach notification laws requiring companies to notify customers whose data is compromised by an intrusion; however, many data breach reporting laws allow a covered organization to delay notification if law enforcement concludes that such notice would impede an investigation. State laws also may allow a victim company to forgo providing notice altogether if the victim company consults with law enforcement and thereafter determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed. Organizations should consult with counsel to determine their obligations under state data breach notification laws. It is also noteworthy that companies from regulated industries that cooperate with law enforcement may be viewed more favorably by regulators looking into a data breach.

3. The Department of Homeland Security

The Department of Homeland Security has components dedicated to cybersecurity that not only collect and report on cyber incidents, phishing, malware, and other vulnerabilities, but also provide certain incident response services. The National Cybersecurity & Communications Integration Center (NCCIC) serves as a 24x7 centralized location for cybersecurity information sharing, incident response, and incident coordination. By contacting the NCCIC, a victim organization can both share and receive information about an ongoing incident that may prove beneficial to both the victim organization and the government. A victim organization may also obtain technical assistance capable of mitigating an ongoing cyber incident.

4. Other Potential Victims

If a victim organization or the private incident response firm it hires uncovers evidence of additional victims while assessing a cyber incident—for example, in the form of another company’s data stored on the network—the other potential victims should be promptly notified. While the initial victim can conduct such notification directly, notifying victims through law enforcement may be preferable. It insulates the initial victim from potentially unnecessary exposure and allows law enforcement to conduct further investigation, which may uncover additional victims warranting notification. Similarly, if a forensic examination reveals an unreported software or hardware vulnerability, the victim organization should make immediate notification to law enforcement or the relevant vendor. Such notifications may prevent further damage by prompting the victims or vendors to take remedial action immediately. The victim organization may also reap benefits, because other victims may be able to provide helpful information gleaned from their own experiences managing the same cyber incident (e.g., information regarding the perpetrator’s methods, a timeline of events, or effective mitigation techniques that may thwart the intruder).

III. What Not to Do Following a Cyber Incident

A. Do Not Use the Compromised System to Communicate

The victim organization should avoid, to the extent reasonably possible, using a system suspected of being compromised to communicate about an incident or to discuss its response to the incident. If the victim organization must use the compromised system to communicate, it should encrypt its communications. To avoid becoming the victim of a “social engineering” attack (i.e., attempts by a perpetrator to convince a target to take an action through use of a ruse or guile that will compromise the security of the system or data), employees of the victim organization should not disclose incident-specific information to unknown communicants inquiring about an incident without first verifying their identity.

B. Do Not Hack Into or Damage Another Network

A victimized organization should not attempt to access, damage, or impair another system that may appear to be involved in the intrusion or attack. Regardless of motive, doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability. Furthermore, many intrusions and attacks are launched from compromised systems. Consequently, “hacking back” can damage or impair another innocent victim’s system rather than the intruder’s.

IV. After a Computer Incident

Even after a cyber incident appears to be under control, remain vigilant. Many intruders return to attempt to regain access to networks they previously compromised. It is possible that, despite best efforts, a company that has addressed known security vulnerabilities and taken all reasonable steps to eject an intruder has nevertheless not eliminated all of the means by which the intruder illicitly accessed the network. Continue to monitor your system for anomalous activity.

Once the victim organization has recovered from the attack or intrusion, it should initiate measures to prevent similar attacks. To do so, it should conduct a post-incident review of the organization’s response to the incident and assess the strengths and weaknesses of its performance and incident response plan.
Part of the assessment should include ascertaining whether the organization followed each of the steps outlined above and, if not, why not. The organization should note and discuss deficiencies and gaps in its response and take remedial steps as needed.

Cyber Incident Preparedness Checklist

Before a Cyber Attack or Intrusion

Identify mission critical data and assets (i.e., your “Crown Jewels”) and institute tiered security measures to appropriately protect those assets.
Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cybersecurity Framework.
Create an actionable incident response plan.
o Test plan with exercises
o Keep plan up-to-date to reflect changes in personnel and structure
Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident.
Have procedures in place that will permit lawful network monitoring.
Have legal counsel that is familiar with legal issues associated with cyber incidents.
Align other policies (e.g., human resources and personnel policies) with your incident response plan.
Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cybersecurity firms that you may require in the event of an incident.

During a Cyber Attack or Intrusion

Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch.
Minimize continuing damage consistent with your cyber incident response plan.
Collect and preserve data related to the incident.
o “Image” the network
o Keep all logs, notes, and other records
o Keep records of ongoing attacks
Consistent with your incident response plan, notify—
o Appropriate management and personnel within the victim organization
o Law enforcement
o Other possible victims
o Department of Homeland Security
Do not—
o Use compromised systems to communicate.
o “Hack back” or intrude upon another network

After Recovering from a Cyber Attack or Intrusion

Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network.
Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.

National Cyber Security Awareness Month

Growing Global Coalition Urges Internet Users Everywhere To STOP. THINK. CONNECT.

The 2015 National Cyber Security Awareness Month (NCSAM) is emphasizing “Our Shared Responsibility,” the month’s official theme and call to action for all global citizens to take basic steps to make the Internet – a vital resource for our personal, public and professional lives – safer and more secure. Led by the National Cyber Security Alliance (NCSA), the nation's leading nonprofit, public-private partnership promoting online safety, and the U.S. Department of Homeland Security (DHS), NCSAM marks its 12th anniversary this October.

Launching the month with the recognition that securing the Internet is a global imperative, the General Secretariat of the Organization of American States (OAS) will also host an international event in Washington, D.C. promoting a culture of cybersecurity among its member states’ 250 million Internet users in Latin America and the Caribbean as well as other countries around the globe. OAS is a long-time STOP. THINK. CONNECT. partner and has championed participation in education and awareness by a diverse group of stakeholders in Latin America.

The theme of the month resonates with young people internationally. According to the recently released Cyber Safety for the Digital Generation survey by the Raytheon Company, 82 percent of young adults globally believe that keeping the Internet safe and secure is our shared responsibility. They are clear on the roles everyone should play in keeping them safe and secure online:
75 percent think they themselves should be significantly involved;
69 percent think the commercial websites they visit and use should be significantly involved;
51 percent think the government should be significantly involved;
47 percent think the people they interact with on social networks should be significantly involved.

“We live in a global, digital age where people, networks and devices are increasingly interconnected, and everyone needs to be taking steps to use the Internet safely and more securely,” said Michael Kaiser, NCSA’s executive director. “Practicing good cybersecurity empowers Internet users to reap the benefits of connectivity with greater confidence. National Cyber Security Awareness Month succeeds when we work together to build a safer, more secure and trusted Internet. Awareness month is a must.”

NCSAM 2015 also marks the fifth anniversary of STOP. THINK. CONNECT., the preeminent global cybersecurity education and awareness campaign. Driven by NCSA, the Anti-Phishing Working Group (APWG) and DHS, which leads the federal government’s campaign, STOP. THINK. CONNECT. continues to extend its international impact with a simple but increasingly important message to stay safer and more secure online. The campaign’s partners include 271 large companies, small- and medium-sized businesses, colleges and universities, regional banks and a collection of other organizations as official partners. Currently, STOP. THINK. CONNECT. has official partnerships in Canada, Australia, Panama, the European Union, India, Japan, Mexico and other countries and regions, with its materials translated into five languages — Spanish, French (Canadian), Portuguese (Brazilian), Japanese and Russian — and several more translations on the way. Check out NCSA’s new infographic, “5 Years of STC” and learn more about how to get involved: http://ncsam.info/1JCDXlT

“While NCSA and its many partners work year round to create awareness around the safe and secure use of the Internet, National Cyber Security Awareness Month unites everyone in a concentrated effort to promote a culture of cybersecurity in everything we do,” said Jacqueline Beauchere, Chief Online Safety Officer of Microsoft and Chair of NCSA’s Board of Directors. “We are thrilled to see the adoption of Cybersecurity Awareness Month and STOP. THINK. CONNECT. across the globe. When industry, government and civil society work together, we can help every digital citizen access and act on the information they need to be safer and more secure online.”

Ready, Set, Get #CyberAware

Under the umbrella theme of “Our Shared Responsibility,” NCSAM 2015 will explore five weekly themes addressing a cross section of cybersecurity issues. They include STOP. THINK. CONNECT., cybersecurity in the workplace, connected communities and families, our evolving digital lives/the Internet of Things and building the next generation of cyber professionals.

Individuals, companies and organizations of all sizes can show their support for NCSAM by becoming a Champion. Currently there are more than 475 NCSAM Champions who will play an active role in sharing important cybersecurity messages with their local communities, corporations, governments and individuals internationally. For more information on how to become a champion, visit https://www.staysafeonline.org/ncsam/champions.

Using the new hashtag, #CyberAware, NCSAM’s Champions and supporters are also encouraged to join the conversation by posting tips, advice and information and participating in weekly Twitter chats occurring every Thursday at 3:00 p.m. EDT and keeping up on the latest updates on http://www.facebook.com/staysafeonline.

To stay safer online everyone should implement these simple, actionable steps:
Keep a clean machine: Keeping all web-connected devices ‒ including PCs, mobile phones, smartphones, and tablets ‒ free from malware and infections makes the Internet safer for you and more secure for everyone.
Get two steps ahead: Turn on two-step authentication ‒ also known as two-step verification or multi-factor authentication ‒ on accounts where available.
When in doubt, throw it out: Links in email, posts and texts are often the ways cybercriminals try to steal your information or infect your devices.
Share with care: Before posting something online, think about how it could be perceived now and in the future.
Check out NCSA’s tips infographic: http://ncsam.info/1VoT4X7.

About National Cyber Security Awareness Month

National Cyber Security Awareness Month (NCSAM) was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online. Now in its 12th year, NCSAM is co-led by the Department of Homeland Security and the National Cyber Security Alliance, the nation's leading nonprofit public-private partnership promoting the safe and secure use of the Internet and digital privacy. Recognized annually in October, NCSAM involves the participation of a multitude of industry leaders ‒ mobilizing individuals, small- and medium-sized businesses, non-profits, academia, multinational corporations and governments. Encouraging digital citizens around the globe to STOP. THINK. CONNECT., NCSAM is harnessing the collective impact of its programs and resources to increase awareness about today’s ever-evolving cybersecurity landscape. Visit the NCSAM media room: https://www.staysafeonline.org/about-us/news/media-room/

About The National Cyber Security Alliance

The National Cyber Security Alliance (NCSA) is the nation's leading nonprofit public-private partnership promoting the safe and secure use of the Internet and digital privacy. Working with the Department of Homeland Security (DHS), private sector sponsors and nonprofit collaborators to promote cybersecurity awareness, NCSA board members include representatives from ADP, AT&T, Bank of America, BlackBerry, Comcast Corporation, EMC Corporation, ESET, Facebook, Google, Intel, Logical Operations, Microsoft, PayPal, PKWARE, Raytheon, Symantec, Verizon and Visa. Through collaboration with the government, corporate, nonprofit and academic sectors, NCSA's mission is to educate and empower digital citizens to use the Internet securely and safely, protect themselves and the technology they use, and safeguard the digital assets we all share. NCSA leads initiatives for STOP. THINK. CONNECT., a global cybersecurity awareness campaign to help all digital citizens stay safer and more secure online; Data Privacy Day, celebrated annually on January 28; and National Cyber Security Awareness Month, launched every October. For more information on NCSA, please visit staysafeonline.org/about-us/overview/.

About STOP. THINK. CONNECT.

STOP. THINK. CONNECT. is the national cybersecurity education and awareness campaign. The campaign was created by an unprecedented coalition of private companies, non-profits and government organizations with leadership provided by the National Cyber Security Alliance (NCSA) and the Anti-Phishing Working Group (APWG). The Department of Homeland Security leads the federal engagement in the campaign.

Panel remarks at the Brookings Institution

William C Dudley, President and Chief Executive Officer of the Federal Reserve Bank of New York, at "The Fed at a crossroads: Where to go next?", Brookings Institution, Washington DC

It is a great pleasure to be here today to participate in this panel with John Taylor. I am going to take today's topic - "Where to go next?" - to address the issue of how monetary policy should be conducted. This is an issue that is getting considerable attention among policymakers here in Washington, D.C. To put succinctly the question I wish to tackle: Is it better for policymakers to start with a formal rule as the default position, or for policymakers to have a more flexible approach that considers a broader set of factors in setting the monetary policy stance? As always, what I have to say today reflects my own views and not necessarily those of the Federal Open Market Committee (FOMC) or the Federal Reserve System.
To get right to the punch line, I favor a more flexible approach that incorporates a broader set of factors into the monetary policy decision-making process. The world is complex and ever-changing. There are many factors that can affect the economic outlook and the attainment of the Federal Reserve's mandated objectives and, thereby, the appropriate stance of monetary policy.

At the same time, I do not favor total discretion in which the monetary policy strategy is determined in an ad hoc fashion as we go along. For monetary policy to be most effective, market participants, households and businesses need to be able to anticipate how the Federal Reserve is likely to respond to evolving conditions. That is because the transmission of monetary policy to the real economy depends not only on what policymakers decide to do today, but also on what the public anticipates that the FOMC is likely to do in the future as the economic outlook changes and evolves. Our experience at the zero lower bound in recent years underscores how important expectations are in influencing the effectiveness of monetary policy. Policymakers thus need to act in a systematic and consistent manner so that expectations are formed accurately and economic behavior can respond consistently with those expectations. In my view, this consideration rules out a totally discretionary monetary policy.

Before I critique the use of prescriptive rules in monetary policy-making, I'd like to make it clear at the start that the Taylor Rule (by which I mean the formulation based on John's 1993 and 1999 papers) has a number of positive attributes that make it a useful reference for policymakers. First, it has two parameters - the long-term inflation objective and the level of potential output - that map directly to the Federal Reserve's dual mandate objectives. Second, the Rule has the desirable feature that when economic shocks push the economy away from the central bank's objectives, the Taylor Rule prescribes a policy response that can help push the economy back toward the central bank's goals. Third, a number of studies have shown that Taylor Rules are robust in the sense that they generally perform quite well across a range of different assumptions about how the economy is structured and operates.

Despite these attractive features, I don't believe that any prescriptive rule, including the Taylor Rule, can take the place of a monetary policy framework that incorporates the FOMC's collective assessment of the large number of factors that impact the economic outlook. As I see it, the Taylor Rule has several significant shortcomings that can be detrimental to the attainment of the Federal Reserve's mandated objectives. These shortcomings are not just theoretical; they have been very relevant to monetary policy in recent years.

First, the Taylor Rule is not forward-looking. Its policy prescription is based on the current size of the output gap and the deviation of current inflation from the Fed's objective, not on how these variables are likely to evolve in the future. So, in a rapidly changing environment, the Taylor Rule and other similar prescriptive rules will wind up being "behind the curve." For example, in the fall of 2008, Taylor Rule prescriptions were well above the level of rates that was appropriate given the sharp and persistent deterioration in the economic outlook and the sharp tightening in financial conditions that occurred during that period. Of course, many economists at that time recognized that such prescriptions would have been inappropriate and suggested various ad hoc modifications to the prescriptions - in fact, John himself suggested that modifications to his rule were appropriate at that time. Nonetheless, there was no consensus about the "right" modification to the rules at that time, in part, because the circumstances were unprecedented and the outlook so uncertain. If the FOMC had been required to justify to Congress deviations from a reference rule at that time, I believe that this would have slowed down how we responded to the crisis and would have resulted in a monetary policy that was not sufficiently accommodative. The consequence could have been a longer financial crisis and a deeper recession.

Second, the Taylor Rule, as typically used, assumes that a 2 percent real short-term interest rate is consistent with a neutral monetary policy. However, a large literature concludes that the equilibrium real short-term rate is very unlikely to be constant, with its value affected by many factors, including the pace of technological change, fiscal policy and the evolution of financial conditions. Sometimes it can be much higher than 2 percent. Presumably, this was the case during the late 1990s as rapid technological change lifted productivity growth. Sometimes it can be well below 2 percent. For example, when credit availability dried up during the financial crisis in late 2008, this drove down the equilibrium real rate far below 2 percent. More recently, the slow growth rate of the economy and the low rate of inflation are evidence that the equilibrium real short-term rate today is well below the 2 percent rate assumed in the Taylor Rule. If 2 percent really was consistent with a neutral monetary policy, then the very low real rates of recent years - buttressed by our large-scale asset purchases - should have been extraordinarily accommodative. As a result, we should have grown much faster than the 2½ percent pace evident over the past couple of years and seen an inflation rate much higher than what we experienced. This conclusion is supported by a number of more formal models. For example, the Laubach-Williams model currently estimates that the equilibrium real short-term rate is around zero percent.

Third, the Taylor Rule - and more broadly, any prescriptive rule for the systematic quantitative adjustment of the policy rate to changes in intermediate policy inputs such as real GDP or inflation - is incomplete because it does not fully account for factors that are crucial to how monetary policy impulses are transmitted to the real economy. Monetary policy affects economic activity through its impact on financial conditions - including the level of equity prices, bond yields, the foreign exchange value of the dollar and credit conditions. If the relationship between the federal funds rate and other indicators of financial conditions were stable, then one could just focus on the level of short-term rates. But, because financial conditions vary considerably relative to short-term rates, as we have seen in the financial crisis and its aftermath, one needs to consider developments in financial conditions more broadly in setting monetary policy. In fact, at times, when short-term rates have been pinned at the zero lower bound, the Federal Reserve has taken actions that eased financial conditions without changing short-term interest rates. Such actions have included forward guidance that the FOMC was likely to keep short-term rates low for a long time and large-scale asset purchases that led to lower bond term premia.

Now, as I said at the start, just because I don't want to follow a rule mechanically does not mean that I favor the polar opposite - that is, a fully discretionary monetary policy in which market participants, households and businesses cannot anticipate how monetary policy is likely to evolve as economic and financial market conditions and the economic outlook change. If households and businesses do not have a good notion of how the Federal Reserve will respond to changing economic and financial market conditions, then this would loosen the linkage between short-term rates and financial conditions. This would also likely lead to greater uncertainty about the outlook and higher risk premia, and it would make it more difficult for policymakers to attain their objectives.

Instead, what I favor is a careful elucidation of those factors that influence the economic outlook and how monetary policy is likely to respond to changes in the outlook. This includes fiscal policy, productivity growth, the international outlook and financial conditions, as well as how much employment and inflation deviate from the Fed's objectives. By conducting policy in a transparent way and communicating what is important in determining the central bank's reaction function, I think policymakers can strike the best balance between a monetary policy that fully incorporates the complexity of the world as it is, while, at the same time, retaining considerable clarity about how the FOMC is likely to respond to changing circumstances. A formal policy rule such as the Taylor Rule misses this balance by going too far in one direction.

What is important for attaining the Federal Reserve's mandated objectives is not that monetary policy is described in terms of a formal prescriptive rule, but rather that the FOMC's intentions and strategy are well understood by the public. This argues for clear communication through the FOMC meeting statements and minutes, the FOMC's statement concerning its longer-term goals and monetary policy strategy, the Chair's FOMC press conferences and testimonies before Congress, and speeches by the Chair and other FOMC participants. But it also is important that the strategy be the "right" reaction function. This means a policy approach that responds appropriately to important factors beyond the two parameters of the Taylor Rule - the output gap estimate and the rate of inflation.

Thank you for your kind attention.

Nurturing resilience to the financial cycle

Alex Brazier, Executive Director for Financial Stability Strategy and Risk of the Bank of England, at the Property Investor's Banquet, London

I am grateful to Martin Arrowsmith, Oliver Burrows, Neil Crosby, Kishore Kamath, Magda Rutkowska and Robert Sturrock for their assistance in preparing these remarks.

My Lord Mayor, Lady Mayoress, Ladies and Gentlemen. It is a great honour to join you this evening.

It's clear why you are celebrating. A crane-filled skyline to the City.
New office space completion in Central London: a ten-year high;
More than thirty schemes underway: a twenty-year high;
And transactions that are near a record high. Half of them financed by capital attracted from overseas.

Commercial property is punching well above its weight in attracting capital to Britain.
Those capital inflows are helping to sustain steady growth while our major trading partners lag behind. So your industry is contributing to the livelihoods of people up and down the country. But while that's true in the good times, it's true in the bad times too: when commercial real estate catches a cold, the whole economy starts to shiver. It's not just that the construction industry suffers and jobs are lost, or that banks are injured, impairing their lending to the rest of the economy. It's that small businesses see their own property fall in value - assets that are vital to secure their borrowing. And if the flow of foreign capital were to dry up or even reverse, there would be wider consequences for spending, output and exchange rates.

So your continued success is important to everyone. And yet, as you know all too well, the UK's commercial property market hardly has a record as a beacon of stability.

But we shouldn't be fatalistic. We're not doomed to repeat the past. Yes, the cycle is a force of human nature. But resilience to it can be nurtured. It will be a battle of nurture against human nature. The time to start it is when people most feel like celebrating: when your market is on the up. We have to start now. And if we're going to have any success, we - the Bank of England, you - the industry, and us - together, need to step up and act.

So this evening I want to set out what is being done. At the heart of it is the need to ensure finance supports you through the whole cycle. The need to avoid the pattern - all too familiar to you - of financing conditions going from conservative to careless and then to completely closed, all too rapidly. The need to replace financing that magnifies cycles of sentiment with financing that mutes them.
And in this, the measures I'll outline this evening constitute one aspect of a broader post-crisis endeavour to build, and maintain, a financial system that supports, and does not disrupt, the real economy. It goes by the name of macroprudential policy.

Banking system resilience

The first step to nurturing a resilient environment is to reduce the prospect of a sudden crunching of credit supply from an injured banking system. In the financial crisis, as banks were holed below the waterline and new lending seized up, the flow of new lending to commercial property collapsed to a third of its earlier level.

Since the crisis, the Bank of England has been building a safer banking system. Measured on a consistent basis, major banks hold 10 times more capital than they did before the financial crisis. And through stress testing, we're making sure they're able to withstand severe stresses. By withstand, I don't just mean survive. I mean continue to lend, including to you.

Last year, we tested whether the banking system could withstand a snap back of long-term interest rates, a sharp fall in residential and commercial real estate prices, and a deep recession - all without cutting lending. This year we're testing whether they can withstand a synchronised, sharp slowdown in China, emerging markets and Europe, and sharp falls in asset and commodity prices - all while increasing lending to the UK real economy by 10%.

We showed last year that, where the tests say a bank needs more capital, we're prepared to take action. And where the system needs strengthening as a whole, we can change capital requirements to put additional resilience in, either across the board through countercyclical requirements, or to particular sectors, through sectoral capital requirements.
We are matching the strength of the banking system to the scale of risk it faces, so you can be more confident that credit will be there when you need it.

Resilient underwriting standards

We have to nurture more than the resilience of the banking system. Your balance sheets have to be resilient too. Over-gearing of your industry has been a major driver of instability in the past, making you vulnerable to the slightest change in sentiment. In part that's the result of lenders offering deals in the good times that present even the most responsible investors with an impossible choice: gear up to uncomfortable levels or be forced out of the market.

To avoid that Hobson's choice, any slipping of lenders' standards has to be addressed. That's why we're now reviewing the standards of major lenders regularly. This year we found loan-to-value ratios rising and interest cover ratios falling, but from a very conservative starting point. We'll keep watching this, and there will be a new survey in coming months.

We know that the importance of major UK lenders in financing you has almost halved since the crisis. While that diversity should be welcome - it should be a source of strength - it can be a source of weakness if it simply moves gearing into a shadow on our radar screen. It's essential that our radar technology keeps up. The Bank's Commercial Property Forum, ably chaired by Ian Marcus, helps us minimise the shadow on the screen. But we also want systematic data. That's why I welcome the efforts of your industry, in partnership with us, to build a database of CRE loans: a dataset that will be run and managed for the public good, while respecting commercial confidentiality. It can give you, and us, the information we need to manage the risk of loosening underwriting standards.
Long-term valuations

But still more is needed to nurture a resilient market environment. You can become over-geared without technical slipping of underwriting standards. We've seen in the past how a change in sentiment can drive commercial property prices up even without the prospect of improvement in the cashflows which the property will generate. That creates headroom for those already in the market to borrow more without breaching their loan-to-value standards. And the use of that headroom drives prices up further. An ultimately pernicious spiral of sentiment and debt begins. Valuations and debt increase sharply relative to the cashflows that support them.

When the music stops, the process goes into sudden reverse. As valuations fall, borrowers are left struggling to service loans that are greater than the value of the property. Firesales begin. Sentiment deteriorates. And market valuations collapse. In short, finance magnifies the cycle. This is detrimental to you, to lenders, and to the rest of the economy.

And to your great credit, your industry has been in the vanguard of thinking to deal with this. The proposal of the cross-industry Vision for Real Estate Finance, led by Nick Scarles of Grosvenor, was that everyone - lenders, borrowers and regulators - should consider appropriate levels of debt not relative to market prices but relative to cash flows capitalised at long-term, cycle-neutral, rates. Put simply, if prices rise because of sentiment rather than cashflow prospects, that should result in greater reliance on equity, rather than debt, finance. So when the inevitable reverse in sentiment happens, it won't be magnified by an over-indebted industry.

The industry proposal is music to our ears. If you apply it, it will stop debt running away unsustainably in the good times. And it will cushion the bad times.
It's countercyclical, mirroring the way capital requirements for banks will now operate. And it's completely in tune with the broader aim of reducing the way finance magnifies cycles.

So we want to help you make progress with it. As capitalisation rates come down from their post-crisis highs, the need to do so is increasing. So in a matter of months, the Bank of England will start reporting market-wide indicators of valuations and gearing based on cashflows capitalised at cycle-neutral rates. It will help you to measure the risks. And risk that gets measured can get managed, by you and by us.

These measures aren't a panacea. They can't guarantee occupancy rates or rents for you. But had they been used to guide your decisions and our policy, they would have made a real difference in the run-up to the crisis. In fact, the last commercial real estate cycle could have been severely curbed and loss rates for some banks dramatically reduced. So your industry really does deserve great credit for taking the lead in developing the answers. Now - when you most feel like celebrating - is the time to start applying them.

Resilience in the future

If we continue to work together there is a real prospect of nurturing a market that keeps up with the cycles of human nature. But nature will fight back. The drivers of cycles will evolve. History may rhyme, but it rarely repeats. Just look in this cycle at the rapid inflows of finance to commercial property from retail investors in open-ended funds. More than 6% of the stock of commercial real estate finance is now held in these funds, and is growing rapidly.

Now, a shift in finance, from bank debt to fund equity can be good for stability. It's one part of the broader inflow of equity in this cycle, which is helping to keep gearing down as prices rise. But it's not risk free.
Fund investors offered redemption at short notice can create problems if prompted to herd to the exit. In the 2008 crisis, we saw redemptions from property funds reach more than one half of assets under management. Many of you saw the consequences - firesales of assets, magnifying the market downturn. Open-ended property funds now have 80% more assets under management than they did on the eve of the crisis.

So the growing importance of funds offering short notice redemption and investing not just in property but in other potentially illiquid markets too, is a focus of regulators in the UK and internationally. The Bank of England, along with the FCA, is looking closely at the ways these funds might contribute to broader instability. And it's in part thanks to working closely with you that we're alert to this.

By working together, our nurturing of resilience can keep up with nature's inevitable fight back. We can together create an environment that gives you the best chance of success. Whether you succeed will be down to you. But one thing is for sure. Your success is important to everyone.

For its part, the Bank of England is committed to ensuring the financial system serves you - the real economy. That's why, here at Guildhall, in 23 days' time, we're hosting an Open Forum to bring together policymakers, financial market users, academics, and wider society. The aim is to chart the way for financial markets so that they serve their users and contribute to prosperity. You can sign up on our website. Please do. Because your industry has taken a lead in learning from the past, in leading the changes needed and in having a sense of your responsibility to the wider economy. Yours is a model of engagement for others to emulate. And I look forward to continuing to work together.

Thank you.
EIOPA advises to set up a new asset class for high-quality infrastructure investments under Solvency II

The European Insurance and Occupational Pensions Authority (EIOPA) published its Advice to the European Commission on the identification and calibration of infrastructure investments risk categories.

Robust criteria have been put forward to identify eligible infrastructure projects.
Risk charges for investing in qualifying infrastructure projects have been carefully calibrated to the respective risks, leading to a different treatment.
To benefit from a different treatment, insurers will need to conduct adequate due diligence as part of an effective risk management of this complex and heterogeneous asset class.

EIOPA has suggested a more granular approach by advising to create a separate asset class under the Solvency II standard formula for investments in infrastructure projects. This new asset class seeks to capture high-quality infrastructure, whilst recognising the complex and heterogeneous nature of such investments. The proposed approach meaningfully reduces risk charges for qualifying infrastructure project investments in equity and debt. At the same time EIOPA proposes robust risk management requirements, including active monitoring of exposures to infrastructure projects as well as sound stress testing of their cash flows.

Gabriel Bernardino, Chairman of EIOPA, said: "EIOPA has made remarkable progress in proposing a new asset class and a prudentially sound regulatory treatment within a very short timeframe. Investments in infrastructure could be very important for the insurance business because, due to their long-term nature, they may be a good fit to match long-term liabilities while also increasing portfolio diversification.
However, infrastructure projects can be very complex and require specific risk management expertise. It is very important that risks of infrastructure investments are properly managed and monitored over time. Under such conditions, I believe that the proposed calibrations reflect the risk profile of high-quality infrastructure projects."

According to the Advice, qualifying infrastructure investments will need to satisfy conditions relating to the predictability of the cash flows to investors, the robustness of the contractual framework, and their ability to withstand relevant stress scenarios.

Regarding calibrations, EIOPA recommends that the spread risk charge within the Solvency II standard formula is amended for qualifying infrastructure debt investments according to a modified credit risk approach (reduction of around 30% in the risk charge for BBB rated qualifying infrastructure). Risk charges for infrastructure equity investments are proposed to be in a range between 30% and 39%.

In terms of risk management, insurers should in particular conduct adequate due diligence prior to the investment; establish written procedures to monitor the performance of their exposures; and regularly perform stress tests on the cash flows and collateral values supporting the infrastructure project.

The Advice: https://goo.gl/JaK1x2

Note

The European Insurance and Occupational Pensions Authority (EIOPA) was established on 1 January 2011 as a result of the reforms to the structure of supervision of the financial sector in the European Union. EIOPA is part of the European System of Financial Supervision consisting of three European Supervisory Authorities, the National Supervisory Authorities and the European Systemic Risk Board.
It is an independent advisory body to the European Commission, the European Parliament and the Council of the European Union. EIOPA's core responsibilities are to support the stability of the financial system, transparency of markets and financial products as well as the protection of insurance policyholders, pension scheme members and beneficiaries.

Progress on prudential regulation and three areas to complete

Andrew Bailey, Deputy Governor of Prudential Regulation and Chief Executive Officer of the Prudential Regulation Authority at the Bank of England, at the City Banquet, Mansion House, London

My Lord Mayor, Ladies and Gentlemen - it is a great pleasure to be here again at the regulators' dinner, and it is very good of you to entice so many people here tonight with the prospect of an evening with regulators. I won't speculate on how this ranks on the scale of evenings spent in our cosmopolitan capital city. It is also a great pleasure to be speaking here tonight with Tracey.

This evening I want to describe the progress we have made on prudential regulation and then examine a number of topical issues for the PRA and the Financial Services industry: the Senior Managers and Certification Regime; structural reform and ring fencing; and what the PRA is doing to pursue its secondary objective on competition. A common theme here is getting the incentives right to support good outcomes in relation to both prudential and conduct objectives.

Progress

It is over eight years now since the financial crisis began in this country.
And to continue Tracey's theme for a moment, it is possibly salutary to recall that amidst the many bad events of Autumn 2007, England reached the Final of the Rugby World Cup. I didn't expect to say "those were the days" about 2007.

It was natural that the first response to the financial crisis in terms of reforms was focused on the bedrock prudential issues of capital and liquidity in banks. This has been supplemented by the drive both internationally and domestically to solve the too big to fail problem through a combination of resolution measures at the centre of which is agreement on total loss absorbing capacity for those banks which require such a bulwark to ensure orderly resolution in the event of failure. This is crucial to break the dependence of failing banks on injections of public money and likewise to break the impact of solvency problems in banks on the public finances.

This is an international as well as domestic agenda of reforms aimed at fixing the fault lines that caused the financial crisis, building a more resilient and open global financial system, and deepening and building trust across jurisdictions. I have said before, but I think it justifies repeating, that we are unwavering supporters of an open global financial system which finances the investment and trade necessary to support strong, sustainable and balanced growth. As we see and seek to deal with new risks to the world economy and to global financial stability it is always important to remember that free trade and free capital flows are the foundation of a successful world economy with all the benefits that brings for the welfare of people.
So, it should be no surprise that our focus is on three things: first, full, consistent and prompt implementation of the already agreed reforms across the financial system, and here I would note that the largest single activity for the PRA this year is to complete the implementation of Solvency 2 for insurers for the end of this year, something I believe we are on course to do; secondly, finalising the design of the remaining post-crisis reforms and thus providing the much needed clarity around the future regulatory system; and thirdly, scanning the horizon for new risks and vulnerabilities that appear on our landscape, ones such as the risk of cyber disruption.

I think there is solid evidence of progress in all of these three areas. Internationally, there is plenty of evidence of shared objectives and effective co-operation among national authorities to solve common problems and "own" and thus implement the resulting reforms. An example over the last year has been the building of strong working relations between the PRA and our colleagues at the Single Supervisory Mechanism of the ECB. This can only be for the good, and represents the much needed close working of people who are on the front line supervising the system. We also want to encourage sound market-based finance and we are, for example, strong supporters of the EU initiative on simple, transparent and standardised securitisation.

Finalising design

When I look at the remaining agenda of post-crisis reforms to be agreed, it is striking that they are not about capital levels in the same way that we saw immediately post-crisis. True, there is work in Basel but that is much more about refining the framework than a step change in capital requirements.
As part of this there is work to agree and implement the leverage ratio internationally, and to improve the use of models to estimate capital requirements so that they are used only for asset classes that lend themselves to modelling of this sort and we have an acceptable degree of consistency across banks.

There are two important points I want to draw out which are by no means uncontroversial. First, it is sometimes said that the banking system still needs markedly more capital, and that a focus on other issues is a distraction from tackling a system that is still over-leveraged. The second, closely-related, point is that we should focus much more exclusively on non-risk based measures of capital requirements.

I don't agree with either of these positions, and nor would I say do most supervisors I know. I have been and remain a strong supporter of the reforms to date and the higher levels of capital put in place, and I am a strong supporter of having the leverage ratio in our toolkit and that for some assets it is the "biting" approach and therefore it is not just a backstop. But I disagree with those who want to go much further, for reasons which are at the heart of what we are doing.

First, because to argue for much higher capital on top of what has been done since the crisis is to argue that what is being done on resolution and loss absorbency is of little use. This misses the point that resolution is about being able to stabilise and then where necessary close or restructure failing banks. In other words, resolution is a much more extensive approach, and in my view very necessary. The design of international policy measures to end too big to fail is now largely complete for banks, but substantial work remains to put these into effect in terms of resolution plans.
Second, understanding how banks take and manage risk, the controls they have and the quality of risk management, is at the heart of the job of a prudential supervisor. That's what we do every day, and the standards of this work have been raised extensively since the crisis, which was very necessary. Now, it is possible I suppose to argue that a focus on oversight of risk management should be pursued alongside a sole focus on a non-risk based capital measure like the leverage ratio. But in my view that is a flawed argument because the prevailing capital regime has a strong influence on how firms take and manage risk, in other words it creates the incentives. And, if we only used a non-risk based system, we would incentivise firms to disregard the amount of risk per unit of assets on their balance sheet. The leverage ratio is firmly in the camp of necessary but not sufficient, as is the risk-based approach.

The third reason why I disagree with the much more capital school of thought is because there are more important things for us to do, which revolve around getting the incentives for behaviour right in firms. This is why as supervisors, both prudential and conduct, we spend so much time on governance in firms and on getting the incentives aligned for individuals through our approach to remuneration and to the responsibility of individuals.

We have achieved much progress towards strengthening the resilience of the global banking system, with stronger capital ratios, and this has demonstrated in my view the important principle that appropriately strong capital positions support rather than deter lending by banks.
Jobs still to finish: three topical issues

The Senior Managers Regime

The Senior Managers and Certification regime for banks is a product of the Parliamentary Commission on Banking Standards chaired by Andrew Tyrie, put into legislation and to be implemented by the PRA and FCA by next March, so not long to go now. The current approved persons regime has not delivered effective incentives and thus behaviour.

As part of last week's announcement on the Bank of England and Financial Services Bill, the Government put forward an important change to the senior managers regime for banks, by removing the "presumption of responsibility" and replacing it with a "duty of responsibility". I can tell you from my postbox in all its many forms, that the "presumption" is the most controversial element of the new regime. On its own that is not a good reason for change. I want therefore to explain why the change does make sense, and why the new regime should create the right incentives.

In the current Approved Persons regime, the PRA and FCA can take formal action for misconduct against an approved person either if that person has failed to comply with the statements of principle (which will become in the new regime common rules of professional conduct) or they have been knowingly concerned in a breach of a regulatory requirement by the firm. The burden of proof in an enforcement action falls on the regulator. The Banking Reform Act adds a third reason to take enforcement action against senior managers (not others) in these firms if: the firm (and I emphasise here the firm - going beyond the individual) has breached regulatory requirements; and the senior manager is responsible for the area of the firm in which the breach occurred.
The Act goes on to say that the person would not be guilty of misconduct if they satisfy the Regulator that they have taken such steps as a person in that position could reasonably be expected to take to prevent the breach. For the first two limbs the burden of proof would fall on the Regulator in the same way as the continuing provisions I mentioned earlier. But, crucially, it would be for the senior manager to satisfy the Regulator on the question of reasonableness - thus the presumption is created until it is rebutted.

The change that the Government has announced to create "the duty of responsibility" will, if Parliament approves it, replace the presumption with a statutory duty on senior managers to take reasonable steps to prevent breaches of regulatory requirements by their firms from occurring. Thus it will be for the Regulator to show that the senior manager did not take such steps as it was reasonable for a person in that position to take to prevent the breach of regulatory requirements.

In my view this does not represent a watering down of the requirement. Why? Well the "duty of responsibility" creates a positive duty on senior managers to take reasonable steps to prevent regulatory breaches occurring. This will be on a statutory footing, which hardwires the concept in the very fabric of the regulatory regime, rightly reflecting the importance which society places on this issue. Let me be very clear, substituting "duty" for "presumption" changes the mechanism of enforcement not the substance of the requirement on senior managers, and I would not support changing the latter.

There has been a lot of noise around the new regime in recent months, and I have asked people involved whether their problem was with the "presumption", or with the regime more broadly.
The universal answer has been that the difficulty was with the "presumption", not the regime, which appears to have broad support. So, if Parliament is in agreement, and I do not presume to take that for granted, I expect that the new regime will be put into effect in the spirit with which it is intended, and that the focus will shift to that spirit and away from finding ways to circumvent the "presumption". To be blunt, I hope that those within firms and their advisors will respect the will of Parliament on this crucial point.

The new regime matters hugely for getting the right incentives for people running firms. The important word is not "presumption" or "duty" but rather "responsibility"; it's about holding people more personally to account. If there are people who wish to argue that they should not take on the responsibilities of the job they do, then I believe they have no place in the industry, it's that simple. We all want well-run firms where senior people lead and take responsibility. And I know that this is how the vast majority of people do behave, because I observe it.

The senior managers and certified persons regime is also not purely, or in my view even primarily, a tool of enforcement. Our job is always to apply forward-looking judgement to prevent problems occurring; and the new regime will ensure that the incentives on senior managers in the roles that they perform align with that approach. But, just as Parliament has recognised that it is not the PRA's role to ensure that no firm fails, likewise we should not expect the Regulators to prevent all failures, or misconduct, by individuals. The PRA's enforcement powers are a necessary part of its toolkit, and we will use those tools when the circumstances warrant it. But they are not our primary mode of operating.
Also, the Government announced last week that - subject to agreement by Parliament - it plans to extend the Senior Managers regime to other firms across the industry. This is a further step in the right direction. There is no doubt that one regime will be better than many.

Lastly on the senior managers regime, there is one other very important broad reason for putting it into place. On and off I have been involved in regulation for over twenty-five years. During that time a few regimes have come and gone, and there have been debates about self-regulation versus a regime more purely in the hands of public authorities. This debate strikes me as a gross over-simplification. Self-regulation doesn't work if there is no clear and consistent allocation of responsibility for the public interest objectives of financial regulation to public bodies that are answerable to the government and to parliament. But likewise, public bodies cannot seek to take on the responsibility of managing within firms, something that has to be the responsibility of boards and management. The senior managers and certification regime is vital here because it creates the framework to establish effective responsibility within firms, while maintaining the role of the public authorities, the PRA and FCA, for supervising and enforcing the public interest. A very good example of how this should work can be seen in the recommendations of the Fair and Effective Markets Review, which provide a means to establish and maintain high conduct standards in financial markets.

Structural reform

I want now to turn to structural reform and ring fencing. This is a subject in its own right, but I can assure you that I intend to be brief on this one tonight. We are now well into implementation.
Last week we issued our second consultation paper on implementing the regime, and we plan one more such paper which will be more in the form of a wrap-up of points raised and a few outstanding actions. Any structural reform measure involves complex implementation, the devil is always in the detail, and we need to get that right. I read from time to time that we are apparently watering the regime down via the implementation. I can assure you that we are not doing so, and we should not because that would go against the will of Parliament. But the regime sensibly allows for a degree of flexibility in how the requirements are implemented, recognising the differences in business models, legal structure and strategy of various firms. That was essential and sensible because a rigid definition of the fence would not work well for all firms.

To ensure balance, I should say that I also get the opposite commentary, that the implementation is too rigid. One particular form of this commentary is that our rules on the governance of the ring fenced bank within a group mean that it will be independent in all respects, and that, proverbially, it will be able to stick two fingers up at its parent. No. The ring fenced bank will have to observe the law in respect of the requirements of ring fencing, not more than that. This is not really different from the position for banks that have subsidiaries operating in other countries; they have to respect the laws of the country in which they operate.
But, let me be clear what it does not mean: it does not mean that the ring fenced bank can set its own strategy and thereby ignore the group to which it belongs; it does not mean that it can set its risk appetite in isolation of the group to which it belongs; it does not mean that it can refuse to pay a dividend to its parent if it is adequately capitalised both now and looking forwards using stress tests (in other words, it does not have a reason to trap excess capital); and it does not mean that its CEO can ignore the Group CEO. But, and this is crucial, the group cannot require the ring fenced bank to break the rules of ring fencing. I hope this is clear. If you think we have watered down the regime, please let me know.

Competition

I want to finish on an equally important subject, namely competition in the banking industry, which is of course topical today in view of the CMA's report. The PRA has been given by Parliament a so-called secondary objective which I think is best described as requiring us to act in respect of the competitive implications of our own actions and inactions but only to the extent that we are not undermining our primary objective for banks of safety and soundness. We have been working to embed the secondary objective in the PRA, and to date our most publicised actions have been in the area of new bank authorisations. The PRA has authorised ten banks in the last two years, and currently we have a substantial pipeline of interested parties. We are thinking about competition in our domestic work, but also about how we approach international policy issues. For instance, this week our response to the European Commission's consultation on the impact of the new capital regime has been published.
It is quite often said that aspects of the capital regime discriminate against smaller banks and building societies that use the so-called standardised capital approach versus larger banks that use their own models. The consequence of this is that smaller banks and building societies cannot compete effectively in lower risk asset markets such as prime mortgages because the capital requirements are too far apart and in favour of large banks. This forces them into riskier assets and undermines their position. This is an area where the leverage ratio acts to counterbalance the difference, a point that is not well enough understood. But in our response to the European Commission we said that while the financial stability benefits from regulation of large, internationally-active banks mean these firms should meet global standards, a differentiated approach for smaller firms would recognise the high costs and smaller benefits of applying global standards to them, and should enable us to find ways to create a regime which is more simple and which reduces their reporting burden. This would help to foster competition and would be good for the European Single Market.

This is an important issue, and one that matters if we are to have growing challenger banks. We want to put such a regime into effect, and thus demonstrate that at the PRA we are very serious about our competition objective. I hope the European authorities will likewise pursue this important change. We will also be arguing in Basel and in the EU to narrow the gap between standardised and internally modelled capital requirements for prime mortgages including by having more risk sensitivity in the standardised approach. And, we have also tightened the standard for models.
I also want to be clear that we welcome internal model applications by smaller banks and we will do what we can to help them meet the required prudential standards, which are largely set out in the EU legislation.

Lord Mayor, a year in your office is never dull, and likewise our world is certainly full of interest. I have ranged quite widely this evening to give a report on a number of our key areas of activity. There are however some very important core principles at the heart of our work, getting the incentives right for firms and individuals, and establishing the importance of personal responsibility within an appropriate setting. I have been blunt on one or two points and this may provoke debate. This is a good thing, and we will have the opportunity to return to the debate on these issues at The Open Forum being organised at the Guildhall on November 11th. I know you will be there, as will Tracey and I. Please, will everyone participate, and to find out more consult the Bank of England website. Thank you.

Game changers in financial markets regulation, innovation and cybersecurity

François Groepe, Deputy Governor of the South African Reserve Bank, at the STRATE, PASA and GIBS Conference, Johannesburg

Introduction

Good day, ladies and gentlemen. I would like to thank the organisers of the STRATE, PASA and GIBS Conference for inviting me to give this keynote address. I look forward to sharing my views on the developments that can be considered game changers that may affect financial markets and shall focus primarily on regulation, innovation and cybersecurity in this context. A game changer can be defined as "a newly introduced element or factor that changes an existing situation or activity in a significant way".
Another way of thinking about game changers may be in terms of what the well-known Austrian-born economist, Joseph Schumpeter, called "creative destruction". Schumpeter, writing on economic and social evolution in his work Capitalism, socialism and democracy in 1942, wrote:

"The opening up of new markets, foreign or domestic, and the organisational development from the craft shop to such concerns as US Steel illustrate the same process of industrial mutation - if I may use that biological term - that incessantly revolutionises the economic structure from within, incessantly destroying the old one, incessantly creating a new one. This process of creative destruction is the essential fact about capitalism."

Inventive economists have since adopted this term to describe the disorderly manner in which the free market delivers progress. The disruptive nature of innovation is essential for both progress and prosperity, and the theory of "creative destruction" gives us some insights into understanding this phenomenon and the evolutionary changes that follow in its aftermath. Disruptive innovation brings opportunity in the form of productivity gains, for example, but it also brings challenges such as increased cyber-threats and vulnerabilities stemming from the greater degree of interconnectedness and, in the latter case, increased risks of contagion. Regulation, by necessity, has to keep pace and respond to the changing environment. Unfortunately, regulators often play catch-up due to the speed of technological change and innovation as well as their lagging ability to fully understand the technology and the risks that it may give rise to.
Despite this, regulators should promote an environment that is conducive to technological change and at the very least not become a hindrance or frustrate innovation as it supports economic development and growth. In this regard, the OECD opines:

"One of the important lessons of the past two decades has been the pivotal role of innovation in economic development. The build-up of innovation capacities has played a central role in the growth dynamics of successful developing countries. These countries have recognised that innovation is not just about high-technology products and that innovation capacity has to be built early in the development process in order to possess the learning capacities that will allow "catch-up" to happen - Ultimately a successful development strategy has to build extensive innovation capacities to foster growth."

1. Regulatory developments affecting financial markets

The most recent global financial crisis has impacted negatively on the global economy and financial markets, and has revealed significant deficiencies in the policy frameworks of many countries. In an attempt to address these deficiencies, the G-20 has called for financial markets and regulation to be reformed, with the objective of making financial systems more resilient. This initiative has accelerated the rate of reform, with governments putting increasing pressure on regulatory authorities to adhere to and implement international best practice and standards. Activities offered by financial service providers in the financial system are highly interconnected, and these services are inseparably integrated into both the domestic and the international economy, which means that regulatory authorities had to take note of the way in which these markets are developing and the role they play within the broader global context.
The magnitude of the financial system and regulatory reform has been unprecedented. The reforms have focused mainly on the banking, insurance and financial markets and providers of financial services, as well as on the infrastructure supporting these sectors. As regulatory frameworks develop and reforms are implemented, new aspects to financial regulation come to the fore. Previously, regulators were mainly concerned with the supervision of banks and the oversight of payment systems. Now they have to contend with a much broader universe (which includes non-bank participants in the financial markets) and consider shadow-banking, how it affects the financial system and financial stability, and how to regulate these activities. The focus, however, is no longer narrowly on prudential regulation. In this age where we are confronted with a society that is well informed and digitally connected, that proactively engages in consumer activism and that places great emphasis on values such as fairness, the spotlight shines brightly on issues such as market conduct, transparency and calls to "level the playing fields". It is indeed so that regulation and liberalisation happen in cycles, and periods of deregulation are often followed by periods of re-regulation. Given the devastating effects of the most recent global financial crisis, the astronomical social costs resulting from it, and the perceptions around the role that financial engineering and technology alongside deficient supervision and regulation played in the run-up to the crisis, we have inevitably been catapulted into an epoch of re-regulation.

Regulators and economic agents alike face a number of challenges at this point in time. These include:

1. International standards have been developed - for markets, regulators and participants - to assist with the management of risks and even behaviour. Whether they are encapsulated in the new Basel III requirements for capital or liquidity, or in the Principles for financial market infrastructures, or in the codes of conduct, these standards are introducing requirements that require adherence. Non-compliance with these standards is likely to lead to hefty penalties. There is a strong demand for participants to be accountable and responsible, and to incur liability if they are not playing by the rules. This has resulted in numerous large financial-sector firms being slapped with fines running into billions of dollars.

2. Standards are inextricably linked to the next point, which is governance arrangements and remuneration. Governance arrangements have been a focal point for some time now, and recent events in international markets have highlighted the importance of good governance and of ethical behaviour from all stakeholders. The global financial crisis has also refocused the attention of regulators on the remuneration structures of management and other individuals participating in financial markets and systems. This, in some ways, can be related to what economists describe as the "agency problem" and which under certain conditions may result in risk-shifting. This is a key area of focus of reform in attempts to promote the soundness of the financial sector in particular, hence governance arrangements and remuneration continue to be intensely discussed at various international regulatory forums.

3. "Shadow-banking" and "new (non-bank) participants" have come into sharp focus since the global financial crisis due to their role in the run-up to the global financial crisis and in financial regulatory arbitrage.
Efforts to regulate these entities will intensify. This is likely to draw criticism from certain quarters but is entirely justifiable. The reason is that shadow-banking has the potential to transform the financial environment, to open up markets, to promote financial inclusion, to reduce frictional costs, and so forth. Hence, the further development of shadow-banking should be encouraged, simultaneously mitigating any risks that these entities may pose to the financial system and ensuring that the playing fields are level.

4. Financial market infrastructures (or FMIs), resolution and cross-border issues constitute a further challenge. Central banks have traditionally fulfilled the role of lender of last resort to commercial banks. The global financial crisis has shown that central banks may need to reconsider this function and consider the role of FMIs. Financial markets are interconnected and integrated internationally, creating a further challenge for central banks as they need to consider the position and cross-border transactions of global FMIs.

5. Conduct has already been raised in terms of standards, codes and governance. As much as financial market participants must come to terms with the fact that there are now a multitude of regulators to contend with, regulators need to consider the mandates of other regulators and agree on arrangements or memorandums of understanding to work with one another to create an enabling environment for a safer financial sector. It is also vitally important that regulators do not merely regulate because that is their mandate. It is vital that the impact of regulation is properly assessed ex ante and that careful consideration is lent to the possible unintended consequences and the economic costs of unnecessary regulation or so-called "red tape". Regulators should strive towards smart and effective regulation as opposed to simply issuing more regulations.
2. Innovation and financial markets

Regulators should not inhibit innovation. However, as custodians of financial stability, central banks in particular are tasked with the safety and efficiency of financial systems, and should act appropriately to address any risks that may emerge.

Electronic trading in South African bonds

During 2012, the Bond Market Development Committee, under the auspices of the Financial Markets Liaison Group, embarked on an initiative to enhance liquidity in the South African bond market. The Bond Market Development Committee, chaired by National Treasury, and in consultation with the World Bank and bond market stakeholders, has made considerable progress and is currently at an advanced stage of the development of an electronic trading platform; it is envisaged that the platform will be introduced before the end of this year. The initial phase will, however, include only government bonds; it will be expanded to corporate bonds at a later stage. Initially in the electronic trading platform, primary dealers will be the only "price makers" while the rest of the market will be "price takers" but with full access to trading and pricing information. In addition to the general benefits of enhanced market transparency, credit risk management and trading, the electronic trading platform also aims to improve liquidity by expanding this platform to include other market participants complying with the requirements as market makers, in addition to the primary dealers. Competition among market makers is paramount to supporting liquidity at an instrument level and to minimising transaction cost.
The introduction of the electronic trading platform will enable National Treasury and the South African Reserve Bank to monitor market-making activities in the secondary bond market, which could result in the enhanced monitoring of liquidity conditions.

Enhancements to over-the-counter trading

In response to the recommendations of the G-20 and the subsequent Principles for financial market infrastructures, the South African Central Securities Depository, known as STRATE, is in the process of addressing the lack of transparency and risk management in over-the-counter (or OTC) instruments. To address these concerns, the Financial Markets Act was promulgated and regulation was passed to include the clearing through a central counterparty and to record all the financial transactions of OTC derivatives contracts in a Trade Repository.

Collateral optimisation

In collateral markets, "collateral optimisation" has become a key objective. Not only do banks invest in systems that optimise the way in which their collateral can be utilised, but vendors and central securities depositories now also provide these services to their clients. These smart systems have built-in intelligence which optimises the way in which the collateral is applied and will substitute assets if required. An example is the Clearstream collateral management system, which is gaining momentum globally.

The speed of transactions

The need for faster services, trading, transactions and payments is stimulated by a generation demanding access and speed, accommodated by the proliferation of new technologies, growing familiarity with technology, and expectations of real-time satisfaction if not gratification - not only in financial market transactions and payments, but also in communication, services, social media and entertainment.
Participants in financial markets have created systems which enable the "trawling" of financial markets to detect opportunities within markets and then to transact on these opportunities within milliseconds - also termed "high-frequency trading". Not only do these transactions take place within seconds; the system development and innovation within financial markets makes it possible to transact from anywhere in the world 24 hours a day, seven days a week.

Blockchain technology

Blockchain technology, another example of the recently trending phraseology, enables the ordering (grouping) of various transactions in an inexpensive decentralised manner by making use of a number of servers. These transactions are not only limited to near-real-time payments but can also include financial market transactions and information relating to the settlement thereof. Blockchain has the ability to reduce transaction costs, as it takes away the requirement for intermediaries and is completely decentralised. Blockchain is still in its infancy and while regulators and markets are still trying to get to grips with the concept of Bitcoin, newer or more innovative technologies are already on our doorstep.

3. Cybersecurity

The developments in cyberspace are a cause of concern for regulators, financial market participants, business and informed consumers. With the interconnectedness of systems and the ease of Internet access, regulators need to understand the cyber-threats that the financial system is exposed to. Nearly every week one reads about the latest victim of a cyberattack, and the targets range from banking systems through consumer information held by retailers to social media facilitators and even governments. The rapid developments in technology and the cyber-world have opened the doors to a new and uncharted frontier.
Companies and countries alike are trying to get to grips with this latest threat and to find ways in which to mitigate the risk while protecting their information and reputation at the same time. Governments, central banks, financial service providers and companies are expanding their cyber-protection capabilities. This means there is a growing demand for the limited technical skills available in this environment. The focus is, however, not only on prevention. In responding to security breaches, one has to respond with agility and speed while trying to limit the damage done and importantly to ensure continuity of service.

Conclusion

In conclusion, I would like to revisit the idea of a "game changer". A game changer can be the discovery of something as small as a molecule or the invention of something that transforms the way in which we communicate, like mobile telephony. The way in which one looks at game-changing innovations will alter the way in which one sees the world and will affect one's strategies and business plans. Game changers can be perceived as opportunities or threats, and both the number and the frequency are likely to increase in the future. No country can afford to have a myopic view and narrow national focus when it considers the game changers in financial market developments. Equally, regulators cannot afford to be left behind and only react to the changes in financial markets. Regulators must work alongside all stakeholders and not only the incumbents to try to understand the disruptive innovations and the policy implications thereof. It is important to emphasise the point of incumbents, as Rajan and Zingales eloquently set out the role that incumbent coalitions play in financial system developments but also underline how such coalitions may hold back financial sector development.
Lastly, regulators need to be agile and forward thinkers and appreciate that their role extends beyond simply regulating. Their role is to help facilitate progress with the ultimate objective of improving the quality of people's lives. Thank you.

NCSA statement following report of data breach at Experian, exposing T-Mobile customer data

Following a massive data breach at Experian, 15 million current or former T-Mobile customers woke up this morning to unsettling news: their sensitive personal information – names, addresses, Social Security numbers, birthdays and unique identification numbers – is now likely in the hands of malicious hackers. According to news reports, this is not the first time Experian has faced a data breach of this nature. It’s not surprising that data brokers or credit bureaus – who collect millions of people’s most private details – are prime targets for cybercriminals, but it is disconcerting. More than 80 percent of data breach victims firmly place the responsibility of protecting their information on data brokers, according to a new victim impact survey by the Identity Theft Resource Center. Following a string of recent attacks on Experian and others, it is clear that data brokers need to do more to meet consumers’ expectations.

“When consumers entrust companies with their personal information, they expect their data to be stored as safely and securely as possible and their privacy protected,” said Michael Kaiser, executive director of the National Cyber Security Alliance. “Learning that this trust has been broken – through no fault of their own – can be highly distressing. As much as we have come to rely on technology, we must do so with the understanding that it is not risk-free.
We urge anyone impacted by this incident to take actionable steps to better protect their digital data, such as by turning on two-factor authentication on email and financial accounts, not clicking on suspicious links, and using public WiFi wisely.”

This breach occurs during National Cyber Security Awareness Month, co-led by the Department of Homeland Security and the National Cyber Security Alliance, and serves as a reminder of the need for everyone to take steps to be safer and more secure online. It is a good time to remind consumers impacted by this breach – and everyone else – to take the following proactive steps to better secure their digital lives:

1. Get two steps ahead and protect core accounts – such as email, financial services, and social networks – with multifactor authentication. Multifactor authentication requires a second step, such as a text message to a phone or the swipe of a finger, to be used in addition to a password to log on to an account. This second step makes it significantly harder for accounts to be accessed by others. Email accounts in particular are extremely important to protect as, once breached, hackers can use them to reset passwords and credentials for other accounts. For more information visit www.stopthinkconnect.org/2stepsahead

2. Clean and keep clean all machines. Immediately update all software on every Internet-connected device. All critical software including PCs and mobile operating systems, security software and other frequently used software and apps should be running the most current versions.

3. Monitor activity on your financial and credit card accounts. If appropriate, implement a fraud alert or credit freeze with one of the three credit bureaus (this is free and may be included if credit monitoring is provided post breach).
For more information, visit the Federal Trade Commission website: www.identitytheft.gov.

4. Change passwords on accounts that don’t offer multifactor authentication. Change and make better passwords. Passwords should be strong and easy to remember. It is always better if they are longer and consist of combinations of passphrases, numbers and symbols. Important accounts should have unique passwords not used to access any other accounts.

5. When in doubt, throw it out. Scammers and others have been known to use data breaches and other incidents to send out emails and posts related to the incident to lure people into providing their information. Delete any suspicious emails or posts and get information only from legitimate sources.

Data breaches have become more commonplace, and everyone should take these simple, actionable steps to protect themselves online. It is also important to respond quickly in the wake of hearing or suspecting that personal information has been lost or stolen.
Other helpful resources include:

www.stopthinkconnect.org (general online safety and security information)

www.identitytheft.gov (the Federal Trade Commission’s website to guide consumers after your information is lost)

www.bbb.org (resources for small and medium businesses and information about consumer scams and fraud)

www.idtheftcenter.org (for help with identity theft)

If you believe you have been the victim of a cybercrime you can report it to: The Internet Crime Complaint Center at www.Ic3.gov

Hearing at the Economic and Monetary Affairs (ECON) Committee of the European Parliament

Gabriel Bernardino, Chairman of EIOPA

Mr Chairman, Honourable members of the Committee on Economic and Monetary Affairs, Thank you for inviting me to our regular exchange of views which plays a fundamental role in honouring our accountability towards the European Parliament. This hearing provides me with the opportunity to report to you on how we are achieving our objectives and delivering on the tasks assigned to us during the last year and to highlight some of the challenges that we are facing going forward.

Supervisory convergence

I am happy to be here just less than four months before the full implementation of EIOPA’s top-priority project - Solvency II, which will start on 1 January 2016. Since the end of 2014, the strategic focus of EIOPA’s work on Solvency II has been on supervisory convergence, with the aim to ensure the highest consistency possible in the implementation of Solvency II across the EU. This is a project that has delivered state-of-the-art risk-based regulation in Europe, and which is the outcome of joint efforts by the co-legislators, regulators, supervisors and industry and consumer representatives. The European Parliament has played a key role in this process.
As a first step towards ensuring this consistency, in the past 12-month period, EIOPA delivered in total 18 Implementing Technical Standards (ITS), of which six have already been endorsed by the European Commission (EC). We also delivered two sets of Guidelines that cover the most relevant areas and elements of the Solvency II framework. Some of these Guidelines concern the basic alignment of supervisory processes, while others provide clarity to firms on supervisors’ expectations, while reducing the risk of divergent interpretations by national supervisors.

While regulatory stability is paramount in the run up to the Solvency II implementation date, EIOPA quickly responded to a request to take a more granular look at the treatment of infrastructure projects. During the first half of this year EIOPA published a discussion paper; consulted representatives of public authorities, insurance and infrastructure industries, asset managers and academics; and finally launched a public consultation in early July. In the consultation paper we propose new definitions and criteria for identifying qualifying infrastructure debt and equity investments, which may warrant more specific treatment in the standard formula capital calculation. We made some proposals for a better calibration of the treatment for these qualifying infrastructure investments and additional risk management requirements. Currently we are considering the feedback received during the public consultation and our final advice will be submitted to the European Commission by the end of September. One thing is clear to me: calibrations need always to be based on evidence, and we should stand firm against privileging or incentivising specific asset classes.
A regime that creates incentives that are not properly aligned with risks will see the emergence of price distortions and vulnerabilities.

Knowing that new legislation is always more burdensome for smaller companies, we have made the proportionality principle a cornerstone of our work. EIOPA’s goal in this regard is to make sure that Solvency II is implemented in a manner which would be proportionate to the nature, scale and complexity of companies’ risk profiles. Proportionality is embedded for example in the Solvency II regulatory templates, a significant area of potential costs. So, we have ensured that companies with simple business models, few business lines and simple investment strategies will see their reporting requirements significantly diminished. SMEs will see reduced frequency in reporting, with quarterly reporting concerning only some core elements.

Furthermore EIOPA worked very closely with the European Central Bank (ECB) to align the new ECB statistical reporting requirements with the Solvency II reporting requirements. The result is that a large part of the ECB requirements will be met by the Solvency II data and the additional reporting in the form of ECB add-ons will be provided within the same reporting framework. This avoids, to the maximum extent possible, any unnecessary burden on the industry.

In order to support SMEs even further, in summer 2015 EIOPA published the Tool for Undertakings (T4U) related to XBRL reporting under Solvency II. With this tool we assist SMEs in creating, editing and validating XBRL reporting documents. The Tool is offered for free and will help firms without knowledge and resources to implement Solvency II harmonized quantitative reporting. Estimations show that approximately 1,200 undertakings will make use of the T4U.
The Tool is also widely used for quality assurance purposes both at SME and NCA level.

The availability of relevant Technical Information is also of great importance for the industry and supervisors during the preparations for full implementation of Solvency II. Since February 2015 – well ahead of the actual implementation date – we have therefore been publishing the relevant risk free interest rate term structures and related components. This information is a key input for the assessment of the (re)insurance companies’ solvency and financial positions. The use of harmonised relevant risk free interest rate term structures will ensure the consistent calculation of technical provisions by (re)insurance companies throughout the European Union.

EIOPA also adds value to Solvency II implementation by strengthening the oversight of cross-border groups, and in general upgrading the quality and consistency of overall supervisory processes in the EU. Our oversight activities are structured in 3 main areas: Colleges of Supervisors, the Centre of Expertise in Internal Models and Supervisory Oversight.

Colleges of supervisors across the EU have been fundamental in increasing the exchange of information between supervisors, moving towards a more common analysis and measurement of risks. EIOPA’s actions ensured consistent processes at college level and are now focused on more substantial aspects of supervision and supervisory decisions, for instance closely following the discussions around internal model approval.

Created two years ago, our Centre of Expertise in Internal Models proved to be very instrumental in developing new tools and practices in the area of internal models.
In December 2014, we published the Common Application Package, which supported insurers in understanding the granularity of documentation and evidence that is required for the formal internal model application process. In April 2015, EIOPA issued a supervisory Opinion on Internal Models covering some key areas where we found inconsistencies in approaches, for example risks related to Sovereign Exposures and the absence of formal decisions on equivalence. We provided relevant guidance to NCAs and plan to engage with them in a follow-up exercise. Currently the Centre focuses on the development and testing of sound on-going appropriateness indicators and benchmarking for internal models.

In 2014, we created a Supervisory Oversight Team to continue building our relations with NCAs on a basis of mutual trust, while providing NCAs also with a chance for independent and challenging feedback on supervisory practices. In the period under reference this team already conducted 18 bilateral visits to the national supervisory authorities.

As part of its oversight role, EIOPA has in particular been engaged with the national competent authority in strengthening supervision in Romania. EIOPA contributed to a balance sheet review and stress test of insurance companies representing more than 80% of the Romanian market. Both exercises were completed in July 2015, and in full transparency a report was published that identified a need for significant adjustments to the balance sheets and corresponding prudential ratios of a number of insurance undertakings, followed by a number of supervisory measures. This was a credible exercise that proved fundamental for enhancing consumer protection and confidence in the Romanian insurance sector.

Underpinning all the supervisory convergence agenda, EIOPA is also developing a Supervisory Handbook.
The objective is to build an array of good supervisory practices on the different areas of Solvency II. EIOPA expects and encourages NSA’s to adequately implement these good practices in their supervisory processes.

Finally a reference to the important work performed by EIOPA on the development of international standards in insurance. EIOPA’s presence in the IAIS has been a catalyst for a stronger and more aligned representation of EU supervisors.

Consumer protection

Consumer protection is since day one an integral part of EIOPA’s DNA and continues to guide our priorities. EIOPA pursued works simultaneously on different issues that are crucial for consumer protection: transparency, conflicts of interest and conduct risks.

Preparing the future implementation of the new Insurance Distribution Directive EIOPA developed work on product oversight and governance by insurance undertakings. Insurers need to implement proper processes to deal with product design, development and marketing as well as to identify and manage consumer risks.

Furthermore, EIOPA started to develop a comprehensive risk-based and preventive framework for conduct of business supervision on a European level. Failures in business conduct can pose a serious threat to the stability of the financial sector, while mis-selling on a mass scale can lead to serious detriment to individual consumers. This can result in significant reputational damage for companies and for consumers in a material loss of confidence in the financial market. To address these concerns, EIOPA is developing a framework which anticipates emerging consumer detriment, rather than just reacting to problems after they have occurred.
This entails putting in place systematic monitoring to identify conduct risks as these develop, and proportionate processes for assessing those situations in which additional supervisory measures should be considered, including the use of thematic reviews, for instance to “deep-dive” into specific market segments. Monitoring should be developed on the basis of appropriate risk-based indicators.

On the pensions side EIOPA worked on the response to the Call for Advice from the European Commission on the development of an EU-wide framework for personal pension products. In July 2015, we launched a public consultation where we suggested the creation of a simple, trustworthy, standardised and fully transparent pan-European personal pension product, the PEPP. Creating a truly single market for personal pensions in the EU can reduce costs and provide better returns to consumers by increasing economies of scale. It can also help the provision of long-term stable funding to the EU economy and be a catalyst of the Capital Markets Union. Ultimately it can reinforce the trust and confidence of EU citizens in the EU project. After the public consultation is completed, we intend to submit our final advice to the Commission in the beginning of 2016.

Financial Stability

In line with its mandate, EIOPA continued to initiate and coordinate EU-wide stress tests with the purpose to assess the resilience of financial institutions to adverse market developments. In November 2014, we completed an EU-wide stress test for insurance companies based on the upcoming Solvency II regime. We tested a range of credible adverse market scenarios, developed in conjunction with the ESRB, complemented by a set of independent insurance-specific shocks covering mortality, longevity, insufficient reserves and catastrophe shocks.
An additional stress test module addressed the impact of a low yield environment. The EIOPA insurance stress test has provided EU supervisors with an updated picture of undertakings’ preparedness to comply with the upcoming Solvency II capital requirements. By applying a set of rigorous and severe stresses we were able to identify the areas where companies are most vulnerable, in a coordinated and consistent way across the entire EU.

EIOPA’s stress test results showed that the insurance sector is vulnerable to a “double hit” scenario that combines a readjustment of risk “premia” with decreases in asset values due to a continued lower risk free rate. In the current market situation, action is clearly needed from the industry to deal with the vulnerabilities of “in-force” business and to restructure product mixes. Especially within the context of the low interest rate environment, it is important that firms use the time given under Solvency II transitional measures to take the necessary steps to restructure their business models.

As a follow up to the stress test EIOPA issued a set of Recommendations to NCAs. Our recommendations ensured that identified vulnerabilities are addressed by NCAs in a coordinated and consistent way. Supervisors must continue to monitor the situation very closely and challenge the industry on the sustainability of their business models.

In May 2015, EIOPA launched a stress test for occupational pensions. In cooperation with the ESRB, we designed a stress test that considers the key vulnerabilities of pension funds. We highlight as two adverse market scenarios the effects of a prolonged low-interest rate environment together with an independent fall in asset prices. Moreover, we have included a stress scenario analysing further increases in life expectancy.
The objective of the exercise is to test the resilience of Defined Benefit (DB) and hybrid pension schemes to adverse scenarios as well as to identify potential vulnerabilities for Defined Contribution (DC) schemes. The results of the stress test analysis will be disclosed in December 2015.

As part of our work on the solvency of pension funds, we are collecting quantitative information on the impact of different supervisory approaches. We aim to finalize our own initiative work in the first quarter of 2016 with an EIOPA Opinion on a possible framework to assess the sustainability of pension promises. Both the stress test and quantitative assessment were launched simultaneously and have the same reporting template. This was done on purpose in order to limit the burden on IORPs and supervisors and to avoid the duplication of calculations.

Way Forward

Looking back over the last 12 months, I can proudly state that EIOPA has been instrumental in progressing the EU regulatory agenda in insurance as well as occupational and personal pensions. We have reinforced our oversight activities for the sake of stronger supervisory convergence. We have taken fundamental steps towards enhancing consumer protection for the future. Our stress tests serve as a very important supervisory and risk management tool not only for competent authorities but also for the insurance and pensions industry. And finally such work streams as the treatment of infrastructure investments and a pan European personal pension product contribute to one of the Europe’s priority goals – the Capital Markets Union. Taken together, our work of the last year and the coming period shows our continued commitment to preserve financial stability in the EU and enhance the protection of European consumers.

Looking forward, I would like to focus on two main challenges:

1. The post-evaluation of regulation

EIOPA will be very attentive to any material loopholes or unintended consequences of the implementation of Solvency II, especially if they have a negative impact on consumers. Areas like the investment behaviour of insurers and product availability and suitability for consumers will receive special attention. In a period of low interest rates it is of course rational to engage in a “search for yield” but this can create additional risks for insurers, in particular if they invest in unfamiliar asset categories or increase concentrations in certain specific assets. Furthermore, insurers will need to adapt their product design in a sustainable way, pricing correctly the different guarantees and options included in the contracts.

In order to be prepared to perform this evaluation EIOPA needs to ensure the collection and processing of relevant data from the supervisory reporting system being developed for Solvency II. Appropriate market evidence will also need to be collected.

2. The convergence of supervisory practices

In spite of the significant progress that we already made in building up a common European supervisory culture, the way towards supervisory convergence remains a tremendous challenge. Convergence is a journey and often implies change and movement for each party from their status quo. But the benefits of convergence are clear. Our oversight work is starting to prove its vital importance by helping to improve the quality and consistency of supervision in the EU. As we are in an internal market, the quality of national supervision is not only a local issue; it is an EU issue. The EU supervisory system is only as strong as its weakest link. Stronger and more coordinated supervision at the EU level is therefore needed.
Credible and independent supervision is also key for improving the confidence of consumers and investors. It is in all stakeholders’ interest that EIOPA has sufficient human and financial resources to ensure that NSA’s apply proper and convergent risk-based supervision. EIOPA’s drive towards convergence and dialogue amongst NCAs, is essential for avoiding a “mechanistic” and “tick the box” approach to supervision, detrimental both to consumers and the industry. Indeed, the very success of Solvency II depends on a systematic move away from just such mechanistic supervision, and I believe EIOPA has a crucial role in driving forward this change in practice.

Our work on these two challenges will be central, I think, to the coming years.

Finally, allow me to use this opportunity to thank the European Parliament for its continuous support to EIOPA. I sincerely hope that we can continue to carry on our efforts in the spirit of fruitful discussions and cooperation.

I look forward to answering your questions.

Tips from the National Counterintelligence Executive

Traveling Overseas with Mobile Phones, Laptops, PDAs, and other Electronic devices

You should know:

• In most countries you have no expectation of privacy in Internet cafes, hotels, offices, or public places. Hotel business centers and phone networks are regularly monitored in many countries. In some countries, hotel rooms are often searched.
• All information you send electronically – by fax machine, personal digital assistant (PDA), computer, or telephone – can be intercepted. Wireless devices are especially vulnerable.
• Security services and criminals can track your movements using your mobile phone or PDA and can turn on the microphone in your device even when you think it’s off. To prevent this, remove the battery.
• Security services and criminals can also insert malicious software into your device through any connection they control. They can also do it wirelessly if your device is enabled for wireless. When you connect to your home server, the “malware” can migrate to your business, agency, or home system, can inventory your system, and can send information back to the security service or potential malicious actor.
• Malware can also be transferred to your device through thumb drives (USB sticks), computer disks, and other “gifts.”
• Transmitting sensitive government, personal, or proprietary information from abroad is therefore risky.
• Corporate and government officials are most at risk, but don’t assume you’re too insignificant to be targeted.
• Foreign security services and criminals are adept at “phishing” – that is, pretending to be someone you trust in order to obtain personal or sensitive information.
• If a customs official demands to examine your device, or if your hotel room is searched while the device is in the room and you’re not, you should assume the device’s hard drive has been copied.

BEFORE YOU TRAVEL

• If you can do without the device, don’t take it.
• Don’t take information you don’t need, including sensitive contact information. Consider the consequences if your information were stolen by a foreign government or competitor.
• Back up all information you take; leave the backed-up data at home.
• If feasible, use a different mobile phone or PDA from your usual one and remove the battery when not in use. In any case, have the device examined by your agency or company when you return.
• Seek official cyber security alerts from: www.onguardonline.gov and www.us-cert.gov/cas/tips

Prepare your device:

• Create a strong password (numbers, upper and lower case letters, special characters – at least 8 characters long). Never store passwords, phone numbers, or sign-on sequences on any device or in its case.
• Change passwords at regular intervals (and as soon as you return).
• Download current, up-to-date antivirus protection, spyware protection, OS security patches, and a personal firewall.
• Encrypt all sensitive information on the device. (But be warned: In some countries, customs officials may not permit you to enter with encrypted information.)
• Update your web browser with strict security settings.
• Disable infrared ports and features you don’t need.

WHILE YOU’RE AWAY

• Avoid transporting devices in checked baggage.
• Use digital signature and encryption capabilities when possible.
• Don’t leave electronic devices unattended. If you have to stow them, remove the battery and SIM card and keep them with you.
• Don’t use thumb drives given to you – they may be compromised. Don’t use your own thumb drive in a foreign computer for the same reason. If you’re required to do it anyway, assume you’ve been compromised; have your device cleaned as soon as you can.
• Shield passwords from view. Don’t use the “remember me” feature on many websites; re-type the password every time.
• Be aware of who’s looking at your screen, especially in public areas.
• Terminate connections when you’re not using them.
• Clear your browser after each use: delete history files, caches, cookies, URL, and temporary internet files.
• Don’t open emails or attachments from unknown sources. Don’t click on links in emails. Empty your “trash” and “recent” folders after every use.
• Avoid Wi-Fi networks if you can. In some countries they’re controlled by security services; in all cases they’re insecure.
• If your device or information is stolen, report it immediately to your home organization and the local US embassy or consulate.

WHEN YOU RETURN

• Change your password.
• Have your company or agency examine the device for the presence of malicious software.

Disclaimer

The Association tries to enhance public access to information about risk and compliance management. Our goal is to keep this information timely and accurate. If errors are brought to our attention, we will try to correct them.

This information:
- is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity;
- should not be relied on in the particular context of enforcement or similar regulatory action;
- is not necessarily comprehensive, complete, or up to date;
- is sometimes linked to external sites over which the Association has no control and for which the Association assumes no responsibility;
- is not professional or legal advice (if you need specific advice, you should always consult a suitably qualified professional);
- is in no way constitutive of an interpretative document;
- does not prejudge the position that the relevant authorities might decide to take on the same matters if developments, including Court rulings, were to lead it to revise some of the views expressed here;
- does not prejudge the interpretation that the Courts might place on the matters at issue.

Please note that it cannot be guaranteed that these information and documents exactly reproduce officially adopted texts. It is our goal to minimize disruption caused by technical errors.
However some data or information may have been created or structured in files or formats that are not error-free and we cannot guarantee that our service will not be interrupted or otherwise affected by such problems. The Association accepts no responsibility with regard to such problems incurred as a result of using this site or any linked external sites.

The International Association of Risk and Compliance Professionals (IARCP)

You can explore what we offer to our members:

1. Membership – Become a standard, premium or lifetime member. You may visit: www.risk-compliance-association.com/How_to_become_member.htm

If you plan to continue to work as a risk and compliance management expert, officer or director throughout the rest of your career, it makes perfect sense to become a Life Member of the Association, and to continue your journey without interruption and without renewal worries. You will get a lifetime of benefits as well. You can check the benefits at: www.risk-compliance-association.com/Lifetime_Membership.htm

2. Weekly Updates - Subscribe to receive every Monday the Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next: http://forms.aweber.com/form/02/1254213302.htm

3. Training and Certification - Become a Certified Risk and Compliance Management Professional (CRCMP) or a Certified Information Systems Risk and Compliance Professional (CISRCP).

The Certified Risk and Compliance Management Professional (CRCMP) training and certification program has become one of the most recognized programs in risk management and compliance. There are CRCMPs in 32 countries around the world. Companies and organizations like IBM, Accenture, American Express, USAA etc. consider the CRCMP a preferred certificate.
You can find more about the demand for CRCMPs at: www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf

You can find more information about the CRCMP program at: www.risk-compliance-association.com/CRCMP_1.pdf (It is better to save it and open it as an Adobe Acrobat document).

For the distance learning programs you may visit: www.risk-compliance-association.com/Distance_Learning_and_Certification.htm

For instructor-led training, you may contact us. We can tailor all programs to specific needs. We tailor presentations, awareness and training programs for supervisors, boards of directors, service providers and consultants.

4. IARCP Authorized Certified Trainer (IARCP-ACT) Program - Become a Certified Risk and Compliance Management Professional Trainer (CRCMPT) or Certified Information Systems Risk and Compliance Professional Trainer (CISRCPT). This is an additional advantage on your resume, serving as a third-party endorsement to your knowledge and experience. Certificates are important when being considered for a promotion or other career opportunities. You give the necessary assurance that you have the knowledge and skills to accept more responsibility. To learn more you may visit: www.risk-compliance-association.com/IARCP_ACT.html

5. Approved Training and Certification Centers (IARCP-ATCCs) - In response to the increasing demand for CRCMP training, the International Association of Risk and Compliance Professionals is developing a world-wide network of Approved Training and Certification Centers (IARCP-ATCCs). This will give the opportunity to risk and compliance managers, officers and consultants to have access to instructor-led CRCMP and CISRCP training at convenient locations that meet international standards.
ATCCs use IARCP approved course materials and have access to IARCP Authorized Certified Trainers (IARCP-ACTs). To learn more: www.risk-compliance-association.com/Approved_Centers.html

RiskMinds International is the world’s largest and most prestigious risk management conference and is fully established as the most senior gathering of the global risk management community. 600+ CROs, global supervisors, renowned academics and expert industry practitioners will gather together this December to discuss strategic risk management, capital allocation and practical risk modelling.

I will be providing information about the CRCMP training course during the event. I am pleased to be able to offer you a special 15% discount off the booking fee for RiskMinds International. Just quote the discount VIP Code: FKN2436IARCPE to claim your discount.

The latest agenda can be found on the website here, as well as the speaker line-up to date. For more information or to register for the 22nd annual RiskMinds, please contact the ICBI team on:

Tel: +44 (0) 20 7017 7200
Fax: +44 (0) 20 7017 7806
Email: [email protected]
Web: http://www.riskmindsinternational.com/FKN2436IARCPE

I look forward to meeting those of you attending this conference.

Best Regards,

George Lekatis
President of the IARCP
1200 G Street NW Suite 800, Washington DC 20005, USA
Tel: (202) 449-9750
Email: [email protected]
Web: www.risk-compliance-association.com

HQ: 1220 N. Market Street Suite 804, Wilmington DE 19801, USA
Tel: (302) 342-8828

CISRCP and Cybersecurity courses in Europe and Asia

Dear Member,

We are pleased to announce our upcoming instructor-led training courses commencing in Doha, Qatar during November.
Further to our recent and highly successful Cyber Security training course for a leading government entity in Qatar, we are pleased to announce details of two Cyber Security public training courses being held in Doha on November 22-24 and November 25 at Hilton Doha.

Certified Information Systems Risk and Compliance Professional (CISRCP), November 22-24, 2015

The first is a three-day comprehensive training course which focusses on an enterprise-wide approach to Cyber Security incorporating the latest developments in International Standards, Principles and Best Practices in IT Risk Management, Information Technology, Information Security, Cyber Security, Risk Management, Corporate Governance and Compliance (full details attached).

The course comprises 12 main subject areas including:

Information Technology and Information Security
Critical Infrastructure Protection: International Standards, Principles and Best Practices
Risk Management and Compliance
The Frameworks: COSO, COSO ERM, COBIT
National Institute of Standards and Technology - Special Publication 800-39
Assessing Security and Privacy Controls
CERTs (Computer Emergency Response Teams) and Security Incident Response
The Sarbanes Oxley Act: New International Standards
Basel II and Basel III Amendment
Designing and Implementing an Enterprise-wide Risk and Compliance Program
Threat Landscape and Good Practice Guide for Smart Home and Converged Media

The Cyber Security elements include:

The Critical Infrastructure Protection Principles in the USA, EU and comparison with Qatar
The National Institute of Standards and Technology Cybersecurity Framework
The Cybersecurity Strategy of the European Union
The Presidential Policy Directive (PPD) 21 - Critical Infrastructure Security and Resilience
Executive Orders 13587, 13636

The target is the bank: From hacking to cybercrime to cyberespionage, November 25, 2015

The second course is a 1 day interactive training course with hands-on problem-solving exercises, role-plays and present day case studies to ensure organisations maintain a cyber-environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality and privacy.

Upcoming Schedule

Qatar – November 22-24 and November 25, 2015
Bahrain – November 29 – December 1 and December 2, 2015
Dubai – January 24-26 and January 27, 2016
London – February 1-3 and February 4, 2016
Amsterdam – February 22-24 and February 25, 2016
Kuala Lumpur – March 14-16 and March 17, 2016
Hong Kong – March 21-23 and March 24, 2016

IARCP Member Discount

Members of the International Association of Risk and Compliance Professionals (IARCP) are entitled to a 20% discount using IARCP20 when registering online through our training partner Regulatory Intellect.

For more information and to register you may visit: http://www.regulatoryintellect.com/view_instances.php?CourseID=11