Ben Saunders, VP Consulting EMEA at Contino
According to the Financial Conduct Authority (FCA) guidelines on outsourcing IT, firms must be able to “know how [they] would transition to an alternative service provider and maintain business continuity”.
For organisations that realise that the future of digital services belongs to the cloud but want to remain in line with key financial guidelines, this could mean only one thing: multi-cloud.
So, what do the regulations mean for your business’ multi-cloud? The guidance given by the FCA is trying to do one thing: reduce risk. This can be approached from four main angles: operational, concentration, data and exit risk.
Reducing Operational Risk
The operational perspective is all about securing day-to-day operations. Key requirements to meet this include documented and tested risk assessments, skills and resources to mitigate risk and a documented business case justifying risks. The central pillar of an operational risk strategy must be a solid risk assessment.
This must identify all the critical or important functions that the financial institution provides (e.g. current accounts, payments, loans, credit cards, savings accounts) and the risks associated with these services (e.g. technical, financial, political etc.).
Your risk assessment must be documented and reviewed on a regular basis. All the risks that are identified must be assigned to someone to be accepted, managed or mitigated with a clear action plan, with a Material Risk Taker (MRT) wholly accountable for the risks identified as part of the overarching cloud strategy.
The key takeaway here is that many financial organisations, upon first adopting the cloud, struggle to fully understand how their core products, business service lines and customer journeys hang together architecturally. So, the starting point is always to understand what the as-is state is and what your provisional to-be architecture could look like.
As a starter for ten, choose one business service line across each of your core product sets. Identify the components where value could be derived through the adoption of public cloud and establish a repeatable framework that can be used by other sections of the organisation.
Mitigating Concentration Risk
Concentration risk is defined as “the reliance that firms themselves may have on any single provider.” It’s about making sure that you don’t put yourself in a situation where you have all your mission-critical eggs in one basket.
So, what do businesses need to do to mitigate concentration risk in the eyes of the FCA? They need to know the criticality of workloads in the cloud, know where these workloads are and test a plan for how you can transfer these to a different provider in the event of provider failure.
Regarding workloads, note that different requirements apply to different functions. Most important here is whether the function being outsourced is “critical or important”. A critical or important function is one whose failure would “materially impair the continuing compliance of a firm”. Undertake a discovery assessment so you know what workloads you have where and what level of material importance they carry.
When it comes to creating a tested plan for moving to a different provider, one suggested method is:
- Identify a small, low-risk workload in your organisation’s existing cloud that would make a good candidate for an experimental migration to a new cloud
- Execute the experimental low-risk migration
- Whether you fail or succeed: learn from what went well and what didn’t go so well
- Apply the lessons learned to the next experiment
- Continue experimenting, scaling the migration more widely each time
- Write up the results of your experiments into a documented strategy along with evidence of the experiments
- Consult with the FCA to see if they approve of your battle-tested strategy!
Being transparent is a crucial part of an effective engineering culture and here it applies as much externally as internally. Update the FCA frequently and ensure a tight feedback loop between them and your cloud teams.
Reduce Data and Security Risk
How you approach data and security are critical when it comes to reducing risk. Firms “should carry out a security risk assessment that includes the service provider and the technology assets administered by the firm … [c]onsider data sensitivity and how the data are transmitted, stored and encrypted, where necessary”.
Regarding security readiness for public cloud, a poorly thought-out method is taking existing ‘on-premise’ security and compliance controls and enforcing them in a cloud environment.
As part of a cloud adoption strategy, businesses should consider which of their existing security controls should be adopted, which should be adapted, and which should be retired. Using frameworks such as the Cloud Security Alliance (CSA), Centre for Internet Security (CIS) and National Institute of Standards and Technology (NIST) and embedding these using practices such as compliance-as-code will provide organisations with a consistent security pattern that can be applied across each of the major cloud providers, in turn establishing a uniform way of handling security in the cloud.
Regarding data, it’s important to build a view of data tiering and sensitivity of data you’re prepared to push into cloud. This assessment must be wide reaching and include a data residency policy, a data loss strategy, and a data segregation strategy.
Reduce Exit Risk
What if you need to leave a cloud? Your organisation needs to be prepared. Regulations make it clear that you need a documented and tested exit strategy that will, crucially, enable you to meet the regulated level of service for a given workload.
Say, for example, that you had a critical payments system that regulations mandated be 99.99999% available, with a recovery point objective of zero. Your exit strategy would have to ensure that you can still meet this level of service, while you exit your cloud provider.
Achieving this goes back to having really good configuration management practices and architectural principles. No one wants to deal with a monolithic app here! Make sure all applications are as modular as possible, which will support incremental migration patterns to maintain system uptime.
Critical here is that when you are in negotiations with a cloud service provider that you have a contractual agreement in place that guarantees that they will help you to exit with minimal disruption and provide you with the required support to do so.
Most financial institutions are already considering embarking on a multi-cloud journey, however the FCA guidelines should be the prompt everyone needs to really get started. If organisations consider operational, concentration, data and exit risk, they can meet the FCA guidelines and ensure they are running a dependable, profitable and forward-thinking operation.
HOW CHARITIES CAN MEET TOMORROW’S DIGITAL CHALLENGES?
By Steve Georgiou, Business Consultant at Xpedition
Charities are under constant scrutiny for how they handle their finances. Budgets are often squeezed and as a result, it can be hard to justify spending on mediums such as new technology, which aren’t always seen as “necessities.”
And yet, there’s a new generation of workers waiting in the wings who have grown up using technology in all aspects of life. There are also 57% of charity employees who believe the sector’s development is being hindered by a failure to embrace new technology. For those that are willing, a digital strategy has never been more important for a charity’s future outlook.
The Next Generation
Many organisations are not prioritising the technological expectations of today’s younger generation. Everything outside of the workplace for the upcoming generation is already technology-driven, including the skills they’re learning right now. It’s already disrupting industries and career plans, and by the time this generation steps into employment, the way we live and work will have become even more advanced.
Competition in the Third Sector has always been on the up. Donation methods have changed, securing funds has never been more competitive, reporting is now a lot more stringent, and the next generation of employees have defined efficient methods of ensuring the organisation they are employed by is not left behind.
For charities that are using legacy financial systems that are often old, outdated and costly to maintain, if they do not take the steps now to digitally transform, they’ll fall further behind. Good governance dictates that charities should be investing in modern technology to support the organisation in both its medium- and long-term digital strategy. Ultimately, charities want to engage stakeholders and employees, simplify processes, streamline efficiency and guide change – but they cannot do this without investing in modern technology to enable change in this fast-moving digital world we live in.
A Digital Future
In times gone by, financial systems were predominantly used to support the back-office finance function. This has all changed. With advances in technology, such as the latest all-in-one financial management solutions, there are now tangible benefits that add value to the whole organisation.
These tools can strengthen decision making, reduce administration time and provide real-time, accurate reporting, all of which are valuable assets for tomorrow’s demands.
There is a real case to be made for a fully digital third sector using financial technology, one which thrives and gives not-for-profits huge benefits:
Data Management and Analysis
The contemporary digital landscape is all about big and beautiful data. Job roles are evolving to cater for the data boom; organisations are now hiring increasing numbers of Data Analysts and Business Analysts. And one of the most significant benefits that the third sector can expect to see by taking on digital methods is greater data transparency.
The world’s most valuable resource is no longer oil, but data. Data is being transformed into a core asset, one which is being used to tackle charity-wide challenges. Daily admin duties such as data analysis and entry are being taken over more and more by financial management solutions. This not only removes the need for time-heavy, tedious tasks, but also reduces the number of different sources people have to use to find and analyse data.
Whether it is finance, fundraising, HR or anything else, the efforts of the organisation should be in the analysis of the data to make better informed decisions in the best interests of the charity.
Use Cloud to Reduce TCO
The resistance to change and the associated investment have been barriers to digital transformation for charities. Every organisation wants to achieve greater efficiency and free up further funding for their frontline. Activities such as maintaining hardware, and the disruption of upgrading, are all a thing of the past.
From maintenance to mobility, cloud computing can help you to significantly reduce the Total Cost of Ownership (TCO). With the cloud, there is no need for onsite hardware or expensive upgrades – you are simply sent a URL for storage. This offers you the flexibility to scale your data storage capacity depending on your needs at the time, avoiding the need for expensive hardware. This on-demand, “pay as you grow” approach avoids hedging your bets on unnecessary data storage. The cloud also has greater mobility, allowing for remote workers to access communications from anywhere, with no further technology needed. Backup and restore can be initiated from any location, using multiple devices, and does not need maintenance – reducing the need for a dedicated IT person.
Consider Digital, before your Charity becomes marginalised.
With a new generation of workers waiting in the wings, and financial management technology that has the power to provide value for all aspects of the organisation, a digital strategy has never been more important for a charity’s financial efforts. That new generation will not settle for an organisation that is stuck a decade behind due to not embracing change.
COUNTING THE COST OF SILENT CYBER
– Akber Datoo, Founding Partner, D2 Legal Technology
Damaged reputation. Financial loss. Punitive capital adequacy provision. Silent cyber is one of the biggest issues facing the insurance industry. Yet despite the Prudential Regulation Authority’s (PRA) demands for robust action plans, few firms have put in place the document digitisation required to truly understand the level of risk. Further, it is somewhat ironic that an industry that is predicated on pricing risk is failing to assess and understand this risk that exists today in its back catalogue. From determining the current silent cyber position to identifying policy wording changes and analysing the legacy book, Akber Datoo, Founding Partner, D2 Legal Technology, highlights the need to digitise policy documents.
Non Affirmative Loss
“Silent Cyber” is the term given to cyber-related losses that may or may not fall under traditional property and liability policies that were not designed for that purpose.
The concerns of silent cyber have recently come to the fore and the shock waves created by the Mondelez / Zurich Insurance case have reverberated around the market. Whilst publicity may have temporarily abated over the past few months, very few insurance companies have begun to truly address the risk posed by silent cyber. In an industry predicated on strong reputation, the decision by Zurich to reject a claim from a client whose business had been devastated by the NotPetya cyber-attack in 2017 made headlines around the world – not least for citing exclusion for ‘hostile or warlike action in time of peace or war’ by a ‘government or sovereign power’.
Yet as the cost of such attacks is being counted, the impact of silent cyber on the industry as a whole is becoming painfully apparent. PCS Global Cyber has recently attributed 90% of the insurance industry’s losses relating to the NotPetya cyber-attack to non-affirmative (silent) cyber, and the rest to affirmative losses.
Certainly, the PRA believes the UK insurance industry can do more to ensure the effective management of affirmative and non-affirmative cyber risk exposures. It has ordered firms to develop an action plan, with clear milestones and dates by which action will be taken.
Despite the cost to the industry, there remains a concerning lack of consistency in terms of risk awareness and planning as well as risk appetite and understanding. The PRA’s own survey in 2018 revealed significant divergence in firms’ views of the potential exposure to silent cyber. Within Marine, Aviation and Transport (MAT), Property and Miscellaneous lines, exposure was rated at anywhere between zero and the full limits.
With PCS Global Cyber believing the cost to the industry of NotPetya associated claims has now exceeded $3 billion, there is ever greater focus on insurance companies’ cyber stress tests. Fears that gross losses could run into the multiples of annual cyber premiums are very real. However, to date such exercises are based on minimal fact: firms lack robust or reliable claims data relating to silent cyber. As a result, models are immature and there is little faith in the resultant capital adequacy calculations. Just how much capital should the regulator demand firms to set aside against possible exposures when the silent cyber risk is so poorly understood?
In addition to the model and assessment demanded by the PRA, firms need to look closely at existing policy documentation to gain better insight into risk. What is the current position? Does wording need to be amended to address silent cyber risk? How can the legacy book be analysed and key data and wording from the contracts extracted to assess the potential silent cyber exposure going forward?
In many ways, the insurance industry is better placed than many for the challenges ahead. Document digitisation has been on the agenda for some time and the industry has already created clause libraries to make it easier for firms to gain access to vetted policy wordings and regularly used clauses. However, the low take-up of these libraries is disappointing. Not only do firms have a somewhat confusing choice – between the Lloyd’s Wording Repository, the IUA (International Underwriting Association) Clauses Document Library and the Xchanging Model Wordings Library – but the checklist structure is not providing the required solution.
Insurance companies and brokers need to better understand how to use these clause libraries within current business models, preferably in tandem with a document generation tool to improve data management. The goal is to create data-driven contracts, where documents are drafted based on known outlooks. But to get to that point, firms need to actively embrace document digitisation to gain a better handle over the current risk position and create a foundation for rapidly changing wording to avoid any ambiguity regarding silent cyber. Moreover, we need to link wordings in clause libraries to classified business outcomes, and then derive business intelligence from policy portfolios.
No firm wants to risk the reputational damage associated with refusing a high profile claim – nor endure the huge losses associated with attacks such as NotPetya. With the rise in cyber attacks, this is an issue that has to be addressed immediately: firms need to act now and embrace the opportunity of digitisation strategies within policy documentation to mitigate the potentially devastating silent cyber risk.