The impact of COVID-19 on financial institutions, the economic downturn, and changes to working practices have had broad implications for risk management.
One of these is cybersecurity, a growing concern in recent years that has increased further during the COVID-19 period with employees working remotely. How has risk management responded, and where does it go from here?
COVID-19 has had direct financial impacts on financial institutions. The economic contraction significantly increased credit risk from both retail and commercial customers, and many institutions responded by tightening credit standards. In addition, there may be greater potential for fraud such as from misuse of customer data, invoicing for work not completed, or collusion with disreputable third parties. Deloitte’s Global Risk Management Survey, 12th edition is the latest in an ongoing survey series that assesses the industry’s risk management practices and the challenges it faces. The results found that the changed environment due to the pandemic has raised the importance of effectively managing a number of key issues, especially non-financial risks. Among these risks, cybersecurity has been ranked as one of the top three risks.
Cybersecurity has been a growing problem in recent years and has been further compounded during the COVID-19 period, with employees working remotely outside their institution’s protection and thus being more vulnerable to cyberattacks.
30% of survey respondents named cybersecurity as one of the three risks that would increase the most in importance for their institutions over the next two years, the second most highly rated risk. 61% of respondents considered their institutions to be extremely or very effective at managing cybersecurity risk, and 87% mentioned that improving their ability to manage cybersecurity risk will be an extremely high priority over the next two years.
Institutions face multiple challenges in safeguarding themselves against continuously evolving cyber threats. Given the volatility in the business environment and changing consumer behavior, respondents most often considered staying ahead of changing business needs (e.g., social, mobile, analytics) (67%) to be extremely or very challenging in managing cybersecurity risk. With companies across all industries working to protect their operations against hackers and other cyber threats, there has also been fierce competition for cybersecurity talent, not only with other financial services institutions but also with companies in technology and other industries. As a result, 57% of respondents said that hiring or acquiring skilled cybersecurity talent is extremely or very challenging.
As for Thailand, cybercrime increased by 37% from February 2020 to March 2020, after the COVID-19 pandemic. Part of the reason for this staggering number is the implementation of work-from-home arrangements by many businesses and organizations. This surge in cybercrime suggests that Thailand may not be well prepared to deal with cybersecurity risks, and it is estimated to cost the economy 286 billion baht, or 2.2% of Thailand’s total GDP. With the pandemic still ongoing, even more forms of cybersecurity risk will emerge.
Digital risk management
The economic downturn in 2020 triggered by COVID-19 has placed pressure on revenues and increased the need for efficiency. This pressure is likely to intensify the drive at many institutions to reduce their ever-increasing expenditures on risk management. One potential way to mitigate this challenge is to leverage AI and digital technologies to reduce these expenses while simultaneously boosting effectiveness.
50% of respondents reported that efficiency tools (such as RPA, cognitive intelligence, AI/machine learning) will be an extremely high priority for their institutions over the next two years. Yet, most institutions have not yet implemented these technologies. Cloud computing (46%) was used most often, with fewer institutions saying they use RPA (29%), machine learning (27%), or cognitive analytics (13%).
While these technologies can reduce operating costs by automating manual processes, their benefits go beyond cost reduction to offer substantial improvements in effectiveness and quality. Among many potential applications, they can be leveraged to build controls directly into processes, prioritize areas for testing and monitoring, allow all transactions to be reviewed rather than relying on sample testing, and identify potential risk events in real time to allow preventive action to be taken. By automating routine tasks, they can also free employees to work on higher-value activities.
However, leveraging these emerging technologies requires comprehensive, high-quality, and timely risk data. This is lacking in many institutions due to multiple legacy IT systems for different lines of business or geographic markets, often the result of a series of past acquisitions that were never fully integrated. The data challenges have only grown in the COVID-19 period, with more data being generated from more sources than before as employees work remotely.
In terms of risk data strategy, data privacy was the only area where most respondents rated their institutions as extremely or very effective (60%). The high rating for data privacy may be overly optimistic since only 31% considered their institutions to be extremely or very effective at data controls/checks, which are required to safeguard data privacy. In addition, 63% of respondents said that data privacy, protection, and risk management will be an extremely high priority for their institutions over the next two years. This is probably due to the intense focus on this issue by regulators across the globe including Thailand.
Recently, Thailand has introduced two new laws regarding cybersecurity and privacy, namely the Cybersecurity Act (CSA) and the Personal Data Protection Act (PDPA). The aim of the CSA is to efficiently protect cybersecurity and to establish approaches to protect against, cope with, and mitigate the risk of cyber threats that affect national security and the public sector. The act applies to both public and private sector entities that are classified as Critical Information Infrastructure (CII). The PDPA was adapted slightly from GDPR. Under the PDPA, data subjects have the right to control how their personal data is collected, stored, disseminated, and protected by organizations.
To conclude, the pandemic has increased the importance of effectively managing nonfinancial risks. COVID-19 tested the operational resilience of institutions and their ability to rely on digital tools to allow their employees to work virtually. Employees working remotely have created additional cybersecurity challenges. Institutions may be more vulnerable to cyberattacks, fraud, and breaches of customer data, which could expose them to greater risk of noncompliance with data privacy requirements. The potential for conduct risk can grow since conversations with customers may not be subject to the same monitoring and controls.
As the pandemic continues, institutions should consider how they can maintain productivity if the new business practices that emerged from COVID-19 become the new normal. Risk management will need the flexibility to respond quickly to volatile economic conditions and changing work practices, while continually monitoring which changes are temporary responses to the pandemic and which are to become permanent.
By Parichart Jiravachara, Partner, Risk Advisory @ Deloitte
Reference: Deloitte Insights, “Global risk management survey, 12th edition”, February 2021.