The OpRisk North America conference was disrupted by an operational risk — a late season snow storm that has snarled transportation and complicated travel plans in the mid-Atlantic and Northeast — but most attendees and speakers chose to go forward, and I’m glad they did, since the conference has given me a big ‘aha’ on emerging risks.
Cyber risks and cyber compliance. In almost every session, presenters and the audience identified cyber risks as the dominant operational risks. For years, GRC experts have highlighted that, with the increasing dependence of business models on digital technologies, cyber risks and cybersecurity strategies would become a critical element of strategic business planning. Now those forecasts by experts have proven out, and chief risk officers are incorporating cyber risks into their risk management strategies.
Cyber compliance is also emerging as a critical discipline of overall enterprise compliance management. From a regulatory standpoint, with the emergence of digital business models, businesses are also grappling with increased oversight from regulators. Almost all U.S. states have data breach notification laws. The first state to regulate data breach reporting was California, which requires notification of consumers for any breach that affects more than 500 customers. Maryland requires notification if even just one customer is affected. The U.S. SEC was an early mover, requiring that public companies report material cybersecurity incidents.
These new rules at federal and state levels have led to greater transparency of cybersecurity. Now, broader, more encompassing state-level cybersecurity laws are rolling out. New York was the first mover in 2017 with the Department of Financial Services Cybersecurity Regulation, and in 2018 many more states are passing legislation to codify the National Association of Insurance Commissioners’ new Model Data Security Law.
Disruptive technology and conduct risks. More privacy regulations should be expected as well. Political abuse of user behavioral and profile information gathered by the new tech giants like Facebook goes back at least to the 2012 election cycle in the US, and has been brought into the limelight with the Cambridge Analytica scandal. The new European General Data Protection Regulation (GDPR) was already slated to go into effect in May 2018. No doubt, now, European authorities will be analyzing GDPR to see if it adequately addresses the abusive practices of Cambridge Analytica, and in the US, the Federal Trade Commission is investigating. Notably, the scandal opens up a whole new front on the challenges of third party information risks, that is, customer risks — ensuring that buyers of information analytical services are not abusing those services.
All of these recent regulatory developments, political intrigues, and corporate scandals must have been in the minds of attendees and speakers at OpRisk when they were polled on their top emerging risks. Disruptive technology tied with cyber risks for the number one position at 47% each. All other emerging risks paled in comparison.
My big ‘aha!’ — Chief risk officers are sensing a vicious cyclone of disruptive technology, conduct risks, and cyber risks. Disruptive technology is being adopted at a faster than sustainable rate — it’s being pushed into service before the lessons from early adopters can be shared with other enterprises. Advanced automation also requires fewer people, but these people are also enabled through disruptive technology that, when abused either intentionally or through ignorance or negligence, can wreak tremendous havoc. The technology is also being pushed out at such a pace that the cyber vulnerabilities are not fully known and addressed — presenting all kinds of opportunities for malicious actors to act at scales never before possible. Inevitably there are going to be problems, and it’s up to CEOs and CROs to act together to ensure that their organizations are not caught up in this vicious cyclone.