Aon  |  Financial Institutions Practice
The Evolving Digital Risk Landscape in the Banking Sector

Release Date: November 2022

Digital transformation creates many opportunities for banks and large financial institutions, but those same advances in banking technology also present new challenges.

Hybrid work, competition from fintech companies and customer expectations have combined to force banks to quickly evolve their technology operating models and customer offerings, introducing new risks for cyber security, data privacy, business disruption and intellectual property (IP) infringement.

We gathered a group of top risk management professionals in banking to discuss these emerging risks and strategies to mitigate them in a recent webinar. Read on for the highlights of that conversation.


Confronting New Forms of Risk

The need for risk mitigation in the financial sector has never been more urgent. As banks continue to rebrand themselves as technology companies, banking regulators are paying close attention to how risk management frameworks are keeping up with the pace of change. Meanwhile, financial institutions paid out about $1.2 billion in ransomware cases in 2021.

“There’s a lot more chatter in the circles from a risk and security perspective,” said Gary Kausmeyer, Executive Vice President and Chief Risk Officer at Capital Bank. Now is the time to double down on investments in cybersecurity infrastructure. “These aren’t ‘nice-to-haves,’” Kausmeyer continued.

And for institutions expanding via acquisition, cyber security can be even more challenging. When acquiring systems and assets, you’re also acquiring risk. “That opens up our spectrum in terms of technology and digital risk that we need to manage,” said Zahira (Zah) Rodriguez Gonzalvo, Senior Vice President and Head of Financial, Climate and Operational Risk at Banco Popular.

The cloud can be a resiliency network in the event of a cyber attack, but financial firms also face new aggregation risks within that environment. Customer data privacy and safety is an especially sensitive topic.

Traditional risk management exercises like scenario planning are critical. Gonzalvo and her team are adapting scenario planning exercises traditionally deployed in the event of a natural disaster or health crisis to practice their response to potential cyber threats.

Kausmeyer sees similar trends in his role. “There’s a focus on continuity and resiliency,” he said.

Your stakeholders want to see that you have the ability to anticipate and overcome future threats to cyber security. Assess your institution’s weaknesses so you know where to shore up your digital infrastructure moving forward.

U.S. federal cyber assessment tools and Aon’s tool can help you evaluate how you compare to peers when it comes to controls and preparedness for a data breach or other cyber incident that jeopardizes customer trust. Being proactive about risk and gaps in security can help you prevent damaging incidents.


Responding to a Tighter Underwriting Climate

This digital environment creates new challenges and exposures for underwriters to grapple with. Traditional insurance products allow for gaps and overlaps in coverage that need to be addressed. “Technology is being brought in-house,” said Danielle Librizzi, Head of Professional Liability and Cyber for QBE North America. “It’s the future of the banking industry.”

The insurance industry overall isn’t keeping pace with changes in banking, Librizzi said. Insurance solutions will need to be structured to more closely align with how banks view their operational risks. Insurers that instill a culture of cross-pollination across related product lines will be best positioned to support this client segment going forward.

In the near future, rates will likely start to flatten. At the same time, underwriting in the financial sector has become more disciplined, and carriers are making specific security requirements a condition for obtaining coverage. System failure is still achievable in the market, Librizzi said, but contingent business interruption is the greatest point of concern.

Implementing robust measures to control risk can differentiate your institution from an underwriter’s perspective. Be proactive in preparing for changing regulations, and demonstrate through your actions and investments how your institution thinks about risk.


Addressing a New Class of Risk: Intellectual Property Infringement

As banks invest in technology – whether developed in-house or in partnership with outside vendors – they need to consider the new IP risks this introduces, said Peter Holz, Senior Vice President and Commercial IP Risk Leader at Aon. That’s been heightened recently because of public litigation against several major banks.

One priority is bridging the knowledge gap between risk and legal, the latter of which usually better understands IP matters. Large financial institutions and banks are beginning to invest in portfolio management and heads of IP — a role many tech companies have had for years — but more importantly, in technology innovation within their firms.

Ultimately, there are two types of core IP risk solutions: homegrown or vendor products. For in-house developed technology, many financial institutions are investing in digitization and technology that now competes with the “tech” world. Similarly, when it comes to vendors, Holz says, many institutions are concerned about third-party risks because they ultimately haven’t created the product. Aon has developed over $250mm of insurance capacity to hedge infringement risk and offers a tool for vendors to become risk-certified quickly.

As your institution evaluates risk and develops a plan for managing it, ensure you include the right stakeholders in the conversation. Digital risk in the banking sector touches every aspect of your operations and processes and will require approaching digital risk solutions from a cross-functional perspective.




Contact


To discuss any of the topics raised in this article, please contact Joel Sulkes.

Joel Sulkes
Global Financial Institutions Industry Leader
New York