Staying Ahead of the Financial Industry’s Next Wakeup Call

The financial services sector is no stranger to stringent regulation. At the very least, financial institutions are audited every 18 months. But without a proper security posture, complying with the likes of the Payment Card Industry Data Security Standard (PCI DSS) and others doesn’t always have the dual benefit of protecting against breaches: the PwC 2015 Global State of Information Security report noted a 141% year over year increase in the number of financial services firms reporting losses of $10 million to $19.9 million.

This tells us a few things: first, compliance is all about a company’s interpretation of the rules, which can be bent and glossed over–compliance is, after all, a minimum standard to which firms should adhere. Additionally, regulation needs to have more teeth as security threats become more sophisticated and targeted. Most importantly, with the regulated ecosystem being so complex, institutions should identify the elements prescribed most frequently across compliance mandates and put solutions in place that meet them. While doing so won’t guarantee complete security, it will put firms in the best possible position to protect against attack while simultaneously satisfying auditors.

The Cost of Compliance

The 2014 SANS Financial Services Security Survey, which examines the drivers for security-related spending in the financial services industry, reports that 32% of organizations spend more than one quarter of their IT security budget on compliance mandates. Nearly 16% of respondents say they are spending more than 50% of their security budgets on compliance.

Unfortunately, this investment in compliance doesn’t translate into security investment dollars. In fact, the survey also demonstrates that certain drivers behind firms’ information security programs are competing for resources with compliance mandates; while 69% of respondents say that demonstrating regulatory compliance is a top driver, a majority also cited drivers that tie closely to that, including reducing risk (64%) and protecting brand reputation (51%).

To ensure investment in security and compliance are not mutually exclusive, it takes effort on both sides–firms should put more effective solutions in place, while regulators should have stronger directives to encourage firms to streamline those efforts.

Securing the Endpoint

Specifically, firms should put systems in place that address endpoint vulnerabilities, including insider threat and malware on the devices, rather than relying on network solutions. The same SANS report shows that endpoint vulnerabilities were the biggest causes of security incidents among financial institutions, with abuse or misuse by internal employees or contractors (43%) and spear phishing emails (43%) the most prevalent, followed by malware or botnet infections (42%).

It doesn’t take long to find explicit cases that corroborate these findings. The JPMorgan breach, which impacted nearly 76 million households, came down to a hacker who gained high-level administrator privileges. Put simply, the cause of the breach wasn’t necessarily sophisticated malware, but rather the routine IT administrator tasks that were compromised. Clearly, while perimeter technologies like firewalls can prevent certain types of external attacks, they cannot block malware that has already found its way onto endpoints within an organization. Layering proactive solutions will be critical to preventing serious threats from occurring.

Least Privilege: The One-Two Punch

Proactive solutions should incorporate layering elements like patching, application whitelisting and privilege management. Taking this defense-in-depth approach will enable financial organizations to more effectively protect against the spread of malware, defending their valuable assets and ultimately their reputation. The dual benefit? They will satisfy auditors.

The least privilege methodology in particular, which removes administrator privileges from individuals and grants them to certain applications instead, is broadly prescribed across multiple financial mandates in the United States–from PCI DSS, to Federation of Defense and Corporate Counsel (FDCC) to the Sarbanes-Oxley Compliance (SOX) mandate. For instance, the PCI DSS has a specific requirement to log the activity of privileged users and states that employees with privileged user accounts must be limited to the least set of privileges necessary to perform their job responsibilities.

Internationally, the practice is even more strictly enforced. For instance, the Monetary Authority of Singapore (MAS) has technology risk management guidelines that detail a number of system requirements–such as limiting exposure to cyber and man-in-the-middle attacks – that would be very difficult to achieve without a least privilege environment. In fact, the document presents one section dedicated entirely to least privilege. Here, requirements encourage restricting the number of privileged accounts and only granting them on a ‘need-to-have’ basis. The guidelines also encourage the close monitoring of those who are given elevated rights, with regular assessments to ensure they are always appropriately assigned.

Ultimately, limiting privileged access limits hackers’ attack vectors and also prevents staff from implementing sophisticated attacks like logic bombs, knowingly or unwittingly. At the same time, the practice will help achieve compliance, driving down unnecessary spending. While progress is being made collectively between firms and regulators, more can be done; regulators can bring endpoint security to the top of the priority list and firms can put into practice simpler elements for a strong architecture. The next high-profile security breach shouldn’t be the industry’s wakeup call.

Is Bigger Really Better? Pros and Cons of the Reinsurance Industry’s Recent M&A Wave

The reinsurance industry has recently seen a rise in mergers and acquisitions among some of its biggest players, such as Axis Capital Holdings Ltd. and PartnerRe Ltd. Faced with challenges like soft market conditions and impending regulation around the globe, many companies have turned to consolidation. Case in point: In 2014, acquirers spent $17 billion on property and casualty, multi-line insurance and reinsurance deals – the most since 2011, according to data compiled by Bloomberg.

Claude Lefebvre, chief underwriting officer at Hamilton RE, described M&A as part of a cycle that tends to take place during the soft market. Last year, about 390 insurance transactions were announced for a combined value of almost $50 billion, making it the busiest year for deals since 2008. This begs the question: Is bigger actually better?

At a recent roundtable in Bermuda, a group of executives talked about the pros and cons surrounding the current spate of mergers and acquisitions in the reinsurance and insurance markets. The discussion noted that M&A may not be as beneficial to the reinsurance market as previously conceived, and looked specifically at the long-term benefits (or lack thereof), the potential for culture clashes among merged organizations and the impact of investors.

Here is what some of the conversation entailed:

Long-term benefits of M&A

With a rise in the number of consolidations, many smaller reinsurance companies are under pressure to make a deal sooner rather than later. But does this ultimately increase shareholder value, especially in cases of like-for-like companies?

Brenton Slade, chief operating officer at Horseshoe Group, believes there would be far less M&A activity if management teams took the time to look at the rationale behind the proposed deal and how it would benefit shareholder value over the long term. With this strategy, he believes we would see more money being returned to investors or being deployed into new product lines as opposed to just expanding equity bases.

As stated by Robert Johnson, president at Aon Benfield Bermuda, being a company with $10 billion of capital does not necessarily provide access to much more business than being a $5 billion size company. Potential challenges, such as ensuring companies have the right synergies and the loss of good employees, may outweigh the benefits of a merger.

Culture Clashes

A major issue seen with the rise of mergers is combining two company cultures and their legacy systems into one cohesive unit. A recent study from Xuber showed that cultural integration and incorporation of multiple systems was the biggest challenge faced by companies following M&A.

Issues such as determining what team members stay on, what the company will be called and where the company will be based are huge decisions and can cause a great deal of tension. The integration of existing data systems, legacy systems, contracts and processes is just as challenging.

Companies need to take culture into consideration when acquiring another organization and determining how they will mitigate issues that arise. This can also be used as an opportunity to refresh old legacy systems and integrate new data storage systems to replace outdated technologies.

Additionally, it poses an opportunity for smaller companies to have an advantage when it comes to the M&A process, as they have fewer systems in place and can adjust easier. Smaller companies are also at an advantage when larger companies merge, as they can capitalize on dislocated teams and bring in new lines of business.

Investor Impact

Some believe that investors, and their desire to increase their capital base, are driving much of the current M&A activity. Previously, investors wanted to manage performance; this has changed dramatically as investors have become less focused on performance or meeting certain return or risk policies. Now investors are less involved and often do not understand the reinsurance industry. They are simply looking to increase the size of companies and in turn their capital base, without looking at the long-term impact of consolidation or the benefits of having two smaller companies.

Will Things Keep Getting Bigger?

Bloomberg predicts that we will continue to see a rise in M&A activity as the demand for bigger and more diversified portfolios increases and companies see it as the only option to remain competitive. Smaller companies will likely feel the pressure to become involved and see it as the only way of securing any kind of substantial future.

On the other hand, this may present an opportunity for smaller companies to shine. As their larger competitors struggle with the challenges brought on by the M&A process and are not able to focus on day to day activities, smaller companies can produce higher quality work and scoop up some of the larger company’s lost talent.

The debate will likely continue as to whether the pros outweigh the cons, or vice versa, in the recent spate of M&A activity in reinsurance and insurance. It is yet to be seen that we can truly prove bigger is better. What do you think?

Linking ERM and the Insurance Underwriting Process

Enterprise Risk Management (ERM), in one form or another, has been around for almost two decades. A number of publicly traded companies, especially those in highly regulated industry sectors, have been deploying the ERM process primarily because they were pushed (explicitly or implicitly) to do so by the major credit rating agencies, government mandates such as SEC 33-9089 or Dodd-Frank, their internal/external auditors, or members of the board of directors. No matter where the spark came from, however, the number of companies utilizing the ERM process continues to grow.

CFOs, CROs, and risk managers who have been practicing ERM for years have been incurring the expenses for doing so. As ERM programs mature it might be time to consider, in monetary terms, the value the company and its insurers place on all the work that has been done over the years. CFOs ask questions about return on investment (ROI) all the time – why not about ERM? Linking enterprise risk management and the insurance underwriting process is one approach to produce a tangible result. Because the vast majority of commercial insurance renewals are Jan. 1, CROs and risk managers should consider initiating a discussion with some of their insurers to determine the potential credits for having a functioning ERM program.

Brokers typically represent the vast majority of larger middle-market and Fortune 1000 publicly traded accounts. Brokers start to work with their larger accounts months before renewal dates and assemble a submission package for insurance underwriters. The inclusion of a timely and relevant ERM report to the underwriting submission that demonstrates the changes to the risk profile of the company should make a stronger case for favorable rate considerations for their clients. The general headings that we recommend for discussion within the underwriting submission include:

• Risk organization and governance

• Risk appetite, tolerance and limits

• Risk metrics and measurement

• Risk management process, procedures and controls

• Risk monitoring, reporting and communication

These are the same general areas that insurers themselves are being asked to discuss with their own regulators as part of the new Own Risk and Solvency Assessment (ORSA) soon to be issued by the National Association of Insurance Commissioners. If the broker or insurer does not think that having a functioning ERM program merits a price reduction – especially for directors & officers liability insurance – investigate further and dig deeper. Early in the renewal process is a good time for the risk manager, CRO, or CFO to meet directly with underwriters to discuss their ERM from two different perspectives: the amount of rate reduction, or the steps that could be taken to improve the risk profile enough to warrant a premium reduction.

Executive management of a company that adopted and implemented an ERM program five years ago should be considering the return on the investment that the company has made over the years. It will be up to the CFO and risk manager to demonstrate how the ERM process has been used to either change or improve the company’s risk profile from what it had been. We suggest a close working collaboration between the company and their insurance broker to craft an underwriting submission that details the benefits of the ERM program.

The collaboration would also be enhanced by including a company representative such as the CFO on the team, to represent the company in front of underwriters that may be encountering this negotiating tactic for the first time. Since the majority of corporate insurance renewals take place on Jan. 1, initiating a conversation in the summer with the insurance broker(s) involved would not be a bad idea. One caveat, however: ERM in one company is not ERM in another. Completing a risk identification and assessment does not an ERM program make.

What Employers Can Expect from the SCOTUS Decision on Same-Sex Marriage

On June 26, 2015, the U.S. Supreme Court issued its long-awaited decision in Obergefell, et al. v. Hodges, Director, Ohio Department Of Health; Tanco, et al. v. Haslam, Governor Of Tennessee, et al.; DeBoer, et al. v. Snyder, Governor of Michigan, et al.; and Bourke, et al. v. Beshear, Governor of Kentucky, and ruled five to four that the equal protection guarantee provided by the 14th Amendment to opposite-sex marriages extends to same-sex marriages. The SCOTUS opinion, authored by Justice Kennedy, holds that “same-sex couples may exercise the fundamental right to marry in all States [and] that there is no lawful basis for a State to refuse to recognize a lawful same-sex marriage performed in another State on the ground of its same-sex character.”

With same-sex couples now having the same rights as opposite-sex couples, how will the decision affect employers and what can employers expect as an outcome?

More Lawsuits?

With the new decision, much of what employers provide and are mandated to provide to employees, such as those rights granted by the Family and Medical Leave Act (FMLA) and other employee benefits, may change to include same-sex couples. Although the U.S. Department of Labor modified its definition of “spouse” in the FMLA back in March 2015, employers must verify they are granting all eligible employees in same-sex marriages their FMLA rights. Speaking of the U.S. Department of Labor, we expect that there will be guidance from it soon.

Employers can also expect more lawsuits under Title VII of the Civil Rights Act of 1964. Although Obergefell, Tanco, DeBoer, and Bourke are not employment cases, the Supreme Court’s decision implicates employment laws. Claims of transgender, sexual orientation, and/or gender discrimination may increase as gender identity and expression continue to be a topic of discussion. Likewise, discrimination based on marital status may give rise to lawsuits in certain states under state anti-discrimination laws.

Health and Welfare Plans Update

One of the biggest impacts the U.S. Supreme Court decision will have on employment is on employee benefits. Medical insurance coverage and taxes will change, so employers should be prepared to accommodate such changes in their policies and contracts. We expect the Internal Revenue Service will provide guidance soon.

Employee Handbook and Company Policies Update

Employers are also well-served to update their employee handbooks to reflect and extend the rights given to opposite-sex spouses to same-sex spouses to minimize litigation risks. Employers must also revise their enrollment processes, such as updating their consent and eligibility forms, to ensure that they comply with the new rule.

We will continue to update you on the impact of the decision on employee benefits in greater detail soon.

This article previously appeared on the Seyfarth Shaw website.