Ensuring effective and up to date controls are in place for monitoring and mitigating insider risk and limiting insider fraud

By Sabeena Liconte, Chief Legal Officer & Chief Compliance Officer, Bank of China International

Sabeena, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

My career started in legal and compliance. However, given recent events in the financial services markets, such as the bankruptcy of Lehman Brothers coupled with the fall of other large industry players, such as MF Global, regulators started to place increasing emphasis on risk mitigation and have passed a whole slew of regulations aimed at controlling all areas of risk. Think about the enhanced prudential standards or living will requirements under Dodd-Frank or the risk management regulations recently passed by the SEC and CFTC. As a result, my role within legal and compliance has morphed into more of a hybrid corporate counsel, compliance officer and risk officer role.

What, for you, are the benefits of attending a Congress like the ‘Operational Risk Management USA Congress’?

Given how new many of the risk-related regulations are, this congress will be able to serve as a “look back” at the last several years to see what is working in the industry and what is not. Taking into account this experience, it will provide practical guidance on how to develop a robust risk management program with an emphasis on operational risk since this type of risk is a cross-section of several key risks that impact our industry.

You will be participating in a panel discussion to review ensuring effective and up to date data controls are in place for monitoring and mitigating insider risk and limiting insider fraud. What do you think will be the key talking points amongst panelists and why?

What will likely be a focus of this panel is the ever-changing definition of “insider risk” in today’s environment vis-à-vis the growth in technology and some of the challenges that have emerged recently in mitigating insider risk, as well as practices firms have found helpful, both traditionally and most recently, in monitoring and mitigating insider risk and fraud.

Can you provide an overview of the key challenges associated with monitoring and mitigating insider risk? How can financial institutions combat this?

The key challenges associated with monitoring and mitigating insider risk in my view today are two-fold. From an external perspective, there is concern about cybersecurity and how this leaves a firm’s systems susceptible to the exposure of its key data sources. Think about the recent case involving Equifax, for example.

Even from an internal perspective, there is concern about firm insiders both inadvertently and intentionally exposing data or information. To give you one plausible scenario, we may have an insider that receives an instruction via phone from a person who purports to be a customer with instructions to wire funds out from a client account. That insider may follow those instructions in contravention of firm policy. For example, the insider may fail to get a second level of approval and, therefore, wire the money out to what is later discovered to be a fraudster.

Alternatively, we may have insiders who work with our systems that manage key data on a daily basis and know its loopholes. Due to a range of factors (such as seeing an opportunity to personally gain or feelings of disgruntlement toward the firm and/or its management), valuable firm data may leave the firm’s infrastructure – for example, on a personal USB containing firm files, through an employee making an inordinate amount of photocopies or through an employee forwarding a company email to a personal email.

In terms of how to combat external and internal insider risk, there is no hard and fast formula that will work 100% of the time. However, there are systems firms can put in place to help control for insider risk. Firms need to identify where “informational barriers” need to be erected and limit the dissemination of information internally on a “need to know” basis. Firms should also develop internal policy to support the infrastructure they desire to put in place and leverage their technological infrastructure to ensure that such policies are properly implemented. This should be coupled with promotion of a compliance culture that pervades all aspects of firm life. It may consist of strategies such as: the creation of one or more committees, with representation across all departments that have a vested interest in managing insider risk, to assess on an ongoing basis the systems put in place by the firm to manage such risk; from a technological perspective, USBs which are encrypted when used within the firm’s environment and which cannot be saved to, use of company-provided smartphones where activities on them are recorded and archived, and remote work on company computers in a monitored and recorded environment; robust internal training to educate firm insiders on how to effectively implement firm policy and protocols for the escalation of potential red flags and incidents involving policy breaches; and education where the consequences of violating firm policy are made clear to all firm insiders.

In your opinion, what is the most efficient way to mitigate threat of data leakage?

Through multiple mechanisms operating simultaneously, such as multi-factor authentication; implementation of biometrics; for third parties that manage key aspects of your data, conduct due diligence of such parties and include in the due diligence review the vetting of fourth parties upon which such third parties rely, as appropriate; and periodic training of staff and critical contractors, including with respect to how to use the mechanisms put in place by the firm and the identification of red flags that leave the firm susceptible to data leakage.

How do you see the risk landscape evolving over the next 6-12 months?

In a word, dramatically. The risk landscape is being impacted by technology, and technology is shaping all facets of this space, from how it is regulated to how risk is monitored and the key data sources we retain and safeguard.
