Weekly Operational Risk News Update
The RiskSpotlight Portal is the world's first forward-looking operational risk content service, providing financial service organisations with comprehensive insights into emerging risks, best practices, regulatory updates, and external loss events. By leveraging daily updates from global risk news sources, it enables proactive risk management and informed decision-making across various organisational roles.
Here are some highlights of the emerging operational risks and loss events from the last week, taken from the Portal. This is just a glimpse of the detailed analysis and insight available in the Portal. To find out more, go to RiskSpotlight-Portal – RiskSpotlight
Emerging Operational Risk Topics
Update on EU's Digital Operational Resilience Act (DORA)
Since 17 January 2025, the Digital Operational Resilience Act (DORA) has applied to almost all EU financial entities, including banks, insurers and reinsurers, brokers, payment and electronic money institutions, investment firms, and crypto-asset service providers. DORA establishes unified ICT risk management requirements, focusing on areas such as cybersecurity governance, third-party vendor assessments, incident reporting, and resilience testing, including threat-led penetration tests. It also extends to critical ICT service providers identified by the European Supervisory Authorities. Germany has aligned its Financial Market Digitization Act and BaFin’s updated guidance with DORA, while the UK has pursued operational resilience through initiatives like PS21/3 and PS24/16. Organisations with global operations are already aligning processes to meet these evolving standards, anticipating broader impacts on procurement and supply chain practices.
EU's Network and Information Systems Directive (NIS2) Expansion
The EU’s updated Network and Information Systems Directive, NIS2, introduces expanded cybersecurity requirements for sectors like energy, banking, healthcare, and manufacturing. It emphasises stricter risk management, incident reporting, and supply chain security, with significant penalties for non-compliance, akin to GDPR. The directive also impacts non-EU companies, particularly in APAC, that provide services or components to EU markets. Proactive compliance with NIS2 is becoming essential to avoid penalties, ensure business continuity, and strengthen partnerships with EU-based entities.
Non-Human Identity and Secrets Management in Cloud Security
Effective Non-Human Identity (NHI) and Secrets Management have become critical for cloud-native security. NHIs, combining machine identities with encrypted credentials, are vital for protecting sensitive data. Context-aware, industry-specific strategies are necessary for managing NHIs to ensure compliance, reduce risks, and improve visibility. Organisations in sectors like healthcare and financial services are urged to adopt proactive, ongoing management practices, including continuous monitoring and tailored approaches, to address vulnerabilities and enhance security in an increasingly digital business environment.
Rising Ransomware Threats
The increasing prevalence of ransomware continues to pose significant challenges, with groups like RansomHub employing multi-layered extortion tactics, including data encryption, public exposure threats, and Distributed Denial-of-Service (DDoS) attacks. AI-powered groups such as FunkSec are leveraging artificial intelligence to create personalised phishing lures and automate reconnaissance, necessitating a shift in defensive strategies. Financial institutions, due to the sensitivity of their data, remain high-value targets. Organisations are advised to adopt zero-trust architectures, develop comprehensive backup strategies, and implement robust incident response plans to mitigate these risks.
Evolving Cyber Fraud Tactics
Cyber fraud is escalating in sophistication, with tactics like digital e-skimming and scam e-commerce websites becoming increasingly prevalent. The CosmicSting exploit has enabled widespread Magecart attacks, particularly on Adobe Commerce and Magento platforms. Scam domains tied to networks in the UK and Hong Kong exacerbate the issue, especially during major shopping events. Threat actors are leveraging AI to bypass anti-fraud measures and create synthetic identities. Organisations are urged to strengthen anti-fraud strategies to combat these evolving threats.
Surge in "Card Delivery Scams" in South Korea
Fraud tactics are also evolving outside the digital realm. In South Korea, “card delivery scams” are on the rise, tricking victims into installing remote access apps that allow scammers to steal sensitive data. Authorities warn against unsolicited credit card deliveries, urging vigilance.
Rise in Fraud Scams – Green Mirage
In the US, the FCC has exposed a mortgage scam operation, “Green Mirage,” where fraudsters impersonate lenders and demand payments through unconventional methods. This has led to significant financial losses, highlighting the need for verifying all communications through trusted channels.
Data Security Concerns with Generative AI
Data security risks related to generative AI are gaining attention. A study by Harmonic Security reveals that 8.5% of AI prompts submitted by enterprise employees contained sensitive information, including customer and employee data. The use of free-tier AI models, often lacking robust security measures, heightens these risks. Organisations are encouraged to adopt secure workflows, utilise enterprise-approved tools, and educate employees on best practices for data privacy.
Key Operational Risk Loss Events Update
Legal Setback for Raiffeisen Bank International in Russia
A Russian court has ordered Raiffeisen Bank International to pay $2.1 billion in damages, marking a significant legal blow to the largest Western bank operating in Russia. The ruling arises from a collapsed deal involving a Russian-owned stake in an Austrian builder and underscores Moscow's intent to retaliate against Western businesses. This decision serves as a warning to other Western firms still active in the country, with experts linking it to a broader strategy of asset seizures and punitive exit terms. Raiffeisen, which has approximately €6 billion tied up in Russia, now faces substantial financial and operational challenges, highlighting the risks of continuing business ties in a volatile geopolitical environment.
Capital One Responds to Service Outage with Refund Initiative
Capital One has announced plans to refund fees incurred by customers following a significant service outage in mid-January 2025. The disruption, caused by a power loss and hardware failure at third-party vendor FIS, impacted Capital One and 26 other banks, delaying deposits, payments, and transfers. Many customers were unable to access their accounts or receive direct deposits, leading to frustration and financial stress. In response, Capital One pledged to reimburse "all reasonable fees incurred as a result of this incident," emphasising its commitment to customer recovery. This incident underscores the critical need for robust systems and contingency plans in the banking sector to minimise the impact of technical failures.
Citigroup Faces Lawsuit Over Fraud Prevention Failures
A federal judge has denied Citigroup’s request to dismiss a lawsuit filed by the New York Attorney General, alleging the bank failed to protect customers from online scams and denied reimbursement to fraud victims. Filed in January 2024, the case accuses Citibank of violating the Electronic Fund Transfer Act due to inadequate fraud prevention systems. One victim reportedly lost $40,000 in a phishing scam. The judge’s decision allows the case to proceed, potentially setting a critical precedent for how banks address fraud cases and victim compensation, with significant implications for consumer protection in the financial industry.
Weekly Round Up of RiskSpotlight’s Posts
Day 26 of "31 Days of Emerging OpRisks": AI Power Surge
Day 25 of "31 Days of Emerging OpRisks": Gender Pay Gap
Day 24 of "31 Days of Emerging OpRisks": Climate Manipulation
Day 23 of "31 Days of Emerging OpRisks": ESG in Supply Chain
Day 22 of "31 Days of Emerging OpRisks": AI Accountability Challenges
Day 21 of "31 Days of Emerging OpRisks": Expanding Whistleblower Protection
Day 20 of "31 Days of Emerging OpRisks": Increasing Investment Scams
Master AI Governance & Risk: Insights from Michael Rasmussen
Risk & Compliance Professionals: Learn & utilise AI to protect your careers against the fast-emerging AI Displacement risk
“Tell me Manoj, how do you build a risk aware culture and proactive monitoring of emerging OpRisk threats without big consulting spend, or additional staff costs?”
Financial Services OpRisk Leaders typically experience…
Webinar - AI Governance & Risk Management
Artificial Intelligence (AI) is transforming the financial services industry, driving innovation, operational efficiency, and customer engagement. However, the adoption of AI introduces significant governance and risk management challenges that must be addressed to ensure compliance, mitigate risks, and foster trust. As financial institutions increasingly rely on AI to make critical decisions, robust AI governance and risk management practices become essential.
Overview: Join RiskSpotlight for this insightful webinar, where internationally recognized GRC expert Michael Rasmussen will share actionable guidance on setting up AI governance frameworks and managing the associated risks. Leveraging globally recognized AI governance principles and the latest regulatory guidance from financial services regulators, this session will explore:
Webinar Details
Date: 11th February 2025
Time: 2PM to 3PM (UK Time)
Online (Microsoft Teams)
Cost: Free (Registration Required)
Why Attend:
Gain insights into global regulatory expectations for AI in financial services.
Learn how to integrate AI governance into your organization’s broader GRC strategy.
Understand the tools and technologies available to support AI governance and risk management.
Hear real-world examples and best practices from leading experts in the field.
Don’t miss this opportunity to explore the intersection of AI, governance, and risk management and position your organization for success in the AI-powered future of financial services.
Training Courses
Most risk teams fail to realise Microsoft Copilot’s full potential. Here’s the missing piece to unlock productivity and outcomes.
Rolling out Microsoft Copilot and offering 30-60 minutes of generic training might feel like a step in the right direction. But let’s face it—that’s not enough to unlock enhanced productivity and improved risk outcomes.
The key to leveraging Microsoft Copilot effectively in risk management lies in mastering prompt engineering for risk and compliance use cases. Without this critical skill, your team might struggle to extract value from the tool, leaving productivity gains and operational improvements unrealised.
To bridge this gap, we’re offering the world’s first Microsoft Copilot course designed for risk and compliance professionals, where prompt engineering is a core focus.
Course Details:
Dates: 25th & 26th February 2025
Time: 2 PM to 5 PM (UK Time)
Format: Live, online training via Microsoft Teams
Fee: £450. Seats are limited to 25 participants to ensure an interactive learning experience.
Learn more and register here: https://lnkd.in/ewaiYjK4.
Equip your team with the right skills and ensure they’re prepared for the AI-driven transformation of risk management!
Connect with us
We hope you find this newsletter informative. If so, please subscribe to receive it weekly. Also follow RiskSpotlight’s LinkedIn page for further valuable operational risk content: https://www.dhirubhai.net/company/riskspotlight-limited/
For further information regarding RiskSpotlight’s services visit our website RiskSpotlight
RiskSpotlight Portal
Are you and your team finding it challenging to stay on top of emerging risks?
If so, why not take a no-obligation trial of RiskSpotlight’s Portal—the first operational risk intelligence service designed to help you proactively navigate future risks. This newsletter is produced from our news portal and represents a fraction of the content available.
Key benefits include:
Forward-Looking Risk Intelligence: A future-oriented approach that identifies emerging operational and technology threats before they materialise, unlike other platforms focused just on past risks and loss events.
Continuous Horizon Scanning: Real-time insights on industry best practices, regulatory updates, and major external events impacting risk landscapes.
Monthly Deep Dives: In-depth, subscriber-driven analyses on critical, evolving topics to keep you updated on high-impact risks.
OpRisk Radar Dashboard: A real-time, visual tool for identifying and prioritising emerging risks. Content is updated daily.
Comprehensive Risk Libraries: Organised resources covering 126 core risks, detailed scenarios, and over 60,000 curated articles for broad risk research.
Value-Focused, Competitive Pricing: More content and value per pound than competitors, making it an affordable choice for robust risk management resources for businesses of all sizes.
To request a demo please contact [email protected] or contact RiskSpotlight via LinkedIn
Disclaimer:
The content provided in this newsletter is intended for informational purposes only and reflects the best efforts of RiskSpotlight to deliver accurate and relevant information. However, as this content may include insights generated or assisted by AI, we cannot guarantee the absence of errors or omissions.