Weekly Operational Risk News Update

The RiskSpotlight Portal is the world's first forward-looking operational risk content service, providing financial services organisations with comprehensive insights into emerging risks, best practices, regulatory updates, and external loss events. By drawing on daily updates from global risk news sources, it enables proactive risk management and informed decision-making across organisational roles.

Here are some highlights of the emerging operational risks and loss events from the last week, taken from the Portal. This is just a glimpse of the detailed analysis and insight available in the Portal. To find out more, go to the RiskSpotlight Portal page on the RiskSpotlight website.

Emerging Operational Risk Topics

Third- and Fourth-Party Data Breaches in European Financial Institutions

A recent report by SecurityScorecard found that all of Europe's largest financial institutions experienced third- and fourth-party data breaches over the past year. With the EU's Digital Operational Resilience Act (DORA) set to apply from January 2025, organisations are urged to strengthen supply chain risk management. Scandinavian firms were identified as the most secure, while French firms had the highest incidence of vendor-related breaches. These findings underscore the growing complexity of supply chain exposure and the need for robust third-party risk management frameworks. Compliance with DORA, alongside collaboration among internal and external stakeholders, is essential for proactively identifying and mitigating these risks.

Surge in Phishing Attacks and the Need for Enhanced Defences

The sharp rise in phishing attacks remains a pressing concern, as highlighted in SlashNext's 2024 Phishing Intelligence Report. The report noted a 703% increase in credential phishing attacks during the second half of the year, with mobile threats and multichannel campaigns gaining prominence. Attackers have also been abusing collaboration and file-sharing tools such as Microsoft Teams and Dropbox to deliver lures, which calls for real-time threat detection and prevention tools that cover those channels, not just email. Training employees to identify phishing attempts, promoting secure communication practices, and adopting phishing-resistant authentication mechanisms such as biometric or device-based authentication are crucial measures to counter these evolving threats.

SEC’s Enforcement Actions on Cybersecurity and AI Misrepresentations

The United States Securities and Exchange Commission (SEC) had an active fiscal year 2024, particularly in cybersecurity disclosures and AI-related misrepresentations. Enforcement actions included cases against firms overstating their AI capabilities, such as claims of delivering above-market returns or being the first regulated AI financial adviser. These actions emphasise the importance of transparency and accuracy in public statements to avoid regulatory scrutiny and reputational damage. The SEC also pursued cybersecurity-related enforcement vigorously, exemplified by the SolarWinds case. Organisations are urged to maintain comprehensive cyber risk management programs and ensure transparent disclosures to address increasing regulatory demands.

AI’s Impact on Financial Services and Operational Risks

The Financial Stability Institute of the Bank for International Settlements has released insights on AI’s impact on financial services, highlighting existing and emerging risks such as data privacy concerns and hallucinations in generative AI. The report stresses the need for global regulatory harmonisation and draws attention to governance, third-party AI providers, and new business models. Financial institutions are encouraged to strengthen AI governance structures, incorporate risk assessments into development cycles, and develop a thorough understanding of the AI supply chain to enhance operational resilience.

India’s Escalating Cybersecurity Challenges

India’s cybersecurity landscape faced unprecedented challenges in Q3 2024, with nearly 1.2 billion attacks reported. Indusface identified the banking and utilities sectors as primary targets, attributing the rise to geopolitical tensions and increased use of AI tools by attackers. Regulatory bodies like the Reserve Bank of India are urging organisations to prioritise rapid incident response and systemic vulnerability mitigation. Investing in threat intelligence capabilities and fostering partnerships with cybersecurity experts are vital strategies for navigating the evolving threat landscape.

Rise in API Attacks and Security Imperatives

The rise in API attacks has become a critical issue, as revealed by Wallarm's research, which found that newly deployed APIs are often targeted by attackers within 29 seconds of going live. Exploits frequently use common ports and protocols, so they blend in with legitimate traffic and robust API-specific security is essential. Organisations must build security in during the development stage and continuously monitor API environments so that probing and vulnerabilities are detected and addressed promptly. Advanced endpoint protection and network segmentation are recommended to limit lateral movement should an API be compromised.
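The 29-second figure is a useful yardstick for the kind of monitoring the paragraph calls for: if a route starts receiving rejected requests seconds after deployment, something is enumerating it. The script below is an added example written for this newsletter, not code from Wallarm or from RiskSpotlight. It parses access-log lines in Apache combined format, maps each request to a deployed route, and flags sources that sent repeated 4xx-rejected requests inside a short window after that route went live. The routes, deployment times, IP addresses, log lines and the 60-second window are all constructed assumptions.

```python
"""Flag early reconnaissance against newly deployed API routes.

Added example: the routes, deployment times, IPs, log lines and the
60-second window below are constructed assumptions, not real data.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed: when each new route went live (assumption).
DEPLOYED_AT = {
    "/api/v2/payments": datetime(2024, 12, 20, 10, 0, 0, tzinfo=timezone.utc),
    "/api/v2/accounts": datetime(2024, 12, 20, 10, 5, 0, tzinfo=timezone.utc),
}

# Constructed sample access log in Apache combined format (assumption).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2024:10:00:12 +0000] "GET /api/v2/payments HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.7 - - [20/Dec/2024:10:00:13 +0000] "GET /api/v2/payments/.env HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.7 - - [20/Dec/2024:10:00:14 +0000] "POST /api/v2/payments HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [20/Dec/2024:10:30:00 +0000] "GET /api/v2/payments HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Dec/2024:10:05:20 +0000] "GET /api/v2/accounts HTTP/1.1" 401 0 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def match_route(path):
    """Return the longest deployed route that is a prefix of the requested path."""
    best = None
    for route in DEPLOYED_AT:
        if path == route or path.startswith(route + "/"):
            if best is None or len(route) > len(best):
                best = route
    return best


def early_probes(log_text, window_seconds=60):
    """Map (ip, route) -> list of seconds-after-deploy for rejected (4xx)
    requests that hit the route within window_seconds of its deployment."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        route = match_route(rec["path"])
        if route is None:
            continue
        delta = (rec["ts"] - DEPLOYED_AT[route]).total_seconds()
        if 0 <= delta <= window_seconds and 400 <= rec["status"] < 500:
            hits[(rec["ip"], route)].append(delta)
    return dict(hits)


def alerts(log_text, window_seconds=60, min_requests=2):
    """Sources that sent at least min_requests rejected requests inside the window,
    as (ip, route, request_count, seconds_to_first_hit) tuples."""
    return sorted(
        (ip, route, len(deltas), min(deltas))
        for (ip, route), deltas in early_probes(log_text, window_seconds).items()
        if len(deltas) >= min_requests
    )


if __name__ == "__main__":
    for ip, route, count, first in alerts(SAMPLE_LOG):
        print(f"ALERT {ip} probed {route} {count}x, first hit {first:.0f}s after deploy")
```

On the constructed sample, the scripted client at 203.0.113.7 is flagged for /api/v2/payments (three rejected requests starting 12 seconds after deployment, including a probe for a stray .env file), while the single rejected request against /api/v2/accounts stays below the alert threshold and the legitimate 200 response half an hour later is ignored. In practice the deployment times would come from the CI/CD pipeline or API gateway rather than a hard-coded table, and the alert would feed the same queue as any other reconnaissance signal.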

Confidentiality Risks from AI-Powered Note-Taking Tools

The use of AI-powered note-taking tools has raised concerns over confidentiality and privilege. While these tools enhance efficiency, they pose risks such as data breaches and inadvertent loss of privileged communications. Boards are advised to implement stringent policies and conduct comprehensive vendor assessments to protect sensitive discussions. Establishing protocols for reviewing AI-generated notes and limiting their distribution can further mitigate risks associated with these tools.

DOJ’s New Whistle-blower Reward Program

The Department of Justice’s corporate enforcement efforts have been strengthened by a new whistle-blower reward program. This initiative has led to a rise in voluntary self-disclosures and new opportunities for addressing corporate misconduct. Companies are encouraged to reinforce their compliance frameworks and effectively communicate whistle-blower policies to employees. Providing anonymous reporting channels and conducting enhanced employee training on ethical practices can further bolster organisational integrity.

Data Breach Class Actions and Organisational Preparedness

Data breach class actions have emerged as the fastest-growing litigation segment, with high-profile outcomes such as Marriott's $52 million penalty in 2024 driving the trend. A Capitology study found that data breaches often result in significant stock price declines, with financial institutions suffering the steepest losses. Organisations are urged to adopt robust cybersecurity frameworks and proactive breach management strategies. Engaging external cybersecurity consultants and implementing comprehensive, rehearsed breach response plans can significantly enhance preparedness and resilience against data breaches.


Key Operational Risk Loss Events Update

Misleading Environmental Claims in Lloyds Bank Advertisement

The UK Advertising Standards Authority (ASA) recently banned a Lloyds Bank advertisement for making misleading claims regarding its environmental impact. The ad, which highlighted the bank's efforts to support a low-carbon economy, failed to disclose its ongoing financing of fossil fuel projects, contributing to approximately 32.8 million tonnes of CO2 equivalent emissions in 2022. This ruling was prompted by a complaint from the activist group Adfree Cities, which argued that consumers were misled by the omission of critical information that would have provided necessary context to Lloyds' sustainability claims.

Theft of 1 Billion Yen from Japan's MUFG Bank

A major theft incident has emerged at Japan's MUFG Bank, where a former employee allegedly stole over 1 billion yen ($6.5 million) from customers' safe deposit boxes. This incident has shaken trust in one of Japan's largest financial institutions. In response, MUFG Bank's CEO issued a public apology and pledged to strengthen compliance measures and enhance security protocols to prevent similar breaches in the future.

ASIC Lawsuit Against HSBC Australia Over Fraud Failures

Australia's corporate regulator, the Australian Securities and Investments Commission (ASIC), has taken legal action against HSBC's Australian arm for allegedly failing to protect customers from a sophisticated scam. ASIC filed a lawsuit in the Federal Court, claiming that HSBC Australia's inadequate fraud prevention measures led to 950 customers losing approximately $23 million between January 2020 and August 2024. Some customers reportedly lost over $90,000 each, while facing significant delays in fraud investigations and restoration of account access. ASIC alleges HSBC was aware of these risks but failed to address gaps in their fraud controls effectively.

Data Breach at SRP Federal Credit Union

A significant data breach has affected SRP Federal Credit Union, a prominent financial institution in South Carolina. Between September 5 and November 4, 2024, attackers had access to SRP's computer systems, potentially accessing and exfiltrating sensitive information of over 240,000 members. A two-month dwell time before the intrusion was detected raises serious questions about the credit union's monitoring and detection controls and highlights the increasing risk of data breaches in the financial sector.


Weekly Round Up of RiskSpotlight’s Posts

Is Operational Risk Intelligence Priority For Your Team In 2025?

https://www.dhirubhai.net/posts/manojkulwal_riskspotlight-operationalrisk-grc-activity-7275472617401171968-12hR?utm_source=share&utm_medium=member_desktop

Demonstration of Writing Policies Using Microsoft Copilot

https://www.dhirubhai.net/posts/riskspotlight-limited_riskspotlight-operationalrisk-operationalriskmanagement-activity-7252951652486234112--XPL?utm_source=share&utm_medium=member_desktop

Did you know that currently there is no globally accepted definition of "AI" for financial regulatory purposes?

https://www.dhirubhai.net/feed/update/urn:li:activity:7275889885272555520

Wishing all our LinkedIn followers a Merry Christmas and a New Year filled with insightful, risk-informed decisions that drive success and resilience

https://www.dhirubhai.net/feed/update/urn:li:activity:7277280108611047424

Thought Provoking

AI Irony: "Too busy to save time!"

https://www.dhirubhai.net/feed/update/urn:li:activity:7274749535476670465


Just for Fun!

What if Santa Claus was the Head of Operational Risk Management?

https://www.dhirubhai.net/posts/riskspotlight-limited_riskspotlight-operationalriskmanagement-grc-activity-7275091191107354624-mX4f?utm_source=share&utm_medium=member_desktop

A song covering emotions of an operational resilience team as the DORA deadline approaches.

https://www.dhirubhai.net/feed/update/urn:li:activity:7273690972599824384

Webinar - Master Emerging Operational Risks in 2025

Are you prepared for the operational risks that 2025 will bring? Join us for an exclusive free webinar designed for operational risk professionals in the financial services industry, where Michael Rasmussen (the “Father of GRC”) and Manoj Kulwal (Chief Risk & AI Officer at RiskSpotlight) will share actionable strategies to help you navigate the evolving operational risk landscape.

Webinar Details

Date: 14th January 2025

Time: 2:00 PM - 3:40 PM (UK Time)

Format: Online (Microsoft Teams)

Cost: Free (Registration required)

Register Here - https://lnkd.in/ecyYyvXv

Can’t attend live? No problem—register now, and we’ll send you the recording!

Why Attend?

Discover Frameworks for Success: Learn how to design and implement proactive risk monitoring frameworks tailored to financial services.

Stay Informed: Gain insights into the key risks for 2025, including AI ethics, cyber resilience, ESG challenges, misconduct, and more.

Learn from Industry Experts:

  • Michael Rasmussen, a pioneer in GRC, with 30+ years of expertise.
  • Manoj Kulwal, a global leader in emerging operational risks and training.


Training Courses

Introducing the World's First Microsoft Copilot Course for Second-Line Operational Risk Management Stakeholders

Course Duration: 3 hours

Course Format: Online or Classroom

Course Fee: £3,800 (up to 20 attendees)

Learn More: https://lnkd.in/gaazfN5W

Email [email protected] to inquire about this course or schedule it for your 2nd line stakeholders.

RiskSpotlight Portal

Are you and your team finding it challenging to stay on top of emerging risks?

If so, why not take a no-obligation trial of RiskSpotlight's Portal, the first operational risk intelligence service designed to help you proactively navigate future risks. This newsletter is produced from our news portal and represents a fraction of the content available.

Key benefits include:

Forward-Looking Risk Intelligence: A future-oriented approach that identifies emerging operational and technology threats before they materialise, unlike other platforms focused just on past risks and loss events.

Continuous Horizon Scanning: Real-time insights on industry best practices, regulatory updates, and major external events impacting risk landscapes.

Monthly Deep Dives: In-depth, subscriber-driven analyses on critical, evolving topics to keep you updated on high-impact risks.

OpRisk Radar Dashboard: A real-time, visual tool for identifying and prioritising emerging risks. Content is updated daily.

Comprehensive Risk Libraries: Organised resources covering 126 core risks, detailed scenarios, and over 60,000 curated articles for broad risk research.

Value-Focused, Competitive Pricing: More content and value per pound than competitors, making it an affordable choice for robust risk management resources for all sized businesses.

To request a demo please contact [email protected] or contact RiskSpotlight via LinkedIn


Disclaimer: The content provided in this newsletter is intended for informational purposes only and reflects the best efforts of RiskSpotlight to deliver accurate and relevant information. However, as this content may include insights generated or assisted by AI, we cannot guarantee the absence of errors or omissions.
