Source: RSM US LLP.
Heightened financial and cyber risk are unfortunate byproducts of any market disruption. As companies scramble to transition accounts from one financial institution to another and assess the impact on their supply chains and critical vendors, the unanticipated increase in transactional activity creates vulnerability to bad actors seeking to profit from the market disruption. Customers and suppliers of the affected businesses are exposed to heightened financial and cyber risk as detailed information relating to payables and receivables is transferred to new institutions.
The recent collapse of Silicon Valley Bank and Signature Bank has had a disproportionate impact on certain industries due to customer concentrations at those institutions: private equity; venture capital; life sciences; technology, media and telecoms; and commercial real estate. But the risk created by this disruption extends beyond these industries into the supply chains of other sectors, notably manufacturing and consumer products.
The impact on the affected businesses will be felt across multiple departments as efforts are undertaken to mitigate risk. Leaders of organizations with mature third-party and cyber risk management programs should leverage their existing infrastructure to support risk assessment efforts; meanwhile, those companies with limited third-party and cyber risk management programs require leaders across multiple departments to lean in to evaluate and effectively manage risk.
We have identified some critical near-term actions that businesses can take in response to the banking market disruption:
Financial and counterparty risk
Assess overall counterparty risk and exposure
The first step in risk mitigation calls for assessing the exposure to your counterparties—both financial and nonfinancial. These steps will help with the assessment:
- Identify critical suppliers and financial partners required for your organization to remain operational during market disruption.
- Establish key indicators or metrics that measure quantitative and qualitative risks with your counterparties. It is important to use complete and accurate data in your qualitative assessments.
- Elevate the visibility of your counterparty risk program, including areas of identified higher risk exposure and resulting assessments of possible mitigation scenarios, to senior leadership and your board of directors.
Reinforce adherence to third-party risk management policies
Performing due diligence on new banking or critical vendor relationships affected by the market disruption is important and should include more scrutiny than a business-as-usual scenario. Consider the following:
- Evaluate financial and operational resiliency across third-party relationships, including counterparty risk, and how each relationship could impact the ability of the business to operate within an economy facing strong headwinds. Consider diversifying risk by establishing additional institutional relationships.
- Assess counterparty risk policies of key partners and vendors, including banks, alternative capital sources, other financial services partners, technology partners, customers and suppliers. Review and enforce protocols for the ongoing monitoring of these relationships.
Ensure alignment on banking, payment and contracting protocols across departments
Reinforce procedural protocols across departments to ensure consistency and encourage teams to critically evaluate all new requests, including key changes to existing stakeholder information.
- Focus areas should include change management involving file maintenance for bank accounts, customers or vendors, as well as the review and authorization of fund transfers and all forms of payment.
- Leverage existing information, such as customer and vendor lists, to independently validate requests for changes to banking information with customers and vendors. Your team is under pressure to react swiftly to significant changes to ensure business continuity; speed must be balanced with caution.
Consider more controls around transactions
You may want to add layers of authorization for payments and fund transfers. These include the following:
- Consider updating disbursement instructions while also ensuring multiple points of authentication when changing institutions or adding customers and vendors.
- Delay payments to allow for account validation.
- Institute periodic reporting to monitor changes in instructions around accounts payables and receivables.
Cyber risk
Communicate the elevated cyber risk throughout your organization
Creating internal awareness of the threat landscape is integral to protecting your assets, as well as your proprietary information and technologies. Recommended activities include:
- Communicate the heightened threat through company-wide email and address it during an all-hands meeting hosted by your IT or information security team. Focus on specific threats, including social engineering, phishing and business email compromise schemes related to multifactor authentication of payment and vendor verification.
- Provide mandatory security awareness training.
- Implement or reinforce procedures that require employees to verify transaction-related email requests by a separate phone call or an in-person meeting.
Consider additional monitoring and controls
Your IT teams should consider stepping up surveillance around failed logins, including failed multifactor authentication attempts. Consider these additional steps:
- Departments should collaborate to monitor requests for updates to payment instructions or changes in banking information by customers and suppliers, respectively.
- Consider having touch points with critical vendors outside the normal monitoring cadence prescribed by third-party risk management policies. Doing so will address concerns related to underlying business functions affected by the third-party service provider.
During periods of market disruption, understanding the risk to your business operations from counterparty relationships becomes increasingly important. Businesses often take a departmental approach that can overlook broader enterprise risk.
We take a holistic view when assessing risk and develop a customized approach tailored to your unique third-party strategy and business goals. Our comprehensive enterprise risk methodology helps you address major risk sources.
This article was written by Brandon Koeser, Oliver Snavely and originally appeared on Mar 16, 2023.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/financial-cyber-risk-mitigation-critical-banking-disruption.html