Accelerated technology adoption in the financial services sector is creating new systemic risks to the global financial system, according to a new report. Beneath the Surface: Technology-driven systemic risks and the continued need for innovation is the first publication in the World Economic Forum’s two-part Technology, Innovation and Systemic Risk research initiative.
Prepared in collaboration with Deloitte, the report explores the relationship between increased technology adoption and the potential shock of cascading risk factors – for example, the domino effect that can result when hackers, disasters or geopolitics expose interconnected financial systems to a growing array of known and unknown vulnerabilities. The research additionally examines actions that can address identified risks, including the role that technology itself can play in mitigation approaches.
“This comprehensive study aims to establish a sector-wide understanding of technology-driven risks, and deliver insights for all stakeholders,” said Drew Propson, Head of Technology and Innovation in Financial Services, World Economic Forum. “Not only is it essential that we have full awareness of what these risks are and how they are building upon one another, but equally important is true collective action around solutions. The need for continuing innovation, and for multiple financial sector entities to increase collaborative efforts, couldn’t be more critical as we work toward risk mitigation.”
Over the past year, approximately 200 financial services and technology experts engaged in a series of global workshops and interviews, insights from which formed the basis of the report findings. Research outcomes reinforce the need for leaders within the financial services ecosystem to have a solid understanding of today’s risk environment, and for them to embrace experimentation with new mitigation applications that hold the potential to enhance current efforts.
Problems highlighted in the report include lagging cyber defence mechanisms, increasing business disruptions, talent scarcity, climate change imperatives and rising geopolitical tensions. The data emphasizes that virtually any entity within the interconnected financial services ecosystem, large or small, can cause or be caught by the impact of network disruptions.
Digital interconnectedness. As the number of interlinkages between service providers grows, private and public sector leaders should remain conscious of their external relationships. Broader vendor networks with third, fourth and fifth parties can be monitored through new forms of technology while reducing over-reliance on a single vendor’s shared capabilities. However, while new monitoring capabilities can be enabled by as-a-service providers, leaders must be aware of the trade-off of adding to ecosystem dependencies that create another source of operational risk.
Regulatory alignment. Certain entities within the financial services ecosystem are not currently under the purview of financial services supervision and regulation. Tackling systemic risks outside financial networks remains in the formative stage and concerns of non-bank systemic importance grow as operational failures or cascading cyber attacks on vendors become harder to trace across the ecosystem. This is especially the case as the traditional determinant of an entity’s systemic importance is primarily based on its size of book, or total assets, which is becoming less relevant than its size of network, or total digital interconnections. Public sector players need to examine the range of emerging activities to ensure a consistent taxonomy and adequate regulatory coverage that appropriately defines the scope of oversight across these activities.
New incentives for multilateralism. While many emerging use cases of systemic risk mitigation are being developed in collaboration, there is no industry-wide vision of the future across most jurisdictions. And while the potential for technology to enhance risk mitigation is undeniable, addressing systemic risk must start with the basics. Without a common understanding in the form of frameworks, principles and standards, fragmented efforts and siloed information make global prevention of systemic risk difficult.
Closing the gaps
The report cites examples and important lessons to be learned from recent events such as the SolarWinds breach, where a digital supply chain attack compromised almost 20,000 interconnected companies including major financial institutions and IT vendors. The proliferation of such contagious, backdoor breaches is forcing a reassessment of systemic risk management strategies and the implementation of unified standards. Ideally, future gaps can be identified before destructive events occur. The ability to take collaborative action to close such gaps is equally essential.
“Among the numerous actions that our industry must take, there are two areas of immediate concern to us,” said Rob Galaski, Vice-Chair and Deputy Global Leader, Financial Services, Deloitte. “First, we must move toward safe sharing of risk-based data across institutions and jurisdictions. A global network will always be able to detect and neutralize threats more effectively than individual actors. Our second concern speaks to the modernization of regulatory frameworks. For example, ‘systemically important institutions’ are currently defined by traditional measures of balance sheet size and a dated notion of what constitutes a ‘financial institution.’ As our report points out, new measures such as size of network should also be considered when determining systemic significance.”
The report concludes with encouragement for a collaborative new risk agenda. It highlights core questions that public and private sector leaders can consider as they assess their organizations’ capabilities and resilience against systemic risks of the present and future.