draft

Corporate Governance & Cyber Security comply, modernize, harmonize, protect and fortify. Protecting the Financial Industry in the MENA Region GSG & FusionX

Upload: global-strategy

Post on 23-Jul-2016

Page 1: Draft

Corporate Governance & Cyber Security

comply, modernize, harmonize, protect and fortify.

Protecting the Financial Industry

in the MENA Region

GSG & FusionX

Page 2: Draft

Corporate Governance

• Strategic positioning

• Structure of the Board of Directors

• Reduction of agency costs

• Organizational structure efficiency

• Definition of lines of responsibility and authorities

• Oversight by management

• Board’s role in Risk Management

• Integrated and comprehensive risk management

• Effectiveness of internal and external controls

• Ethical values and transparency

Page 3: Draft

IT IS A CHALLENGING TIME FOR BANKS IN THE MENA REGION

Corporate Governance & Risk Management Will Be the Deciding Factors in Performance & Longevity

Never before has the role of key Arab financial institutions been so significant in the development of the regional economy. As developed economies are restructuring to protect themselves from future financial turmoil, Arab banks have the ability to provide much-needed funds and support to national economic growth. They can further position themselves as formidable and valued sources of stability. Without a solid foundation in corporate governance and risk management, this potential cannot be reached.

GOOD CORPORATE GOVERNANCE IN BANKING CHAMPIONS THE DECISION MAKERS

The banks that decide to enforce a proper corporate governance structure will add value for their stakeholders, which inevitably includes:

• Improved reputation through demonstrated transparency and social accountability

• Improved top-level decision-making processes

• Improved long-term and sustainable performance

• Reduced risks linked to bad strategic decisions

• Increased foreign direct investments

Page 4: Draft

• Indicates improved regulatory compliance

• Helps anticipate and seamlessly integrate regulatory changes

• Mitigates the impact of future crises

Corporate Governance Signals an Adherence to Regulatory Requirements, and More Importantly, Self-Regulation

Stakeholders including fund managers, institutional investors and shareholders want to be assured that their bank genuinely cares about its own governance and long-term sustainability.

Page 5: Draft

ENCOURAGES INNOVATION

One of the main benefits of effective corporate governance is the mitigation of agency frictions. It preserves and protects property rights, which in turn encourages innovation and long-term investment in human and physical capital, as well as the creation of intellectual property.

IMPROVES PERFORMANCE AND INVESTOR PORTFOLIO COMPOSITION

A healthy board is one that is independent and accountable, and it thus has a direct influence on company performance.

• Correlates positively with higher revenue growth and lower capital expenditures

• Along with environmental and social factors, corporate governance is increasingly significant for institutional investors’ and fund managers’ investment analysis

• Leads to positive credit ratings

IMPROVES CONTROLS AND REDUCES RISK

Limits abuse by corporate insiders and enhances leadership.

• Signals a better control environment and risk culture

• Reduces firms’ cost of capital

• Dictates a monitoring of up-and-coming types of risks, such as cyber crime

Good and proper corporate governance means major and tangible achievements

Page 6: Draft

DISCLOSURE AND TRANSPARENCY

Generally, banks continue to crowd their financial statements with irrelevant information and unnecessarily clutter their annual reports. Little emphasis is placed on the quality or relevancy of non-financial information. Reading through some of the top banks’ annual reports proves cumbersome and confusing to the average shareholder.

CONCENTRATION OF OWNERSHIP

Although family-controlled or state-owned banks helped mitigate liquidity risks during the financial crisis of 2007, the current nature of such institutions leaves them open to future risks related to the preservation of shareholder rights and succession of power to appropriate persons.

CORPORATE GOVERNANCE REPORTING

The corporate governance frameworks of major Arab banks reveal significant discrepancies in the extent of corporate governance implementation across institutions. Some banks do not include any corporate governance related material in their annual reports, while others include detailed accounts. Alarmingly, some of the top 15 have not posted their annual reports on their websites since 2007. Disclosure of non-financial information and related party transactions is often ignored. It is vital for Arab banks to start the transition to international standards and practices in corporate governance for accounting, audit and non-financial disclosures.

Proper Corporate Governance in Arab banks will mitigate problems related to agency costs

Page 7: Draft

SHAREHOLDERS’ RIGHTS

Most banks provide assurance that all of their shareholders are treated equally and that supervisory and executive decisions are made for the benefit of shareholders as a whole. Nevertheless, few banks keep regular dialogue with their shareholders other than the annual shareholders’ meetings and reporting. Voting methodologies and disclosure of the voting results are of great concern in the MENA region, and cumulative voting is far from ubiquitous. Protection of minority shareholders must be further strengthened.

QUALITY OF THE BOARD OF DIRECTORS

With regard to board members, concerns include a lack of training, a lack of diversified and relevant backgrounds, and a lack of experience and qualifications. There is little attention paid to regular targeted training and development to ensure the members’ capability to oversee their institutions. Also, there remains a teething process surrounding committee structures and their roles, responsibilities, compositions and functions. The limitation in the directors’ abilities to obtain accurate, relevant and timely information from the bank is a severe impediment to the power of the board to oversee the organization.

Page 8: Draft

Cyber Security

Targets Interconnected Banking and other Financial Institutions

As financial institutions become more interconnected, their vulnerabilities to cyber risk increase

It is management’s duty to protect the bank and its clients from known sources of probable risk

Page 9: Draft

A major concern for multinationals – These risks are now a determining factor for the continued sustainability and competitiveness of interconnected businesses.

Financial institutions in particular are increasingly faced with threats surrounding:

• Theft of banks’ & clients’ money

• Destruction of information

• Disruption of operations

• Espionage

TARGETING THE MIDDLE EAST AND NORTH AFRICA (MENA)

The MENA region is particularly susceptible to these threats due to a lack of solid regulation and immature information security structures, as well as being a target of politically motivated attacks.

Additionally, we have witnessed sophisticated organized criminals from other parts of the world migrate their attacks away from western banks and toward the MENA region, which presents a “softer” target for lack of adequate security controls.

MANAGING CYBER RISK

Effective information security requires an enterprise-specific design of solutions that consider and tackle the ever-evolving cyber security risks. Since cyber security is also a strategic risk management issue, an appropriate corporate governance structure is required that would serve to uphold such an investment as part of the Board of Directors’ duties towards Risk Management.

Cyber security is becoming one of the primary concerns within multinational corporations and governments.

The BIS underlined that this category of risk should be considered a strategic management issue as well as an IT issue.

Page 10: Draft

MENA is particularly vulnerable to the lack of a preventative strategy

MENA financial institutions are becoming the primary targets of information-related criminal activities

Page 11: Draft

Because financial institutions and banks operating in the developed countries have hardened the security of their computer systems, there is an increasing trend for large, transnational organized criminal groups to target MENA banks and financial centers; this has led to the loss of a significant amount of funds. In addition, hostile countries in the region are using state-sponsored offensive computer attacks to damage and destroy the computer systems of rival countries’ central banks and financial centers.

ARAB BANKS UNDER ATTACK

It was described as “a massive 21st-century bank heist”. Two banks in the Middle East were targets of a gang of cybercriminals in the United States. In a span of 10 hours, USD 45 million was stolen by hacking into a database of prepaid credit cards and withdrawing customer money from ATMs in 27 countries. Many other banks in Middle East countries have also been victims of a variety of cyber security crimes.

Recent Events in the MENA region highlight the fact that protecting banking information is an immensely positive risk-management strategy.

Page 12: Draft

Ensuring Cyber-security leads to diminishing risk exposures

Page 13: Draft

Dimensions of Cyber Risk

The majority of data gathered and compiled by financial institutions and banks is done electronically. The failure to secure the organization from evolving threats can further expose them to even greater risks.

Three key cyber risks affecting banks include:

SCOPE OF THE THREAT

The rate at which cyber-attacks evolve and diversify is very high.

INDUSTRY INTERCONNECTION

The interconnection of banks and the financial industry, which is crucial to the financial system's functioning, is also an area of vulnerability when it comes to cybersecurity. Cyber risk increases when banks contract with third-party vendors and service providers to expand their offerings and improve efficiency.

RISING COSTS

Banks are paying more to strengthen their cybersecurity protections as the risks to their institutions grow. At the same time, launching an attack on the industry is getting cheaper.

Page 14: Draft

A Wealth of Experience In the Financial Industry, the MENA Region and Corporate Governance

SPECIALIZATION

Global Strategy & Governance S.A. (GSG) provides advice on Global & Regional Strategic Positioning, Risk Management Infrastructures, as well as Securing Strategic Corporate Governance Principles for financial institutions and central banks.

OBJECTIVE

One of our major objectives is to play a positive role in the global advancement of Risk Management, Corporate Governance, and Corporate Social Responsibility. A special emphasis in these fields is directed to the Arab region.

Its vision is to promote a positive socio-economic change in the Middle East and North Africa that can only be secured through improved corporate strategic and governance rationale.

THE GSG TEAM

The GSG team consists of experienced executives, including former senior managers and regulators. Thanks to an integrated and cohesive corporate culture, GSG helps financial institutions identify an adapted and realistic strategic positioning.

About Us

Page 15: Draft

GSG’s Leading Expert in Corporate Governance

He has directed GSG’s advisory as well as implementation client projects for various systemically important MENA banks as well as central banks. These projects included Strategic Repositioning, Mergers and Acquisitions.

CFO & Board Member Experience with plenty of firsts in the Arab World: Previously the CFO of one of the top Arab bank groups in the region, he was successful in achieving several important goals, including:

• Raising the Group’s net income after tax from USD 228 million in 2003 to an estimated USD one billion in 2008.

• Enhancing the Group’s equity from USD 2.9 billion in 2003 to an estimated USD 8 billion in 2008.

• Implementing Basel II and redesigning the Group’s related systems.

• Introducing several modern managerial tools including asset/liability management and financial planning concepts.

• Reorganizing the Group's operations in Europe.

• Restructuring the operations of subsidiary and sister banks.

• Acquisitions of banking and financial institutions outside of the Group’s home country.

• Obtaining for the Group an (A-) rating from the international rating agencies Moody’s, S&P, and Fitch at a time when the sovereign rating of the home country was (BB).

Publications: He has also published various articles focused on Corporate Governance, Risk Management, Strategic Positioning, Sovereign Wealth Funds, and Capital Adequacy.

Page 16: Draft

A U.S. Company at the Forefront of Information Security

FusionX represents an innovative information security, technology, intelligence, and risk management company that utilizes a unique approach providing holistic security solutions in complex environments to counter the most advanced, ever-evolving, and persistent cyber security threats.

Philosophy: “we think like your adversaries and anticipate their next moves”. Its methodology provides a flexible framework for addressing the full spectrum of the client’s computer/cyber security risk management issues, drawing from established best practices, best-in-class technology solutions, and unprecedented risk assessment expertise.

Specialization: FusionX specializes in the financial/banking sector, and currently has clients that are some of the largest banks in the United States, some with over $10 trillion USD under custody. The FusionX team regularly finds vulnerabilities that would be exploited by criminals and provides countermeasures and mitigation strategies to prevent and deter costly cyber attacks.

The FusionX Team

Its computer/cyber security team has been working together for over 15 years to provide the highest quality technical consulting services to international corporations and governments. Collectively, its team has worked with hundreds of companies and government organizations (assessing millions of systems) to address their information security concerns using comprehensive risk management principles.

They have worked with every critical infrastructure sector to provide enterprise-wide technical vulnerability assessments, including assessments of control systems (SCADA) and other critical networks such as the government, transportation and financial services sectors.

FusionX team members come from companies like UUNET, WheelGroup, BTG, Network Solutions, Titan, SAIC, CounterPane Internet Security, iDEFENSE, iSIGHT Partners, Security Design International, Technical Defense, Total Intel, and Computer Sciences Corporation.

About Us

Page 17: Draft

FusionX Senior Computer Expert

Specialization: He is an international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber security issues.

Global Experience: He has previous computer and cyber security experience at the highest levels of several other well-respected computer and information technology companies that operated in the U.S., China, India, Europe and South America. This expert provided strategic consulting services to select foreign governments and corporations on issues of information warfare and security, critical infrastructure protection and cyber security.

Publications & Television: His research on cyber security and security led to a widely published thesis entitled “National Security in the Information Age”, and he has co-written or authored chapters for several books, including “Cyber adversary Characterization”, “Threats in the Age of Obama”, “Information Warfare Volume 2”, and “Sun Tzu Art of War in Information Warfare”. In addition, he has appeared on CNN, MSNBC, FOX News, NPR, CBS News, BBC Television, NWCN, Australian television and dozens of other domestic and international radio and television programs as an expert on cyber security.

Lecturer: He is an adjunct professor at Georgetown University, and is the Founding Director of the Cyber Conflict Studies Association. Furthermore, he has lectured on computer networks and cyber security to the National Defense University, the Swedish, Australian, Japanese and New Zealand governments, and various universities and colleges.

FusionX Top Computer Expert

Research & Publication: FusionX’s other expert has been recognized throughout the security industry for his research in multiple areas including adversary profiling and software vulnerability research and analysis.

He has published four books on the topic of information security, including Cyber Adversary Characterization – Auditing the Hacker Mind, and is a contributor to the popular Stealing the Network series.

Lecturer & Speaker: He is a frequent speaker and subject matter expert at world-class computer and cyber security conferences including Black Hat. In addition, he lectures at various colleges and universities on computer issues.

Television: He is frequently called upon to provide his expert opinion to mass media organizations, including BBC News, CNN, Reuters News, Wired and Business Week.

Page 18: Draft

Proposals

CORPORATE GOVERNANCE

When we work with a financial institution, we first want to understand its purpose, its people and its culture: only then can the design for implementation be ready for best-fit solutions.

The main elements that compose the basic ingredients of a proper governance system include: the board of directors and its committees, a well-developed strategy setting framework, a proper organization, efficient oversight policies and procedures, a sound information system, and active risk-based controls.

The existence of good system components is not sufficient on its own to ensure the existence of suitable governance. Proper governance requires applicable as well as active implementation and practices. We help in developing a favourable governance culture within the entity.

CYBER SECURITY

To mitigate your bank’s cyber risks and enhance its management of them, we replicate the exact cyber-attacks that your enemies will carry out against your computer systems and network.

We will then identify the vulnerabilities of your computer system and plug those holes, making the system impervious to attack, thus saving your institution millions of dollars in probable losses.

Page 19: Draft

Specifically, we can provide the highest quality services and products in the following areas:

CORPORATE GOVERNANCE

– Evaluation of the corporate governance matrix as far as cyber security is concerned. This exercise will consider related reporting and responses at all governance levels, including the Board of Directors.

– Providing a set of proposals to improve the cyber risk governance at all levels so as to be in line with best practices.

– Helping the client implement its cyber risk governance proposals in line with international best practices.

– Evaluation of the corporate governance matrix.

– Board evaluations in accordance with regulatory requirements.

– Helping implement governance proposals in line with international best practices.

CYBER SECURITY

– Periodic vulnerability assessment and tactical penetration testing (“red cell scenarios”) of the client’s computer network, mimicking actual cyber-attack methods of the client’s main threats (whether national governments, criminal groups, or terrorist groups), to ensure the network is secure and to identify and quickly resolve any network vulnerabilities.

– An initial technical threat and vulnerability assessment of the existing computer network, both software and hardware, with recommendations and procurement of updated hardware and software systems based on the client’s needs for the network.

– Implementation of new hardware and software into the computer system, fully integrated with security packages, solutions and training to ensure the computer system’s integrity and security from all threats.

– Cyber security policy, procedures and awareness training for all personnel who will be operating and maintaining the computer system, and the development of an “in-house” continuing training program.

– On-demand incident response and threat analysis support as well as access to subject matter experts.

Page 20: Draft

FACT FINDING

A brief visit to the organization (2-3 days) to conduct a preliminary assessment of the capabilities and deficiencies of the organization’s technical and strategic risk management infrastructures concerning its risks, whether cyber risks or governance risks.

A REPORT ON DEFICIENCIES AND A PROPOSAL

The client will be sent a proposal detailing the current status of the institution regarding the above and proposed plans of action.

IMPLEMENTATION

A gradual implementation of the changes will be agreed upon, specifying a clear list of tasks and time planning. This should identify each implementation objective, the resources needed for its implementation and the time frame needed to accomplish it.

An appropriate organizational implementation task force will be formed that will direct and oversee the implementation of the proposal.

Implementation Process

Page 21: Draft

Global Strategy & Governance S.A. [email protected] 29, route de Pré-Bois P.O. Box 348 CH-1211 Geneva 3 Switzerland t : + 41 22 317 9650 f : + 41 22 317 9659

FusionX [email protected] Reston – Arlington – Seattle – Kansas City United States t : + 1 888 7475 411 f : + 41 22 317 9659

56, Shmeisani , Prince Shaker Ben Zaid Street P.O. Box 212989 11121 Amman Jordan t : + 962 6 565 2462 f : + 962 6 567 6016

Page 22: Draft

Global Strategy & Governance