Corporate Governance & Cyber Security
comply, modernize, harmonize, protect and fortify.
Protecting the Financial Industry
in the MENA Region
GSG & FusionX
Corporate Governance
• Strategic positioning
• Structure of the Board of Directors
• Reduction of agency costs
• Organizational structure Efficiency
• Definition of lines of responsibility and authorities
• Oversight by management
• Board’s role in Risk Management
• Integrated and comprehensive risk management
• Effectiveness of internal and external controls
• Ethical values and transparency
IT IS A CHALLENGING TIME FOR BANKS IN THE MENA REGION
Corporate Governance & Risk Management Will Be the Deciding Factors in Performance & Longevity
Never before has the role of key Arab financial
institutions been so significant in the
development of the regional economy.
As developed economies are restructuring to
protect themselves from future financial
turmoil, Arab banks have the ability to provide
much needed funds and support to national
economic growth. They can further position
themselves as formidable and valued sources of
stability. Without a solid foundation in
corporate governance and risk management,
this potential cannot be reached.
GOOD CORPORATE GOVERNANCE IN BANKING
CHAMPIONS THE DECISION MAKERS
The banks that decide to enforce a proper
corporate governance structure will add value
to the stakeholders, which inevitably includes:
• Improved reputation through demonstrated
transparency and social accountability
• Improved top level decision-making
processes
• Improved long-term and sustainable
performance
• Reduced risks linked to bad strategic
decisions
• Increased foreign direct investments
• Indicates improved regulatory compliance
• Helps anticipate and seamlessly integrate regulatory changes
• Mitigates the impact of future crises
Corporate Governance Signals an Adherence to Regulatory Requirements, and More Importantly, Self-Regulation
Stakeholders including fund managers, institutional investors and shareholders want to be assured that their bank genuinely cares about its own governance and long-term sustainability.
ENCOURAGES INNOVATION
One of the main benefits of effective corporate
governance is the mitigation of agency frictions.
It preserves and protects property rights, which
in turn encourages innovation and long-term
investment in human and physical capital, as
well as the creation of intellectual property.
IMPROVES PERFORMANCE AND
INVESTOR PORTFOLIO COMPOSITION
A healthy board is one that is independent and
accountable, and it thus has a direct influence
on company performance.
• Correlates positively with higher revenue
growth and lower capital expenditures
• Along with environmental and social factors,
corporate governance is increasingly
significant for institutional investors’ and
fund managers’ investment analysis
• Leads to positive credit ratings
IMPROVES CONTROLS AND REDUCES RISK
Limits abuse by corporate insiders and
enhances leadership.
• Signals a better control environment and risk
culture
• Reduces firms’ cost of capital
• Dictates a monitoring of up-and-coming
types of risks, such as Cyber crime
Good and proper corporate governance means major and tangible achievements
DISCLOSURE AND TRANSPARENCY
Generally, banks continue to crowd their
financial statement with irrelevant information
and unnecessarily clutter their annual reports.
Little emphasis is placed on the quality or
relevancy of non-financial information. Reading
through some of the top banks’ annual reports
proves cumbersome and confusing to the
average shareholder.
CONCENTRATION OF OWNERSHIP
Although family-controlled or state-owned
banks helped mitigate liquidity risks during the
financial crisis of 2007, the current nature of
such institutions leaves them open to future risks
related to the preservation of shareholder rights
and succession of power to appropriate persons.
CORPORATE GOVERNANCE REPORTING
The corporate governance frameworks of major
Arab banks reveal significant discrepancies in the
extent of corporate governance implementation
across institutions. Some banks do not include
any corporate governance related material in
their annual reports, while others include
detailed accounts. Alarmingly, some of the top 15
have not posted their annual reports on their
websites since 2007. Disclosure of non-financial
information and related party transactions is
often ignored. It is vital for Arab banks to start
the transition to international standards and
practices in corporate governance for accounting,
audit and non-financial disclosures.
Proper Corporate Governance in Arab banks will mitigate problems related to agency costs
SHAREHOLDERS RIGHTS
Most banks provide assurance that all of their
shareholders are treated equally and that
supervisory and executive decisions are made for
the benefit of shareholders as a whole.
Nevertheless, few banks keep regular dialogue
with their shareholders other than the annual
shareholders' meetings and reporting. Voting
methodologies and disclosure of the voting
results are of great concern in the MENA region
and cumulative voting is far from ubiquitous.
Protection of minority shareholders must be
further strengthened.
QUALITY OF THE BOARD OF DIRECTORS
With regard to board members, the concerns
include a lack of training, a lack of diversified and
relevant backgrounds, and a lack of experience
and qualifications. There is little attention paid to
regular targeted training and development to
ensure the members’ capabilities to oversee their
institutions. Also, there remains a teething process
surrounding committee structures and their
roles, responsibilities, compositions and
functions. The limitation in the directors’ abilities
to obtain accurate, relevant and timely
information from the bank is a severe disabler to
the power of the board to oversee the
organization.
Cyber Security
Targets Interconnected Banking and other Financial Institutions
As financial institutions become more interconnected, their vulnerabilities to cyber risk increase
It is management’s duty to protect the bank and its clients from known sources of probable risk
A major concern for multinationals – These risks
are now a determining factor for the continued
sustainability and competitiveness of
interconnected businesses.
Financial institutions in particular are
increasingly faced with threats surrounding:
• Theft of banks’ & clients’ money
• Destruction of information
• Disruption of operations
• Espionage
TARGETING THE MIDDLE EAST AND NORTH
AFRICA (MENA)
The MENA region is particularly susceptible to
these threats due to a lack of solid regulation
and immature information security structures,
as well as being the targets of politically
motivated attacks.
Additionally, we have witnessed sophisticated
organized criminals from other parts of the
world migrate their attacks away from western
banks and toward the MENA region, as they
present a “softer” target for not having adequate
security controls in place.
MANAGING CYBER RISK
Effective information security requires an
enterprise-specific design of solutions that
consider and tackle the ever evolving cyber
security risks. Since cyber security is also a
strategic risk management issue, an appropriate
corporate governance structure is required that
would serve to uphold such an investment as
part of the Board of Director’s duties towards
Risk Management.
Cyber security is becoming one of the primary concerns within multinational corporations and governments.
The BIS underlined that this category of risk should be considered as a strategic management issue as well as IT.
MENA is particularly vulnerable to the lack of a preventative strategy
MENA financial institutions are becoming the primary targets of information-related criminal activities
Because financial institutions and banks
operating in the developed countries have
hardened the security in their computer
systems, there is an increasing trend for large,
transnational organized criminal groups
targeting MENA banks and financial centers; this
has led to the loss of a significant amount of
funds. In addition, hostile countries in the region
are using state-sponsored offensive computer
attacks to damage and destroy the computer
systems of rival country Central Banks and
financial centers.
ARAB BANKS UNDER ATTACK
It was described as “a massive 21st-century
bank heist”. Two banks in the Middle East were
targets of a gang of cybercriminals in the United
States. In a span of 10 hours, USD 45 million was
stolen by hacking into a database of prepaid
credit cards and withdrawing customer money
from ATMs in 27 countries. Many other banks
in Middle East countries have also been victims
of a variety of cyber security crimes.
Recent Events in the MENA region highlight the fact that protecting banking information is an immensely positive risk-management strategy.
Ensuring Cyber-security leads to diminishing risk exposures
Three key cyber risks affecting banks include:
SCOPE OF THE THREAT
The rate at which cyber-attacks evolve and
diversify is very high.
INDUSTRY INTERCONNECTION
The interconnection of banks and the financial
industry, which is crucial to the financial
system's functioning, is also an area of
vulnerability when it comes to cybersecurity.
Cyber risk increases when banks contract with
third-party vendors and service providers to
expand their offerings and improve efficiency.
RISING COSTS
Banks are paying more to strengthen their
cybersecurity protections as the risks to their
institutions grow. At the same time, launching
an attack on the industry is getting cheaper.
Dimensions of Cyber Risk
The majority of data gathered and compiled by financial institutions and banks is done electronically. The failure to secure the organization from evolving threats can further expose them to even greater risks.
A Wealth of Experience In the Financial Industry,
the MENA Region and Corporate Governance
SPECIALIZATION
Global Strategy & Governance S.A. (GSG)
provides advice on Global & Regional Strategic
Positioning, Risk Management Infrastructures, as
well as Securing Strategic Corporate Governance
Principles for financial institutions and central
banks.
OBJECTIVE
One of our major objectives is to play a positive
role in the global advancement of Risk
Management, Corporate Governance, and
Corporate Social Responsibility. A special
emphasis in these fields is directed to the Arab
region.
Its vision is to promote a positive socio-
economic change in the Middle East and North
Africa that can only be secured through improved
corporate strategic and governance rationale.
THE GSG TEAM
The GSG team consists of experienced executives,
including former senior managers and
regulators. Thanks to an integrated and cohesive
corporate culture, GSG helps financial institutions
identify an adapted and realistic strategic
positioning.
About Us
GSG’s Leading Expert in Corporate Governance
He has directed GSG’s advisory as well as
implementation client projects for various
systematically important MENA banks as well as
central banks. These projects included Strategic
Repositioning, Mergers and Acquisitions.
CFO & Board Member Experience with plenty of
firsts in the Arab World: Previously the CFO of
one of the top Arab bank groups in the region, he
was successful in achieving several important
goals, including:
• Raising the Group’s net income after tax from
USD 228 million in 2003 to an estimated USD
one billion in 2008.
• Enhancing the Group’s equity from
USD 2.9 billion in 2003 to an estimated USD 8
billion in 2008.
• Implementing Basel II and redesigning the
Group’s related systems.
• Introducing several modern managerial tools
including Asset/liability management and
financial planning concepts.
• Reorganizing the Group's operations in
Europe.
• Restructuring of the operations of subsidiary
and sister banks.
• Acquisitions of banking and financial
institutions outside of the Group’s home
country.
• Obtaining the Group an (A-) rating from the
international rating agencies: Moody’s, S&P,
and Fitch at the time when the sovereign
rating of the home country was (BB).
Publications: He has also published various
articles focused on Corporate Governance, Risk
Management, Strategic Positioning, Sovereign
Wealth funds, and Capital Adequacy.
A U.S. Company at the Forefront of Information
Security
FusionX represents an innovative information
security, technology, intelligence, and risk
management company that utilizes a unique
approach providing holistic security solutions in
complex environments to counter the most
advanced, ever evolving, and persistent cyber
security threats.
Philosophy: “we think like your adversaries and
anticipate their next moves”. Its methodology
provides a flexible framework for addressing the
full-spectrum of the client’s computer/cyber
security risk management issues drawing from
established best practices, best-in-class
technology solutions, and unprecedented risk
assessment expertise.
Specialization: FusionX specializes in the
financial/banking sector, and currently has
clients that are some of the largest banks in the
United States, some with over $10 trillion USD
under custody. The FusionX team regularly finds
vulnerabilities that would be exploited by
criminals and provides countermeasures and
mitigation strategies to prevent and deter costly
cyber attacks.
The FusionX Team
Its computer/cyber security team has been
working together for over 15 years to provide
the highest quality technical consulting services
to international corporations and governments.
Collectively, its team has worked with hundreds
of companies and government organizations
(assessing millions of systems) to address their
information security concerns using
comprehensive risk management principles.
They have worked with every critical
infrastructure sector to provide enterprise-wide
technical vulnerability assessments including
assessments of control systems (SCADA) and
other critical networks such as the government,
transportation and financial services sectors.
FusionX team members come from companies
like UUNET, WheelGroup, BTG, Network
Solutions, Titan, SAIC, CounterPane Internet
Security, iDEFENSE, iSIGHT Partners, Security
Design International, Technical Defense, Total
Intel, and Computer Sciences Corporation.
About Us
FusionX Senior Computer Expert
Specialization: He is an international security
expert specializing in counterterrorism, critical
infrastructure protection, intelligence, risk
management and cyber security issues.
Global Experience: He has previous computer
and cyber security experience at the highest
levels of several other well-respected computer
and information technology companies that
operated in the U.S., China, India, Europe and
South America. This expert provided strategic
consulting services to select foreign governments
and corporations on issues of information
warfare and security, critical infrastructure
protection and cyber security.
Publications & Television: His research on cyber
security and security led to a widely published
thesis entitled “National Security in the
Information Age”, and he has co-written or
authored chapters for several books, including
“Cyber Adversary Characterization”, “Threats in
the Age of Obama”, “Information Warfare Volume
2”, and “Sun Tzu Art of War in Information
Warfare”. In addition, he has appeared on CNN,
MSNBC, FOX News, NPR, CBS News, BBC
Television, NWCN, Australian television and
dozens of other domestic and international radio
and television programs as an expert on cyber
security.
Lecturer: He is an adjunct professor at
Georgetown University, and is the Founding
Director of the Cyber Conflict Studies Association.
Furthermore, he has lectured on computer
networks and cyber security to the National
Defense University, the Swedish, Australian,
Japanese and New Zealand governments, and
various universities and colleges.
FusionX Top Computer Expert
Research & Publication: FusionX’s other expert
has been recognized throughout the security
industry for his research in multiple areas
including adversary profiling and software
vulnerability research and analysis.
He has published four books on the
topic of information security, including Cyber
Adversary Characterization – Auditing the
Hacker Mind, and is a contributor to the popular
Stealing the Network Series.
Lecturer & Speaker: He is a frequent speaker and
subject matter expert at world-class computer
and cyber security conferences including Black
Hat. In addition, he lectures at various colleges
and universities on computer issues.
Television: He is frequently called upon to
provide his expert opinion to mass media
organizations, including BBC News, CNN, Reuters
News, Wired and Business Week.
Proposals
CORPORATE GOVERNANCE
When we work with a financial institution, we
first want to understand its purpose, its people
and its culture: only then can the design for
implementation be ready for best-fit solutions.
The main elements that compose the basic
ingredients of a proper governance system
include: the board of directors and its
committees, a well-developed strategy setting
framework, a proper organization, efficient
oversight policies and procedures, a sound
information system, and active risk-based
controls.
The existence of a good systems component is
not sufficient on its own to ensure the existence
of suitable governance. Proper governance
requires applicable as well as active
implementation and practices. We help in
developing a favourable governance culture
within the entity.
CYBER SECURITY
To mitigate your bank’s cyber risks and enhance
its management of them, we replicate the exact
cyber-attacks that your enemies will carry out
against your computer systems and network.
We will then identify the vulnerabilities of your
computer system and plug those holes making
the system impervious to attack, thus saving
your institution millions of dollars in probable
losses.
Specifically, we can provide the highest quality
services and products in the following areas:
CORPORATE GOVERNANCE
– Evaluation of the corporate governance matrix
as far as cyber security is concerned. This
exercise will consider related reporting and
responses at all governance levels, including the
Board of Directors.
– Providing a set of proposals to improve the
cyber risk governance at all levels so as to be in
line with best practices
– Help the client in implementing its cyber risk
governance proposals in line with international
best practices.
– Evaluation of the corporate governance matrix.
– Board Evaluations in accordance with regulatory
requirements.
– Help implement governance proposals in line
with international best practices.
CYBER SECURITY
– Periodic vulnerability assessment and tactical
penetration testing (“red cell scenarios”) of the
client’s computer network mimicking actual
cyber-attack methods of the client’s main threats
(whether national governments, criminal
groups, or terrorist groups) to ensure the
network is secure and to identify and quickly
resolve any network vulnerabilities.
– An initial technical threat and vulnerability
assessment of existing computer network, both
software and hardware, with recommendations
and procurement of updated hardware and
software systems based on what the client needs
the network to meet them.
– Implementation of new hardware and software
into the computer system fully integrated with
security packages, solutions and training to
ensure the computer system’s integrity and
security from all threats.
– Cyber security policy, procedures and awareness
training for all personnel who will be operating
and maintaining the computer system, and the
development of an “in-house” continuing
training program.
– On-demand incident response and threat
analysis support as well as access to subject
matter experts.
FACT FINDING
A brief visit to the organization (2-3 days) to
conduct a preliminary assessment surrounding
the capabilities and deficiencies of the
organization’s technical and strategic risk
management infrastructures concerning their
risks, whether cyber risk or governance risks.
A REPORT ON DEFICIENCIES AND A
PROPOSAL
The client will be sent a proposal detailing the
current status of the institution regarding the
above and proposed plans of action.
IMPLEMENTATION
A gradual implementation of the changes will be
agreed upon, specifying a clear list of tasks and
time planning. This should identify each
implementation objective, resources needed for
its implementation and the needed time frame
to accomplish it.
An appropriate and organizational
implementation task force will be formed that
will direct and oversee the implementation of
the proposal.
Implementation Process
Global Strategy & Governance S.A. [email protected] 29, route de Pré-Bois P.O. Box 348 CH-1211 Geneva 3 Switzerland t : + 41 22 317 9650 f : + 41 22 317 9659
FusionX [email protected] Reston – Arlington – Seattle – Kansas City United States t : + 1 888 7475 411 f : + 41 22 317 9659
56, Shmeisani , Prince Shaker Ben Zaid Street P.O. Box 212989 11121 Amman Jordan t : + 962 6 565 2462 f : + 962 6 567 6016
Global Strategy & Governance