corporate governance in mena banks
DESCRIPTION
ÂTRANSCRIPT
Corporate Governance & Cyber SecurityCOMPLY • MODERNIZE • HARMONIZE • PROTECT • FORTIFY
GSG & FusionX
Protecting the Financial Industryin the MENA Region
• Strategic positioning
• Structure of the Board of Directors
• Reduction of agency costs
• Organizational structure Efficiency
• Definition of lines of responsibility and authorities
• Oversight by management
• Board’s role in Risk Management
• Integrated and comprehensive risk management
• Effectiveness of internal and external controls
• Ethical values and transparency
Corporate Governance
Never before has the role of key Arab financial institutions been so significant in the development of the regional economy.
As developed economies are restructuring to protect themselves from future financial turmoil, Arab banks have the ability to provide much needed funds and support to national economic growth. They can further position themselves as formidable and valued sources of stability. Without a solid foundation in corporate governance and risk management, this potential cannot be reached.
GOOD CORPORATE GOVERNANCE IN BANKING CHAMPIONS THE DECISION MAKERS
The banks that decide to enforce a proper corporate governance structure will add value to the stakeholders, which inevitably includes:
• Improved reputation through demonstrated transparency and social accountability
• Improved top level decision-making processes
• Improved long-term and sustainable performance
• Reduced risks linked to bad strategic decisions
• Increased foreign direct investments
IT IS A CHALLENGING TIME FOR BANKS IN THE MENA REGION
Corporate Governance & Risk Management Will Be the Deciding Factors in Performance & Longevity
• Indicates improved regulatory compliance
• Mitigates the impact of future crises
• Helps anticipate and seamlessly integrate regulatory changes
CORPORATE GOVERNANCE SIGNALS AN ADHERENCE TO REGULATORY REQUIREMENTS, AND MORE IMPORTANTLY, SELF-REGULATION
Stakeholders including fund managers, institutional investors and shareholders want to be assured that their bank genuinely cares about its own governance and long- term sustainability.
One of the main benefits of effective corporate governance is the mitigation of agency frictions. It preserves and protects property rights, which in turn encourages innovation and long-term investment in human and physical capital, as well as the creation of intellectual property.
Forming a healthy board encompasses one that is independent and accountable and thus has a direct influence on company performance.
• Correlates positively with higher revenue growth and lower capital expenditures
• Along with environmental and social factors, corporate governance is increasingly more significant for institutional investors and fund managers’ investment analysis
• Leads to positive credit ratings
IMPROVES CONTROLSAND REDUCES RISK
IMPROVES PERFORMANCE AND INVESTOR PORTFOLIO COMPOSITION
ENCOURAGESINNOVATION
• Limits abuse by corporate insiders• and enhances leadership.
• Signals a better control environment and risk culture
• Reduces firms’ cost of capital
• Dictates a monitoring of up-and-coming types of risks, such as Cyber crime
• Increased foreign direct investments
GOOD AND PROPER CORPORATE GOVERNANCE MEANS MAJOR AND TANGIBLE ACHIEVEMENTS
CORPORATE GOVERNANCE REPORTING
The corporate governance frameworks of major Arab banks reveal significant discrepancies in the extent of corporate governance implementation across institutions. Some banks do not include any corporate governance related material in their annual reports, while others include detailed accounts. Alarmingly, some of the top 15 have not posted their annual reports on their websites since 2007. Disclosure of non-financial information and related party transactions is often ignored. It is vital for Arab banks to start the transition to international standards and practices in corporate governance for accounting, audit and non-financial disclosures.
DISCLOSURE AND TRANSPARENCY
Generally, banks continue to crowd theirfinancial statement with irrelevant information and unnecessarily clutter their annual reports. Little emphasis is placed on the quality or relevancy of non-financial information. Reading through some of the top bank’s annual reports proves cumbersome and confusing to the average shareholder.
CONCENTRATIONOF OWNERSHIP
Although family-controlled or state-owned banks helped mitigate liquidity risks during the financial crisis of 2007, the current nature of such institutions leaves them open to future risks related to the preservation of shareholder rights and succession of power to appropriate persons.
PROPER CORPORATE GOVERNANCE IN ARAB BANKS WILL MITIGATE PROBLEMS RELATED TO AGENCY COSTS
QUALITY OF THE BOARD OF DIRECTORS
With regards to the boards’ members, this includes lack of training, lack of diversified and relevant backgrounds, and the lack of experience and qualifications. There is little attention paid to regular targeted training and development to ensure the members’ capabilities to oversee their intuitions. Also, there remains a teething process surrounding committee structures and their roles, responsibilities, compositions and functions. The limitation in the directors’ abilities to obtain accurate, relevant and timely information from the bank is a severe disabler to the power of the board to oversee the organization.
SHAREHOLDERS RIGHTS
Most banks provide assurance that all of their shareholders are treated equally and that supervisory and executive decisions are made for the benefit of shareholders as a whole. Nevertheless, few banks keep regular dialogue with their shareholders other than the annual shareholder’s meetings and reporting. Voting methodologies and disclosure of the voting results is of great concern in the MENA region and cumulative voting is far from ubiquitous. Protection of minority shareholders must be further strengthened.
As financial institutions become more interconnected, their vulnerabilities to cyber risk increase
It is management’s duty to protect the bank and it’s clients from known sources of probable risk
CyberSecurityTARGETS INTERCONNECTED BANKING AND OTHER FINANCIAL INSTITUTIONS
A major concern for multinationals – These risks are now a determining factor for the continued sustainability and competitiveness of interconnected businesses. Financial institutions in particular are increasingly faced with threats surrounding:
• Theft of banks’ & clients’ money
• Destruction of information
• Disruption of operations
• Espionage
TARGETING THE MIDDLE EAST AND NORTH AFRICA (MENA)
The MENA region is particularly susceptible to these threats due to a lack of solid regulation and immature information security structures, as well as being the targets of politically motivated attacks.
Corporate Governance & Risk Management Will Be the Deciding Factors in Performance & Longevity
Additionally, we have witnessed sophisticated organized criminals from other parts of the world migrate their attacks away from western banks and toward the MENA region, as they present a “softer” target for not having adequate security controls in place.
TARGETING THE MIDDLE EAST AND NORTH AFRICA (MENA)
Effective information security requires an enterprise-specific design of solutions that consider and tackle the ever evolving cyber security risks. Since cyber security is also a strategic risk management issue, an appropriate corporate governance structure is required that would serve to uphold such an investment as part of the Board of Director’s duties towards Risk Management.
CYBER SECURITY IS BECOMING ONE OF THE PRIMARY CONCERNS WITHIN MULTINATIONAL CORPORATIONS AND GOVERNMENTS
MENA IS PARTICULARLY VULNERABLE TO THE LACK OF A PREVENTATIVE STRATEGY
MENA financial institutins are becoming the primary targets of information-related criminal activities
Because financial institutions and banks operating in the developed countries have hardened the security in their computer systems, there is an increasing trend for large, transnational organized criminal groups targeting MENA banks and financial centers; this has led to the loss of a significate amount of funds. In addition, hostile countries in the region are using state-sponsored offensive computer attacks to damage and destroy the computer systems of rival country Central Banks and financial centers.
ARAB BANKS UNDER ATTACK
It was described as “a massive 21st-century bank heist”. Two banks in the middle east were targets of a gang of cybercriminals in the United States. In a span of 10 hours, USD 45 million was stolen by hacking into a database of prepaid credit cards and withdrawal of customer money from ATMs in 27 countries. Many other banks in middle east countries have also been victims of a variety of cyber security crimes.
RECENT EVENTS IN THE MENA REGION HIGHLIGHT THE FACT THAT PROTECTING BANKING INFORMATION IS AN IMMENSELY POSITIVE RISK-MANAGEMENT STRATEGY
ENSURING CYBER-SECURITY LEADSTO DIMINISHING RISK EXPOSURES
Three key cyber risks affecting banks include:
SCOPE OF THE THREAT
The rate by which cyber-attacks evolve and diversify is very high.
INDUSTRY INTERCONNECTION
The interconnection of banks and the financial industry, which is crucial to the financial system’s functioning, is also an area of vulnerability when it comes to cybersecurity.Cyber risk increased when banks contract with third-party vendors and service providers to expand their offerings and improve efficiency.
RISING COSTS
Banks are paying more to strengthen their cybersecurity protections as the risks to their institutions grow. At the same time, launching an attack on the industry is getting cheaper.
DIMENSIONS OF CYBER RISK
The majority of data gathered and compiled by financial institutions and banks is done electronically. The failure to secure the organization from evolving threats can further expose.
As financial institutions become more interconnected, their vulnerabilities to cyber risk increase.
SPECIALIZATION
Global Strategy & Governance S.A. (GSG) provides advice on Global & Regional Strategic Positioning, Risk Management Infrastructures, as well as Securing Strategic Corporate Governance Principles for financial institutions and central banks.
OBJECTIVE
One of our major objectives is to play a positive role in the global advancement of Risk Management, Corporate Governance, and Corporate Social Responsibility. A special emphasis in these fields is directed to the Arab region.
Its vision is to promote a positive socio- economic change in the Middle East and North Africa that can only be secured through improved corporate strategic and governance rational.
THE GSG TEAM
The GSG team consists of experienced executives, including former senior managers and regulators. Thanks to an integrated and cohesive corporate culture, GSG helps financial institutions identify an adapted and realistic strategic positioning.
About Us
A Wealth of Experience In theFinancial Industry, the MENA Region and Corporate Governance
• Reorganizing the Group’s operations in Europe.
• Restructuring of the operations of subsidiary and sister banks.
• Acquisitions of banking and financial institutions outside of the Group’s home country.
• Obtaining the Group an (A-) rating from the international rating agencies: Moody’s, S&P, and Fitch at the time when the sovereign rating of the home country was (BB).
Publications: He has also publishedvarious articles focused on Corporate Governance, Risk Management, Strategic Positioning, Sovereign Wealth funds, and Capital Adequacy.
GSG’S LEADING EXPERT IN CORPORATE GOVERNANCE
He has directed GSG’s advisory as well as implementation client projects for various systematically important MENA banks as well as central banks. These projects included Strategic Repositioning, Mergers and Acquisitions.
CFO & Board Member Experience with plenty of firsts in the Arab World: Previously the CFO of one of the top Arab bank groups in the region, he was successful in achieving several important, goals including:
• Raising the Group’s net income after tax from USD 228 million in 2003 to an estimated USD one billion in 2008.
• The enhancement the Group’s equity from USD 2.9 billion in 2003 to an estimated USD 8 billion in 2008
• Implementing Basel II and redesigning the Group’s related systems
• Introducing several modern managerial tools including Asset/liability management and financial planning concepts.
As financial institutions become more interconnected, their vulnerabilities to cyber risk increase.
FusionX represents an innovative information security, technology, intelligence, and risk management company that utilizes a unique approach providing holistic security solutions in complex environments to counter the most advanced, ever evolving, and persistent cyber security threats.
PHILOSOPHY
“We think like your adversaries and anticipate their next moves”. Its methodology provides a flexible framework for addressing the full-spectrum of theclient’s computer/cyber security risk management issues drawing from established best practices, best-in-class
technology solutions, and unprecedented risk assessment expertise.GSG helps financial institutions identify an adapted and realistic strategic positioning.
SPECIALIZATION
FusionX specializes in the financial/banking sector, and currently has clients that are some of the largest banks in the United States, some with over $10 trillion USD under custody. The FusionX team regularly finds vulnerabilities that would be exploited by criminals and provides countermeasures and mitigation strategies to prevent and deter costly cyber attacks.
About Us
A U.S. Company at the Forefront of Information Security
THE FUSIONX TEAM
Its computer/cyber security team has been working together for over 15 years to provide the highest quality technical consulting services to international corporations and governments. Collectively, its team has worked with hundreds of companies and government organizations (assessing millions of systems) to address their information security concerns using comprehensive risk management principles.
They have worked with every critical infrastructure sector to provide enterprise-wide technical vulnerability assessments including assessments of control systems (SCADA) and other critical networks such as the government, transportation and financial services sectors.
FusionX team members come from companies like UUNET, WheelGroup, BTG, Network Solutions, Titan, SAIC, CounterPane Internet Security, iDEFENSE, iSIGHT Partners, Security Design International, Technical Defense, Total Intel, and Computer Sciences Corporation.
FusionX Senior Computer ExpertSpecialization: He is an international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber security issues.
Global Experience: He has previous computer and cyber security experience at the highest levels of several other well-respected computer and information technology companies that operated in the U.S., China, India, Europe and South America. This expert provided strategic consulting services to select foreign governments and corporations on issues of information warfare and security, critical infrastructure protection and cyber security.
Publications & Television: His research on cyber security and security lead to a widely published thesis entitled, “National Security in the Information Age”, as well as having co-written or authored chapters for several books, including “Cyber adversary Characterization”, “Threats in the Age of Obama”, Information Warfare Volume 2”, and “Sun Tzu Art of War in Information Warfare”. In addition, he has appeared on CNN, MSNBC, FOX News, NPR, CBS News, BBC Television, NWCN, Australian television and dozens of other domestic and international radio and television programs as an expert on cyber security.
Lecturer: He is an adjunct professor at Georgetown University, and is the Founding Director of the Cyber conflict Studies Association. Furthermore, he has lectured on the computer networks and cyber security to the National Defense University, the Swedish, Australian, Japanese and New Zealand governments, and various universities and colleges.
FUSIONX TOP COMPUTER EXPERT
Research & Publication: FusionX’s other expert has been recognized throughout the security industry for his research in multiple areas including adversary profiling and software vulnerability research and analysis.Four books have been published by him on the topic of information security, including Cyber Adversary Characterization – Auditing the Hacker Mind and is a contributor to the popular Stealing the Network Series.
Lecturer & Speaker: He is a frequent speaker and subject matter expert at world-class computer and cyber security conferences including Black Hat. In addition, he lectures at various colleges and universities on computer issues. Television: He is frequently called upon to provide his expert opinion to mass media organizations, including BBC News, CNN, Reuters News, Wired and Business Week.
CORPORATE GOVRNANCE
When we work with financial institution, we first want to understand its purpose, its people and its culture: only then can the design for implementation be ready for best-fit solutions.
The main elements that compose the basic ingredients of a proper governance system include: the board of directors and its committees, a well-developed strategy setting framework, a proper organization, efficient oversight policies and procedures, a sound information’s system, and active risk based controls.
The existence of a good systems component is not sufficient on its own to ensure the existence of suitable governance.
Proper governance requires applicable as well as active implementation and practices. We help in developing a favourable governance culture within the
CYBER SECURITY
To mitigate your bank’s cyber risks and enhance its management of them, we replicate the exact cyber-attacks that your enemies will carry out against your computer systems and network.
We will then identify the vulnerabilities of your computer system and plug those holes making the system impervious to attack, thus saving your institution millions of dollars in probable losses.
Proposals
CORPORATE GOVRNANCE
Evaluation of the corporate governance matrix as far as cyber security is concerned. This exercise will consider related reporting and responses at all governance levels, including the Board of Directors.
Providing a set of proposals to improve the cyber risk governance at all levels so as to be in line with best practices
Help the client in implementing its cyber risk governance proposals in line with international best practices.
Evaluation of the corporate governance matrix.
Board Evaluations in accordance with regulatory requirements.
Help implement governance proposals in line with international best practices.
CYBER SECURITY
Periodic vulnerability assessment and tactical penetration testing (“red cell scenarios”) of the client’s computer network mimicking actual cyber-attack methods of the client’s main threats (whether national governments, criminal groups, or terrorist groups) to ensure the network is secure and to identify and quickly resolve any network vulnerabilities.
An initial technical threat and vulnerability assessment of existing computer network, both software and hardware, with recommendations and procurement of updated hardware and software systems based on what the client needs the network to meet them.
Implementation of new hardware and software into the computer system fully integrated with security packages, solutions and training to ensure the computer system’s integrity and security from all threats.
Cyber security policy, procedures and awareness training for all personnel who will be operating and maintaining the computer system, and the development of an “in-house” continuing training program.
On-demand incident response and threat analysis support as well as access to subject matter experts.
Specifically, we can provide the highest quality services and products in the following areas:
FACTS FINDING
A brief visit to the organization (2-3 days) to conduct a preliminary assessment surrounding the capabilities and deficiencies of the organizations’ technical and strategic risk management infrastructures concerning their risks, whether cyber risk or governance risks.
A REPORT ON DEFICIENCIES AND A PROPOSAL
The client will be sent a proposal detailing the current status of the institution regarding the above and proposed plans of action.
IMPLEMENTATION
A gradual implementation of the changes will be agreed upon, specifying a clear list of tasks and time planning. This should identify each implementation objective, resources needed for its implementation and the needed time frame to accomplish it.
An appropriate and organizational implementation task force will be formed that will direct and oversee the implementation of the proposal.
Implementation Process
CORPORATE GOVRNANCE
Evaluation of the corporate governance matrix as far as cyber security is concerned. This exercise will consider related reporting and responses at all governance levels, including the Board of Directors.
Providing a set of proposals to improve the cyber risk governance at all levels so as to be in line with best practices
Help the client in implementing its cyber risk governance proposals in line with international best practices.
Evaluation of the corporate governance matrix.
Board Evaluations in accordance with regulatory requirements.
Help implement governance proposals in line with international best practices.
CYBER SECURITY
Periodic vulnerability assessment and tactical penetration testing (“red cell scenarios”) of the client’s computer network mimicking actual cyber-attack methods of the client’s main threats (whether national governments, criminal groups, or terrorist groups) to ensure the network is secure and to identify and quickly resolve any network vulnerabilities.
An initial technical threat and vulnerability assessment of existing computer network, both software and hardware, with recommendations and procurement of updated hardware and software systems based on what the client needs the network to meet them.
Implementation of new hardware and software into the computer system fully integrated with security packages, solutions and training to ensure the computer system’s integrity and security from all threats.
Cyber security policy, procedures and awareness training for all personnel who will be operating and maintaining the computer system, and the development of an “in-house” continuing training program.
On-demand incident response and threat analysis support as well as access to subject matter experts.
GLOBAL STRATEGY & GOVERNANCE S.A. [email protected]
Switzerland
29, route de Pré-Bois P.O. Box 348CH-1211 Geneva 3 Switzerland
t : + 41 22 317 9650 f : + 41 22 317 9659
Jordan
56, ShmeisaniPrince Shaker Ben Zaid StreetP.O. Box 21298911121 AmmanJordan
t : + 962 6 565 2462f : + 962 6 567 6016
FUSIONX info@@fusionx.com
United States
RestonArlingtonSeattleKansas City
t : + 1 888 7475 411f : + 41 22 317 9659
