
The New Resiliency Stress Test: Culture in Banking

Define Culture & Over-Communicate:

In order for employees to understand a bank’s culture, leadership needs to define the specifics of culture and make it a part of the institutional core values. At our company, we always look for professionals that embody entrepreneurial, dynamic and flexible behaviors, all critical attitudes in managing change and transformation. Every company should define what culture means inside their individual institution.

Innovation Culture is Baseline for Banks: The pandemic has taught us how capable banks are at accelerating digital change, but it also showed how crucial a culture of innovation is for the long-term. A bank’s measure of innovation culture was tested and quantified by how quickly they were able to shift to a virtual economy and how efficiently they were able to deliver stimulus to consumers and business owners amid the pandemic.

The financial services industry has been forced to adapt to the new normal brought on by the coronavirus pandemic. It’s never been more clear that the shift to a digital and virtual world made the case for a strong culture even more critical. Banks and financial institutions will continue to face pressures to accelerate digitization in an environment with more uncertainty ahead, and culture will serve as the barometer for a bank’s perseverance, growth and ultimate success. As we move into further uncharted waters in 2021, culture will remain one of the most important factors that contribute to a bank’s long-term success.

Maria Gendelman, Chief Culture & Experience Officer, ConnectOne Bank

Elizabeth Maggenis, Executive Vice President, Chief Lending Officer

The Future of Software Supply Chain Security: A focus on open source management

Software Supply Chain Security: change is needed

Attacks on the Software Supply Chain (SSC) have increased exponentially, fueled at least in part by the widespread adoption of open source software, as well as organisations’ insufficient knowledge of their software content and resultant limited ability to conduct robust risk management. As a result, the SSC remains an inviting target for would-be attackers. It has become clear that changes in how we collectively secure our supply chains are required to raise the cost, and lower the impact, of attacks on the SSC.

A report by the Atlantic Council identified “115 instances, going back a decade, of publicly reported attacks on the SSC or disclosure of high-impact vulnerabilities likely to be exploited” in cyber-attacks carried out by compromising some aspect of the SSC. The report highlights a number of alarming trends in the security of the SSC, including a rise in the hijacking of software updates, attacks by state actors, and open source compromises.

This article explores the use of open source software – a primary foundation of almost all modern software – because of its growing prominence and, more importantly, its associated security risks. Poorly managed open source software exposes the user to a number of security risks, as it provides affordable vectors to potential attackers, allowing them to launch attacks on a variety of entities – including governments, multinational corporations, the small to medium-sized companies that comprise the global technology supply chain, individual consumers, and every other user of technology.

The risks of open source software for supply chain security

The 2020 Open Source Security and Risk Analysis (OSSRA) report states that “If your organisation builds or simply uses software, you can assume that software will contain open source. Whether you are a member of an IT, development, operations, or security team, if you don’t have policies in place for identifying and patching known issues with the open source components you’re using, you’re not doing your job.”

Open source code now creates the basic infrastructure of most commercial software which supports enterprise systems and networks, thus providing the foundation of almost every software application used across all industries worldwide. Therefore, the need to identify, track and manage open source code components and libraries has risen tremendously.

License identification, patching vulnerabilities and introducing policies addressing outdated open source packages are now all crucial for responsible open source use. However, the use of open source software itself is not the issue. Because many software engineers ‘reuse’ code components when they are creating software (this is in fact a widely acknowledged best practice for software engineering), the risk of those components becoming out of date has grown. It is the use of unpatched and otherwise poorly managed open source software that is really what is putting organizations at risk.

The 2020 OSSRA report also reveals a variety of worrying statistics regarding SSC security. For example, according to the report, it takes organisations an unacceptably long time to mitigate known vulnerabilities, with 2020 being the first year that the Heartbleed vulnerability was not found in any commercial software analyzed for the OSSRA report. This is six years after the first public disclosure of Heartbleed – plenty of time for even the least sophisticated attackers to take advantage of the known and publicly reported vulnerability.

The report also found that 91% of the investigated codebases contained components that were over four years out of date or had no developments made in the last two years, putting these components at a higher risk of vulnerabilities. Additionally, vulnerabilities found in the audited codebases had an average age of almost 4 ½ years, with 19% of vulnerabilities being over 10 years old, and the oldest vulnerability being a whopping 22 years old. Therefore, it is clear that open source users are not adequately defending themselves against open source enabled cyberattacks. This is especially concerning as 99% of the codebases analyzed in the OSSRA report contained open source software, with 75% of these containing at least one vulnerability, and 49% containing high-risk vulnerabilities.

Mitigating open source security risks

In order to mitigate security risks when using open source components, you must know what software you are using, and which exploits affect its vulnerabilities. One way to do this is to obtain a comprehensive bill of materials from your suppliers (also known as a “build list” or a “software bill of materials”, SBOM). Ideally, the SBOM should contain all the open source components, as well as the versions used, the download locations for all projects and dependencies, the libraries which the code calls, and the libraries that those dependencies link to.

Creating and communicating policies

Modern applications contain an abundance of open source components with possible security, code quality and licensing issues. Over time, even the best of these open source components will age (and newly discovered vulnerabilities will be identified in the codebase), which will result in them at best losing intended functionality, and at worst exposing the user to cyber exploitation.

Organizations should ensure their policies address updating, licensing, vulnerability management and the other risks that the use of open source can create. Clear policies for introducing and documenting new open source components improve control over what enters the codebase and whether it complies with those policies.

Prioritizing open source security efforts

Organisations should prioritise open source vulnerability mitigation efforts in relation to CVSS (Common Vulnerability Scoring System) scores and CWE (Common Weakness Enumeration) information, along with information about the availability of exploits, paying careful attention to the full life cycle of the open source component, instead of only focusing on what happens on “day zero.” Patch priorities should also be in line with the business importance of the asset patched, the risk of exploitation and the criticality of the asset. Similarly, organizations must consider using sources outside of the CVSS and CWE information, many of which provide early notification of vulnerabilities, and in particular choosing one that delivers technical details, upgrade and patch guidance, as well as security insights. Lastly, it is important for organisations to monitor for new threats for the entire time their applications remain in service.

Emile Monette, Director of Value Chain Security, Synopsys
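As an added illustration of the SBOM and patch-prioritisation points above (not code from the article or from Synopsys), the script below walks a constructed SBOM to find every component an application actually links, then ranks the known issues in those components by CVSS score, public exploit availability, upstream staleness (the report's "no development in two years" criterion) and the asset's business criticality. The SBOM entries, vulnerability records, placeholder ids, URLs and weights are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2021, 1, 1)  # fixed reference date so the ranking is reproducible

@dataclass
class Component:  # one SBOM entry: what it is, where it came from, what it links to
    name: str
    version: str
    download_url: str
    last_release: date
    depends_on: list = field(default_factory=list)

@dataclass
class Vuln:  # a known issue in a component; ids are placeholders, not real CVEs
    vuln_id: str
    component: str
    cvss: float
    cwe: str
    exploit_public: bool

# Constructed SBOM for a hypothetical "payments-api" application.
SBOM = {c.name: c for c in [
    Component("web-framework", "4.2.0", "https://example.invalid/wf", date(2020, 6, 1), ["tls-lib"]),
    Component("tls-lib", "1.0.1", "https://example.invalid/tls", date(2014, 4, 7), ["compress-lib"]),
    Component("compress-lib", "1.2.8", "https://example.invalid/zz", date(2013, 4, 28)),
    Component("json-lib", "2.9.0", "https://example.invalid/json", date(2020, 12, 1)),
]}
# Constructed vulnerability feed: CVSS score, CWE, whether a public exploit exists.
VULNS = [
    Vuln("VULN-CONSTRUCTED-1", "tls-lib", 7.5, "CWE-125", True),
    Vuln("VULN-CONSTRUCTED-2", "web-framework", 9.8, "CWE-502", False),
    Vuln("VULN-CONSTRUCTED-3", "json-lib", 5.3, "CWE-400", False),
]

def transitive_deps(direct):  # every component reachable from the direct dependencies
    seen, stack = set(), list(direct)
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(SBOM[name].depends_on)
    return seen

def is_stale(comp):  # the report's criterion: no development in the last two years
    return (TODAY - comp.last_release).days > 2 * 365

def prioritise(direct, asset_criticality):  # asset_criticality: 1 (internal) to 3 (internet-facing)
    in_use = transitive_deps(direct)  # only vulns in linked components need scheduling
    ranked = []
    for v in VULNS:
        if v.component not in in_use:
            continue  # not linked into this asset, so nothing to patch here
        score = v.cvss * asset_criticality
        if v.exploit_public:
            score *= 1.5  # a public exploit raises urgency beyond the CVSS base
        if is_stale(SBOM[v.component]):
            score += 2.0  # abandoned upstream: no easy upgrade, plan a replacement
        ranked.append((score, v.vuln_id, v.component, v.cwe))
    return sorted(ranked, reverse=True)  # highest priority first
```

Running `prioritise(["web-framework"], 3)` puts the exploited, abandoned TLS component ahead of the higher-CVSS framework issue, and the json-lib issue is never scheduled because the SBOM shows the application does not link it.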

1. “Breaking Trust Archives.” Atlantic Council, www.atlanticcouncil.org/breaking-trust/.

2. “[Analyst Report] 2020 Open Source Security & Risk Analysis (OSSRA).” Synopsys, www.synopsys.com/software-integrity/resources/analyst-reports/2020-open-source-security-riskanalysis.html?cmp=pr-sig.

3. “[Analyst Report] 2020 Open Source Security & Risk Analysis (OSSRA).” Synopsys, www.synopsys.com/software-integrity/resources/analyst-reports/2020-open-source-security-riskanalysis.html?cmp=pr-sig.

4. Synopsys, Inc., www.synopsys.com/; “The Heartbleed Bug.” Heartbleed Bug, heartbleed.com/.

Why investing should be treated like healthcare

For many people, the process of investing can seem opaque and impenetrable, and filled with jargon.

They can see the potential benefits, but they can also see the Financial Conduct Authority (FCA) risk warnings.

Despite - or perhaps because of - this, the long-term trend suggests that more individuals are open to investing. One set of statistics suggests the percentage of individuals investing in stocks and shares in the UK grew nearly three per cent between 2010 and 2018.

Here are four steps for sensible investing:

Figure out why you invest, ahead of everything else

The key here is knowing what the overall goal is.

It is a constant source of amazement that when it comes to investing, few people stop to consider why they are actually doing it. Whether they have £100 or £100,000, many do not think about how their approach should be dictated by their overall goals.

For instance, someone looking to buy a house in the next 12 to 24 months should not be looking to dive into the world of bonds and equities, because they have a short-term target which requires reasonably fast access to cash. Tying their resources up in different funds and stocks will not only limit how quickly they can get their hands on their money when it comes to putting down a deposit, but they will not see the return that they would expect, due to the short-term price fluctuation of these assets. They would be better using a Cash ISA and enjoying the tax-free allowance.

On the other hand, if they have spare cash lying around that they won’t need for the next 3-5 years or longer, or they want to get a head start on earning their retirement or long-term financial freedom, investing into financial markets is the way to generate compound return. That will give them a chance to beat inflation and, in all likelihood, it will give them a higher return than real estate would.

It is like any big project – determining the overall goal informs the strategy, which dictates the tactics. In the world of investment, this means management. Yet even deciding what goals they are working towards can be challenging for some people – they might have overinflated ideas or be too conservative.

This is where independent, objective, and knowledgeable financial planning comes in. By giving an individual’s finances a thorough check-up – much like visiting a GP – a qualified and experienced financial planner can consider circumstances, wishes and constraints. Only when this has been completed can they assess how feasible a client’s goals are, and the client can start considering how they should invest.

It needs to be a bespoke diagnostic and prescription process, in much the same way that a trip to the doctor requires the practitioner to have an understanding of any contributing factors and your medical history.

Seek professional help

If you were going to buy a property, you would look for a capable and qualified property lawyer instead of reading legal textbooks and undertaking training. The same logic applies to other professional advice, such as accounting, medical treatment and tax. Strangely, though, when it comes to investing, many people attempt to teach themselves.

While this approach is to be applauded, and there is certainly a huge amount of information readily available within a couple of clicks, the intricacies and vagaries of asset classes and funds, opposing investment styles, individual savings accounts and a hundred and one other terms can be overwhelming.

Forging ahead without professional guidance is a bit like having a pain in your hand and deciding to do a bit of exploratory surgery based on watching medical documentaries – there is only a slim possibility everything will turn out fine. This is why 99% of people have lost money by DIY-ing their own investments. It is a risky learning curve that, frankly, is better outsourced. Learning how to find a good investment provider can be a more efficient and less risky use of your time.

Do not trade

In the report quoted above, there is an alarming line: “Investors are now holding onto their shares for 0.8 years on average before selling them. In 1980, the average was 9.7 years, representing a decline of 91.75%.” The proliferation of trading apps brings convenience and lowers barriers, helping people to access financial products, but the user friendliness of the technology often encourages over engagement at a real financial cost.

On an individual basis, each time you buy and sell any financial product (not just shares, but funds too) you lose a tiny slice of your capital, even if you can trade for free - this is due to the “spread” which, put simply, is the price difference between purchase price and sale price. As you trade, this quickly adds up and eats into your principal, which you need to earn back before seeing any profit. This is a direct cost, in addition to the time you invest checking the share price several times a day, the sleep you lose during volatile days, and the potential for developing an addiction, which is a common result of trading. Take a look at your work pension investment report if you have any - there is a reason why professional investors don’t buy and sell frequently. On a collective basis, crowd trading behaviour drives more “boom and bust” cycles in financial markets, which has happened many times before and will continue to happen in the future. It is a more pronounced characteristic of less developed financial markets, where there are fewer professional/institutional investors to stabilise the market for everyone’s benefit.

Diversify globally, meaningfully

Sensible investing requires a skillset that is the opposite of most professional careers or entrepreneurship. In the latter, one strives to become an expert in a chosen arena in order to command the highest possible pay or profit margin. A wise investor, meanwhile, needs to be a generalist rather than a specialist, and investing is about hedging all possible risks before seeking a return. One of the biggest principles to reduce risk is to diversify on various levels:

Your holding currency - for example, GBP has lost more than 15% in value against USD compared to the pre-Brexit high of five years ago, so it is a bad idea to hold all your assets in GBP only.

Your country/geography exposure - for example, you can buy GBP-priced US assets, or USD-priced US assets such as an S&P 500 tracker, to have a slice of US economic growth. We strongly encourage people to consider a globally diversified portfolio, because different economies go through business cycles and are at different stages at any given point in time. With a globally diversified portfolio, you can always benefit from the growth of some country, somewhere, at any given point in time.

Asset classes - if all your money is in London real estate, for example, you are likely to have felt some value depreciation since 2014. You take a risk if you tie your financial future to a single city’s economic cycle and its potential rise and fall.

Industry allocation - as a former banker I never bought banking stocks or bonds, simply because my job and salary were already tied to the UK banking sector, and owning a piece of banks is like doubling down in a casino - not wise for risk mitigation. This is an often overlooked risk - people like to invest into companies and sectors they know well, typically from professional exposure and “inside knowledge” but this leads to blind spots and concentration risk. Investing should be part of one’s long term financial strategy hence there is no one size fits all recommendation that I could give here. A simple step by step guide is:

1. Save a good portion of your monthly income, that allows you to enjoy your current life but also prepare for the future

2. Shortlist 3 financial planners (include Rosecut as one option) and pick one that you feel you can trust and who is cost effective to lay out your big picture and future plan

3. Invest regularly into a globally diversified, professionally managed portfolio that fits with your future goal and then make minimal changes. Ideally you should only even consider changing on an annual basis

4. Learn from this loop, iterate and optimise, ask many questions along the way!

Qiaojia Li, Co-Founder and CEO at the award-winning wealthtech company Rosecut

Rosecut is a financial planning partner and investment manager, giving access to the knowledge you need to plan for the future you want.

Banking’s Next Technological Challenge: Innovation, Not Competition

Well before COVID-19 shook up business practices and upended personal lives, the banking industry was heavily focused on digital transformation and digital disruption. Experts warned that banks should prepare for everything from startups providing 24x7 services to fintechs and pure technology companies disrupting the financial services market. Without this preparation, how could these firms compete with other banks?

Now, catalyzed by the global pandemic, banks need to refocus. Concerns about digital disruption and non-traditional competition are no longer the priority. Future success will be determined by how well banks innovate and stay ahead of the technological curve.

At the recent SIBOS conference, there was a lot of talk about the need to embrace innovation. The importance of the cloud for financial services companies who want to innovate using intelligent technologies such as machine learning, artificial intelligence, and blockchain was highlighted.

And bank leaders are beginning to take note. A recent SAP & Oxford Economics research study found that 83% of leaders are prioritizing innovating on existing products and services. But banks must also look ahead, brainstorming and adopting visionary methods to apply the technology.

Brainstorm problem-solving possibilities

For example, how can intelligent technologies help banks break down long-established internal silos? We see many examples where a customer is trying to communicate with a bank about some need or problem. Perhaps the customer tries the chat feature but doesn’t get a helpful answer. Maybe there are multiple interactions with a call center agent, or it takes an entire lunch break to resolve a simple problem. Could AI technology be used to monitor these negative customer interactions and identify where service is subpar? What if AI provided real-time information to the bank agent, guiding the agent to a quicker resolution for the customer? Not only would banks have happier customers, but they could lower wait times and improve the efficiency of the call center. With seamless connectivity and end-to-end process integration, the bank could reduce the friction experienced by customers.

But that’s just the beginning. Banks are becoming digital platforms. They will have the ability to offer non-banking services alongside their banking services. Their cloud-based, open platform will allow them to easily plug in any third-party services. Given that, what if next-level technology and a commitment to innovation could make customers’ lives better?