2017 risk outlook: 6 trends to monitor
2017 is shaping up to be a challenging year from an economic and risk perspective, as companies must monitor policy changes from the new Trump administration and understand evolving risks. The new administration will likely introduce several changes that could spur economic growth, but those may take time and may not be permanent. However, the need to address more pervasive risk challenges is more certain, as you must implement strategies to adequately address your threats and opportunities.
The U.S. economy had a fairly strong close in the second half of 2016, fueled primarily by another solid year of growth and employment gains. The probability of a recession due to coming policy changes has declined between 12 and 15 percent since the election, and middle market business sentiment has improved. The tight labor market has resulted in rising wages across the economy, however, and middle market companies are finding it difficult to hire qualified employees, with recruitment and retention becoming increasingly challenging.
The early days of the new administration will likely signal a period of deregulation, which should result in short-term economic growth. We do not forecast a significant amount of growth in 2017, but we do expect growth to increase at a brisk pace in 2018 to 2020 if significant tax cuts are passed.
Generally, the outlook for global growth is not particularly strong, but some areas such as India and South America are promising. Further complicating the international picture is the incoming administration’s potential policy changes with countries such as China and Russia, and their impact on trade and tax regulations.
In addition to an uncertain economic outlook, several risks are coming to the surface that can affect your key business processes. Many of these risks may not necessarily be new to your business, but they are evolving and likely becoming more prominent. The following are six common challenges that your organization should understand in 2017 to help ensure the security of your data and operations:
1. Utilization of cloud service providers
Almost every organization utilizes the cloud to some extent, and usage is increasing as companies seek cost reductions, as well as increased flexibility and scalability. However, along with the benefits of utilizing a cloud service provider, there are also many risks.
For example, many companies do not understand the data flows and storage responsibilities contractually agreed to with a service provider. In addition, you must comply with applicable laws and regulations and should develop an inventory of data for appropriate oversight. Your company must also consider a provider’s ability to recover and resume operations in the event of a disruption and the potential impact of a cybersecurity event.
To help mitigate these risks, you should consider performing a due diligence and third-party selection process review to understand current controls and whether they align with your risk appetite. Contracts should also clearly define expectations and responsibilities, and the third party should undergo ongoing monitoring, especially around cybersecurity controls and security program management. A contingency plan should be developed to transition to a new provider or bring activities in-house if necessary.
2. Third-party access to sensitive information
Many organizations leverage third parties for support across multiple business functions. However, those vendors may not have the appropriate controls to adequately secure sensitive data and information. Inadequate controls can result in several consequences, including damage to your reputation, loss of sensitive data or intellectual property, and litigation and remediation costs.
Therefore, to address third-party risks, request a Service Organization Control (SOC) 2 report, which provides assurance of data security and other key areas. If a SOC 2 report is not available, ensure that your third-party contracts provide audit rights to assess data security and controls, and consider regularly exercising that option as part of your vendor relationship management activities.
3. International operations
As mentioned earlier, international operations will likely face several significant pressures in 2017. As a result of these factors, several risks may emerge, including increased fraud and corruption-related challenges, and increased Securities and Exchange Commission (SEC) and Department of Justice (DOJ) scrutiny. Your organization can also expect increased enforcement of data protection laws by governments and regulators around the world.
You must be prepared to quickly analyze, understand and react to changes to the economic return of foreign operations in response to alterations to trade agreements and tax policies. A business posture that made sense under one tax regime or a previous set of trade policies may not make sense under a new set of rules and may threaten the economic returns that originally supported your international operations.
Your organization can respond to these international risks in several ways, including assessing your Foreign Corrupt Practices Act (FCPA) program to ensure that it is effectively designed and executed to identify and prevent violations. In addition, increase the focus on foreign business units as you perform your annual fraud risk assessment, especially in countries affected by unfolding geopolitical events. Lastly, proactively identify potential contractual or operational adjustments to mitigate the impact of changing regulatory and tax policies. You should have alternative plans to shift suppliers or investment strategies as new policies, and their operational impacts, become clearer.
4. Cybersecurity maturity
Cybersecurity attacks have become a daily part of life, and they can result in disruptions to key operations, damage to your reputation, loss of sensitive data or intellectual property, and litigation and remediation costs.
To address these risks, you should first develop and implement a cybersecurity risk management program if you don’t already have one in place. A strong cybersecurity risk management program should be a layered approach of preventative, detective and corrective controls. An effective framework makes it difficult for external parties to penetrate your network; it also helps identify when they have accessed your systems, helps show the extent of the breach, and allows you to quickly and appropriately respond.
The effectiveness of your cybersecurity risk management program should be regularly assessed and monitored, with appropriate remediation of any identified weaknesses. In addition, you should adjust your program to include new regulatory requirements over cybersecurity as they evolve.
5. Nation-state sponsored hacking
We have seen a surge in nation-state sponsored hacking, targeting U.S. institutions and corporations and moving beyond straightforward theft to include an objective of inflicting mass damage. The level of risk depends on your industry, and the closer you are to critical infrastructure, the higher your risk. These hacking risks are difficult to detect, because traps can be in place with no actual irregular activity occurring and no data leaving your environment for your normal monitoring programs to detect and respond to.
To better manage these risks, your organization must be proactive with vulnerability management and security awareness training. In addition, consider the value of incorporating threat intelligence into your cybersecurity risk management program. Don’t just rely on what you see, but go deeper into what is said and shared within the broader cybersecurity market and look within your own environment for clues of similar challenges.
6. Data privacy regulations
All organizations will face much more complex international regulatory issues, as foreign nations use privacy regulations to control the flow of data to the United States. Unfortunately, this is just the reality of operating in multiple countries, with multiple jurisdictions dictating how you manage data movement between your entities.
To respond to data privacy risks, your organization should begin evaluating compliance with privacy laws for all of your geographic regions, as well as with select individual countries. Evaluate your networks and business processes to determine if you are able to perform necessary operations on data without removing it from the home geography. For example, a hosting provider may be necessary to manage data within a specific region.
Finally, seek out and retain external legal counsel specializing in these laws to help you navigate both the requirements and any adverse actions that may occur on short notice, such as fines or seizure of systems.
Your business is constantly operating in a changing environment, with many factors that affect your business decisions. However, we are now operating in a particularly unstable domestic and international climate, with evolving risks that can directly affect your operations. Focusing on these six key risks in 2017, and implementing preventative measures, can help secure your data and processes, and ultimately support your sustained success and profitability.