Targeted intrusions against financial institutions increased 109% year-over-year in 2024. Nearly all major US banks (97%) experienced third-party breaches. AI-powered cyberattacks surged 300% between 2021 and 2024. And ransomware activity is increasingly shifting toward emerging markets in South Asia and Latin America.

These are not hypothetical scenarios. They are the operating reality for every US-based financial institution with exposure to emerging markets.

The IMF’s April 2024 Global Financial Stability Report devoted an entire chapter to cyber risk, concluding that the financial sector is uniquely exposed and that cybersecurity policy frameworks in emerging market and developing economies remain generally inadequate.

For US banks, fintechs, development finance institutions (DFIs), and asset managers with operations, correspondents, or investments in Africa, Southeast Asia, and Latin America, the cyber risk equation is fundamentally different from domestic operations.

The threat actors are the same, but the defenses are weaker, the regulatory landscape is fragmented, the talent pool is thinner, the infrastructure is less resilient, and the third-party ecosystem carries concentrated risk.

This guide provides a structured cyber risk assessment framework tailored to these conditions. For the broader enterprise risk management context, see our guide to enterprise risk management.

The Emerging Market Financial Services Threat Landscape

The convergence of rapid digitization and immature cyber defenses creates a specific risk profile in emerging market financial services that US institutions must understand before they can manage it.

Scale of the Problem

Cyberattacks in emerging markets are growing at an estimated 21% annually. Latin America experienced a 45% increase in fintech-related cybercrime in 2023 alone. Cybersecurity spending in Africa accounts for only 0.2% of GDP, compared to 0.9% in OECD countries.

The average cost of a data breach globally reached $4.88 million in 2023-2024, but the indirect costs in emerging markets (regulatory fines, operational disruption, reputational damage) can be disproportionately higher because of weaker recovery infrastructure.

35% of all DDoS attacks globally target the financial services sector. The US accounts for 60% of ransomware attacks on financial institutions, but threat actors are expanding into South Asia and Latin America where defenses are less mature and ransom payments more likely.

A single day’s disruption in payments by a major bank could affect 38% of network banks globally, according to Federal Reserve Bank of New York research.

Emerging Market-Specific Threat Vectors

| Threat Vector | Emerging Market Context | Impact on US Institution |
| --- | --- | --- |
| Mobile Money / Digital Payments Fraud | Mobile money platforms (M-Pesa, GCash, PIX) process billions in transactions with varying security maturity. SIM-swap fraud, USSD interception, and agent-network compromise are endemic. | US fintech partners, correspondents, or investees processing through mobile rails carry fraud exposure that does not exist in US domestic operations. |
| Insider Threats | Lower salaries, weaker background screening, limited DLP tooling, and high employee turnover create elevated insider threat risk in local operations. | Insiders at local subsidiaries or third parties can exfiltrate data, credentials, or customer information that exposes the US parent. |
| Third-Party / Supply Chain Compromise | Local IT vendors, system integrators, and managed service providers may lack basic security controls. A 2023 cloud provider ransomware attack caused simultaneous outages at 60 US credit unions. | Third-party breaches in emerging market operations create direct exposure for the US institution’s network, data, and regulatory standing. |
| State-Sponsored / Geopolitical Targeting | Financial institutions in politically sensitive regions face targeting by state-sponsored actors for intelligence collection, sanctions evasion, or destabilization. | US institutions with correspondent or investment relationships in sanctioned or near-sanctioned jurisdictions face elevated nation-state threat exposure. |
| Infrastructure-Dependent Attacks | Unreliable power, telecommunications, and internet connectivity create windows of vulnerability during outages. Backup systems may be inadequate. | Infrastructure failures can disable security monitoring, logging, and incident response capabilities in local operations during active attacks. |
| Social Engineering (AI-Enhanced) | Language-specific phishing campaigns using AI-generated voice (ElevenLabs) and text (FraudGPT) are increasingly targeting financial services staff in local languages. 68% of attacks originate from email. | 45% of employees at large financial institutions are susceptible to phishing. Local staff with less security awareness training are more vulnerable. |

For the NIST CSF-aligned KRI framework that underpins cyber risk measurement, see our detailed post on NIST Cybersecurity Framework Key Risk Indicators: 40+ Examples Mapped to CSF 2.0.

Regulatory Landscape: A Fragmented Compliance Map

US financial institutions operating in emerging markets face a multi-layered regulatory environment. US regulations apply extraterritorially, while local regulations create additional obligations that vary by country and are changing rapidly.

US Regulatory Requirements (Apply Everywhere)

| Regulation / Standard | Key Cyber Requirements | Emerging Market Implication |
| --- | --- | --- |
| OCC / FFIEC Guidance | Information security program, vendor management, incident reporting, business continuity. Heightened Standards for large banks. | Applies to all operations including overseas branches and subsidiaries. OCC expects the same control standards globally. |
| NYDFS 23 NYCRR 500 (2023 Amendment) | CISO appointment, risk assessments, penetration testing, MFA, encryption, 72-hour incident reporting, third-party security policies. | Applies to all DFS-regulated entities globally. Third-party security policy must extend to emerging market vendors. |
| SEC Cybersecurity Disclosure Rules (2023) | Material incident disclosure within 4 business days. Annual risk management and governance disclosure. | An incident at an emerging market subsidiary that is material to the parent triggers SEC disclosure obligations. |
| OFAC Sanctions / BSA-AML | Sanctions screening, AML compliance, suspicious activity reporting. Cyber-enabled financial crime creates dual compliance exposure. | Correspondent banking and fintech partnerships in high-risk jurisdictions require integrated cyber-AML monitoring. |
| NIST CSF 2.0 | Six functions: Govern, Identify, Protect, Detect, Respond, Recover. Voluntary but widely adopted as de facto standard. | Provides the most practical framework for assessing and benchmarking cyber posture across multi-jurisdictional operations. |

Emerging Market Data Protection and Cybersecurity Regulations

| Region | Country | Key Regulation | Critical Requirement |
| --- | --- | --- | --- |
| Africa | Kenya | Data Protection Act 2019; CBK Cybersecurity Guidelines | Data localization requirements. 72-hour breach notification. Annual cyber risk assessments for banks. |
| Africa | Nigeria | NDPR 2019; CBN Risk-Based Cybersecurity Framework | CBN mandates annual penetration testing, SOC capability, and incident reporting for all financial institutions. |
| Africa | South Africa | POPIA; SARB Cyber Resilience Guidance | POPIA imposes GDPR-level obligations. SARB expects NIST-equivalent cyber maturity for banks. |
| SE Asia | Indonesia | PDP Law 2022; OJK Regulation on IT Risk Management | Data localization for financial services. OJK requires cyber resilience testing and third-party oversight. |
| SE Asia | Philippines | Data Privacy Act 2012; BSP Circular 808 | BSP mandates cyber risk management framework, vulnerability assessments, and incident response. |
| SE Asia | Vietnam | Cybersecurity Law 2018; Decree 13/2023 | Data localization for certain categories. Cross-border transfer restrictions affecting cloud operations. |
| LatAm | Brazil | LGPD; BCB Resolution 4893; PIX Security Rules | LGPD imposes GDPR-equivalent obligations. BCB requires detailed cybersecurity policies and incident reporting for all regulated entities. |
| LatAm | Mexico | LFPDPPP; CNBV Cybersecurity Guidelines | CNBV mandates cyber risk assessments, incident response plans, and information security governance for financial institutions. |
| LatAm | Colombia | Data Protection Law 1581; SFC Circular 007/2018 | SFC requires annual cybersecurity self-assessments and reporting for supervised entities. |

The practical implication: US institutions must maintain compliance with US regulations across all emerging market operations while simultaneously meeting local requirements that may conflict (e.g., data localization vs. centralized security monitoring). For the foundational risk assessment methodology, see our complete guide to the risk assessment process.

The Cyber Risk Assessment Framework for Emerging Market Financial Operations

The following framework adapts NIST CSF 2.0’s six functions (Govern, Identify, Protect, Detect, Respond, Recover) to the specific conditions of emerging market financial services.

It is designed to be used by US-based CISO teams, risk management functions, and compliance officers responsible for international operations. For the ISO 31000 risk assessment process that provides the underlying methodology, see our article on ISO 31000: getting started with risk management.

Phase 1: Govern – Establish Emerging Market Cyber Governance

NIST CSF 2.0 introduced the Govern function to emphasize that cybersecurity risk management must be embedded in organizational governance. For emerging market operations, this means:

  • Board-level visibility: Emerging market cyber risk should be reported to the board risk committee as a distinct risk category, not buried within aggregate enterprise cyber risk. The SEC’s 2023 disclosure rules make this operationally necessary.
  • Risk appetite for emerging markets: Define explicit cyber risk appetite statements for each emerging market jurisdiction. The risk appetite for a subsidiary in Lagos operating on local infrastructure is necessarily different from a London trading desk.
  • CISO authority across jurisdictions: Ensure the US CISO has authority and visibility into security operations at all emerging market subsidiaries, branches, and significant third-party relationships. Matrix reporting structures that leave local IT reporting only to local management create blind spots.
  • Regulatory compliance mapping: Maintain a current mapping of US regulatory requirements (OCC, NYDFS, SEC) and local regulatory requirements for each jurisdiction, with gap analysis updated at least semi-annually.

Phase 2: Identify – Map the Emerging Market Attack Surface

The attack surface in emerging markets is wider and less well-documented than in domestic operations. The Identify phase must catalogue:

  • Asset inventory: All IT assets in emerging market operations, including locally provisioned infrastructure, employee devices, cloud services contracted locally, and shadow IT. In markets with limited IT governance, shadow IT proliferation is a significant risk.
  • Data classification: Map all data types processed, stored, and transmitted in each jurisdiction: customer PII, financial transaction data, KYC/AML records, employee data. Overlay data localization requirements from local regulations.
  • Third-party ecosystem: Identify all third parties with access to the institution’s systems, data, or facilities in each market: IT vendors, payment processors, mobile money aggregators, KYC providers, cloud services, security service providers.
  • Connectivity architecture: Map all network connections between emerging market operations and the US parent: VPNs, SWIFT connections, API integrations, cloud links, remote access pathways. Each connection is a potential propagation path for an attack.
  • Critical business services: Identify the financial services that, if disrupted, would cause the greatest customer harm, regulatory consequence, or financial loss. In many emerging markets, real-time payment systems (M-Pesa, PIX, GCash) have no offline fallback.

Phase 3: Protect – Implement Baseline Controls Calibrated to Context

Protection controls must account for the operating constraints of emerging markets: infrastructure limitations, talent scarcity, vendor maturity, and regulatory requirements.

| Control Domain | US Standard Expectation | Emerging Market Adaptation |
| --- | --- | --- |
| Identity and Access Management | MFA for all privileged and remote access. SSO integration. PAM for elevated privileges. | MFA may require SMS fallback where authenticator apps are impractical. Hardware tokens for privileged access where mobile infrastructure is unreliable. Stricter access review cycles (monthly vs. quarterly) to account for higher staff turnover. |
| Data Protection | Encryption at rest and in transit. DLP. Classification-based access controls. | Data localization requirements may prevent centralized storage. Deploy local encryption gateways. DLP must cover local messaging platforms (WhatsApp, WeChat) used for business communication. |
| Endpoint Security | EDR on all endpoints. Managed patching. Device compliance checking. | Bandwidth constraints may delay signature updates. Consider lightweight agents. Enforce USB device controls rigorously; removable media remains a primary infection vector in markets with limited internet. |
| Network Security | Network segmentation. Zero trust architecture. IDS/IPS. | Segment emerging market networks from the US parent with DMZ architecture. Monitor all cross-border traffic. Deploy local firewall management where latency to centralized management is excessive. |
| Security Awareness | Annual training. Phishing simulations. Role-based training. | Training must be in local languages, culturally adapted, and delivered at higher frequency (quarterly minimum). Phishing simulations should use locally relevant lures (local banks, mobile money providers, government agencies). |
| Backup and Recovery | 3-2-1 backup strategy. Tested recovery. Offsite/cloud backup. | Data localization may restrict offsite backup locations. Test recovery procedures against local infrastructure failures (extended power outage, internet disruption). Maintain local backup capability that operates independently of US systems. |

Phase 4: Detect – Build Monitoring Capability Across Time Zones

Detection capability in emerging markets must address the reality that most local operations do not have 24/7 SOC coverage and may not have the staffing for real-time alert triage.

  • Centralized SIEM with local log collection: Forward logs from emerging market operations to the US/global SOC. Address bandwidth constraints with edge log aggregation and compression. Ensure log retention meets both US (NYDFS requires 5 years) and local regulatory requirements.
  • Detection rules for emerging market threats: Tune detection rules for locally relevant attack patterns: mobile money fraud indicators, SIM-swap activity, local phishing campaigns, insider access anomalies. Standard US-focused detection rulesets will miss regionally specific threats.
  • Threat intelligence integration: Subscribe to regional threat intelligence feeds (FS-ISAC, Africa CERT community, APNIC, regional CSIRTs). Generic US threat intelligence feeds underrepresent emerging market threat actors and campaigns.
  • Managed detection for smaller operations: Where local staffing does not support dedicated security operations, contract managed detection and response (MDR) services. Evaluate MDR providers for regional coverage and local language capability.
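
One way to express a regionally tuned rule of the kind described above, as an added example that is not part of the original guide: it correlates SIM-swap events with later mobile-money transfers and alerts when at least two risk signals coincide. The event schema, the 24-hour window, the value threshold and the sample events are all assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed look-back period after a SIM swap
HIGH_VALUE = 50_000            # assumed threshold, in local currency units

# Constructed sample events (not real data), deliberately out of order to
# mimic delayed delivery from edge collectors on unreliable links.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T08:25:00+00:00", "type": "transfer", "msisdn": "254700000001", "amount": 95000, "payee": "254711111111"}
{"ts": "2024-04-30T12:00:00+00:00", "type": "transfer", "msisdn": "254700000001", "amount": 1200, "payee": "254722222222"}
{"ts": "2024-05-01T08:00:00+00:00", "type": "sim_swap", "msisdn": "254700000001"}
{"ts": "2024-05-01T08:20:00+00:00", "type": "pin_reset", "msisdn": "254700000001"}
{"ts": "2024-04-29T09:00:00+00:00", "type": "transfer", "msisdn": "254700000002", "amount": 1500, "payee": "254733333333"}
{"ts": "2024-05-01T09:00:00+00:00", "type": "sim_swap", "msisdn": "254700000002"}
{"ts": "2024-05-01T10:00:00+00:00", "type": "transfer", "msisdn": "254700000002", "amount": 1500, "payee": "254733333333"}
{"ts": "2024-04-28T09:00:00+00:00", "type": "sim_swap", "msisdn": "254700000003"}
{"ts": "2024-05-01T11:00:00+00:00", "type": "transfer", "msisdn": "254700000003", "amount": 80000, "payee": "254744444444"}
"""


def parse_events(text):
    """Parse JSON-lines events and order them by event time, not arrival time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_post_swap_fraud(events):
    """Alert on transfers shortly after a SIM swap that show two or more signals."""
    state = {}   # msisdn -> last swap time, PIN-reset flag, known payees
    alerts = []
    for ev in events:
        st = state.setdefault(
            ev["msisdn"], {"swap": None, "pin_reset": False, "payees": set()})
        in_window = st["swap"] is not None and ev["ts"] - st["swap"] <= WINDOW
        if ev["type"] == "sim_swap":
            st["swap"], st["pin_reset"] = ev["ts"], False
        elif ev["type"] == "pin_reset":
            st["pin_reset"] = in_window
        elif ev["type"] == "transfer":
            reasons = []
            if in_window:
                if st["pin_reset"]:
                    reasons.append("pin_reset_after_swap")
                if ev["payee"] not in st["payees"]:
                    reasons.append("new_payee")
                if ev["amount"] >= HIGH_VALUE:
                    reasons.append("high_value")
            if len(reasons) >= 2:
                alerts.append({
                    "msisdn": ev["msisdn"],
                    "ts": ev["ts"].isoformat(),
                    "amount": ev["amount"],
                    "payee": ev["payee"],
                    "minutes_since_swap": int(
                        (ev["ts"] - st["swap"]).total_seconds() // 60),
                    "reasons": reasons,
                })
            else:
                # Only unalerted transfers extend the known-payee baseline.
                st["payees"].add(ev["payee"])
    return alerts


if __name__ == "__main__":
    for alert in detect_post_swap_fraud(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Requiring two signals keeps a routine handset replacement followed by a small payment to a known payee from alerting, which matters where local teams have limited triage capacity.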

Phase 5: Respond – Incident Response Across Borders

Cross-border incident response adds complexity in jurisdictional coordination, regulatory notification, and evidence preservation.

  • Multi-jurisdiction incident response plan: Maintain an IR plan that addresses the specific regulatory notification requirements for each emerging market jurisdiction. A 72-hour notification deadline in Kenya has different operational implications than a 36-hour requirement in the Philippines.
  • Evidence preservation across legal systems: Digital forensic evidence collection must account for local legal requirements for evidence admissibility. Engage local legal counsel in the IR planning process, not during an active incident.
  • Communication protocols: Establish communication channels that do not depend solely on the compromised infrastructure: satellite phones, out-of-band communication platforms, and pre-established contact lists for local regulators, law enforcement, and legal counsel.
  • US regulatory notification coordination: An incident at an emerging market subsidiary may trigger US reporting obligations (SEC 4-day materiality disclosure, OCC notification, NYDFS 72-hour notification) simultaneously with local obligations. The IR plan must coordinate these timelines.

Phase 6: Recover – Resilience in Low-Infrastructure Environments

Recovery in emerging markets must account for infrastructure constraints that US institutions take for granted.

  • Recovery time objectives calibrated to local conditions: If restoring from cloud backup requires internet bandwidth that is unreliable or throttled during a crisis, the RTO must reflect this reality. Test recovery procedures under degraded-infrastructure conditions.
  • Manual fallback procedures: Maintain documented manual procedures for critical financial services (payment processing, customer account access, regulatory reporting) that can operate without IT systems for extended periods.
  • Independent local recovery capability: Ensure that local operations can recover critical services without depending on connectivity to the US parent. A major incident at the US parent should not disable the local subsidiary, and vice versa.

For NIST-aligned cybersecurity KRI examples with detailed threshold guidance, see our comprehensive post on NIST cybersecurity key risk indicators examples.

Third-Party Cyber Risk in Emerging Markets: The Critical Exposure

97% of major US banks experienced third-party breaches in 2024. In emerging markets, third-party cyber risk is amplified because the vendor ecosystem operates at lower security maturity, due diligence is harder to conduct, and contractual enforcement is weaker.

Third-Party Cyber Risk Assessment Framework

| Risk Tier | Third-Party Type | Assessment Method | Ongoing Monitoring |
| --- | --- | --- | --- |
| Critical | Core banking, payment processing, cloud infrastructure, SWIFT service bureau, mobile money aggregator | Full on-site assessment. SOC 2 Type II or equivalent. Penetration test results. Architecture review. Business continuity testing. | Continuous security rating monitoring. Quarterly control attestation. Annual on-site reassessment. Contractual right to audit. |
| High | KYC/AML provider, data analytics, managed IT services, cybersecurity tools, card processing | Detailed security questionnaire. SOC 2 or ISO 27001 certification. Evidence of penetration testing. Reference checks. | Security rating monitoring. Annual security questionnaire refresh. Incident notification requirements. |
| Moderate | Office IT, telecom, HR systems, non-production SaaS, consulting | Standard security questionnaire. Verification of basic controls (MFA, encryption, patching). | Annual questionnaire. Incident notification. Periodic rating checks. |
| Low | Office supplies, non-IT services, facilities (no data access) | Minimal: confirm no data access or system connectivity. | Contract-based. Reassess if scope changes. |

The practical challenge in emerging markets is that many local vendors cannot produce SOC 2 reports, maintain ISO 27001 certification, or afford independent penetration testing.

The assessment framework must adapt: accept alternative evidence (e.g., a detailed controls walkthrough conducted by the institution’s own security team), require compensating controls (e.g., network segmentation limiting vendor access), and plan for vendor upgrade paths where the relationship is strategic.

For the enterprise risk management framework for third-party risk, see our article on the COSO framework and how it is used.

Cyber Risk KRI Dashboard for Emerging Market Financial Operations

A dedicated KRI dashboard for emerging market cyber operations provides the CISO and board with visibility into the risk dimensions that matter most in these environments.

| KRI | Data Source | Green | Amber | Red |
| --- | --- | --- | --- | --- |
| Mean time to detect (MTTD) – emerging market operations | SIEM / SOC | < 24 hours | 24-72 hours | > 72 hours |
| Critical vulnerability patch compliance (emerging market endpoints) | Vulnerability scanner | > 90% within 14 days | 75-90% | < 75% |
| MFA adoption rate (local staff) | IAM platform | > 95% | 85-95% | < 85% |
| Third-party security assessment completion (Critical / High tier) | Vendor risk management | 100% current | 80-99% | < 80% |
| Phishing simulation click rate (local staff) | Security awareness platform | < 10% | 10-25% | > 25% |
| Regulatory compliance gaps (unresolved findings) | Compliance tracking | 0 critical | 1-3 critical | > 3 critical |
| Security incident volume (emerging market operations) | SIEM / incident tracking | Stable/declining trend | 10-25% increase QoQ | > 25% increase QoQ |
| Privileged access review completion | IAM / PAM | 100% monthly | 80-99% | < 80% |
| DR/BCP test completion (emerging market sites) | BCP program | Annual test completed | Test overdue < 6 months | Test overdue > 6 months |
| Data exfiltration alerts | DLP / network monitoring | 0 confirmed | Anomalies under investigation | Confirmed exfiltration |

For the complete 40+ KRI library mapped to all six NIST CSF 2.0 functions, see our dedicated post on NIST CSF key risk indicators with Green/Amber/Red thresholds.

90-Day Implementation Roadmap

Days 1-30: Discovery and Baseline

  • Inventory all emerging market financial operations, including subsidiaries, branches, correspondent relationships, and fintech partnerships.
  • Conduct attack surface mapping: asset inventory, data flows, third-party connections, network architecture.
  • Map regulatory requirements for each jurisdiction (US + local) and identify gaps in current compliance posture.
  • Baseline current cyber maturity using NIST CSF 2.0 self-assessment for each emerging market operation.
  • Engage local legal counsel, regulatory advisors, and regional threat intelligence providers.

Days 31-60: Framework Implementation

  • Deploy or extend SIEM log collection to all emerging market operations with appropriate bandwidth management.
  • Implement MFA for all privileged and remote access at emerging market locations.
  • Launch third-party cyber risk assessment program for all Critical and High-tier vendors in emerging markets.
  • Develop multi-jurisdiction incident response plan with local regulatory notification timelines.
  • Initiate locally adapted security awareness training program in local languages.

Days 61-90: Operationalize and Test

  • Build and deploy the emerging market cyber KRI dashboard with automated data feeds.
  • Conduct tabletop incident response exercise simulating a ransomware attack at the highest-risk emerging market operation.
  • Complete first cycle of third-party security assessments for all Critical-tier vendors.
  • Present emerging market cyber risk posture, KRI dashboard, and remediation roadmap to the board risk committee.
  • Establish quarterly reporting cadence for emerging market cyber risk to CISO and board.

Frequently Asked Questions

How does NIST CSF 2.0 apply to emerging market operations?

NIST CSF 2.0 is voluntary but widely adopted by US financial institutions as the primary cyber risk framework. It applies to all operations regardless of location.

The six functions (Govern, Identify, Protect, Detect, Respond, Recover) provide a universal structure for assessing and managing cyber risk.

The adaptation required for emerging markets is not to the framework itself but to how each function is implemented, the control expectations for each domain, and the KRI thresholds that reflect local operating conditions.

What is the biggest cyber risk for US banks in Africa?

Third-party and mobile money ecosystem risk. African financial services have leapfrogged traditional banking with mobile money platforms that process billions in transactions.

US institutions with correspondent, investment, or partnership exposure to these ecosystems face risk from the entire chain: mobile network operators, mobile money agents, payment aggregators, and KYC providers.

The security maturity of this chain is highly variable, and a compromise at any point can expose the US institution to fraud loss, data breach, and regulatory action.

How do data localization requirements affect centralized security monitoring?

Data localization laws in countries like Kenya, Nigeria, Indonesia, Vietnam, and Brazil can restrict the transfer of certain data categories (particularly customer PII) to overseas locations. This creates a tension with centralized security monitoring, which depends on aggregating logs and security telemetry at a central SOC.

The solution is typically to deploy local log aggregation and filtering that strips or pseudonymizes PII before forwarding security-relevant data to the central SOC. The specific approach must be validated with local legal counsel in each jurisdiction.
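
A sketch of such a local filter, added here as an example and not taken from the original guide; it also covers the edge aggregation and compression mentioned under Phase 4. Identifiers become keyed HMAC tokens so the central SOC can still correlate events, unlisted fields are dropped, and the batch is gzip-compressed before forwarding. The field names, the policy sets, the demo keys and the sample log lines are assumptions constructed for illustration.

```python
import gzip
import hashlib
import hmac
import json
import re

# Assumed field policy. Real lists come from the data classification exercise
# and local counsel. Whether src_ip is personal data varies by jurisdiction.
FORWARD_AS_IS = {"ts", "event", "src_ip"}
PSEUDONYMIZE = {"customer_id", "account", "msisdn"}   # keyed tokens, still joinable
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
LONG_DIGITS_RE = re.compile(r"\b\d{9,16}\b")          # phone or account-like runs

# Constructed demo keys: one secret per jurisdiction, held locally in practice.
KEY_KE = b"constructed-demo-key-kenya"
KEY_ID = b"constructed-demo-key-indonesia"

# Constructed sample log lines (not real data).
SAMPLE_LINES = [
    '{"ts": "2024-05-01T08:25:00Z", "event": "login_failed", "src_ip": "203.0.113.7",'
    ' "customer_id": "C-88231", "customer_name": "Jane Doe", "account": "0012345678",'
    ' "message": "OTP sent to 254700000001 and jane.doe@example.com"}',
    '{"ts": "2024-05-01T08:26:10Z", "event": "login_ok", "src_ip": "203.0.113.7",'
    ' "customer_id": "C-88231", "customer_name": "Jane Doe", "account": "0012345678",'
    ' "message": "session opened"}',
    '{"ts": "2024-05-01T08:30:00Z", "event": "login_failed", "src_ip": "198.51.100.23",'
    ' "customer_id": "C-10417", "customer_name": "John Roe", "account": "0099887766",'
    ' "message": "bad PIN"}',
]


def token(key, field, value):
    """Deterministic keyed pseudonym: the same input maps to the same token."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
    return "psn_" + mac.hexdigest()[:20]


def scrub_record(key, record):
    """Keep allowlisted fields, tokenize identifiers, mask free text, drop the rest."""
    out = {}
    for name, value in record.items():
        if name in FORWARD_AS_IS:
            out[name] = value
        elif name in PSEUDONYMIZE:
            out[name] = token(key, name, str(value))
        elif name == "message":
            text = EMAIL_RE.sub("<email>", str(value))
            out[name] = LONG_DIGITS_RE.sub("<digits>", text)
        # Any other field (names, national IDs, unknown fields) is dropped.
    return out


def build_batch(key, raw_lines):
    """Scrub a batch of JSON log lines and gzip it for a bandwidth-limited link."""
    scrubbed = [scrub_record(key, json.loads(line))
                for line in raw_lines if line.strip()]
    payload = "\n".join(json.dumps(rec, sort_keys=True) for rec in scrubbed)
    return gzip.compress(payload.encode()), scrubbed


if __name__ == "__main__":
    blob, records = build_batch(KEY_KE, SAMPLE_LINES)
    print(len(blob), "bytes to forward")
    for rec in records:
        print(rec)
```

Because the tokens are keyed, anyone holding the key can recompute them from a known identifier, so the output is pseudonymized rather than anonymized and the key has to stay inside the jurisdiction.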

Should emerging market cyber risk be assessed separately from domestic cyber risk?

Yes. While the same framework (NIST CSF 2.0) and governance structure should apply, the risk assessment must be segmented by jurisdiction because the threat landscape, control maturity, regulatory requirements, infrastructure reliability, and talent availability differ materially from domestic operations.

An aggregate score that blends US and emerging market operations will mask the higher-risk profile of emerging market operations and prevent appropriate resource allocation.
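
The masking effect can be shown with four KRIs and their Green/Amber/Red thresholds from the dashboard earlier in this guide. This is an added example, not part of the original guide: the three operations, their figures and the field names are constructed assumptions, and values on a band boundary are treated as amber.

```python
from statistics import mean

# (green test, red test) per KRI, using the thresholds from the KRI dashboard.
# Anything that is neither green nor red is amber.
THRESHOLDS = {
    "mttd_hours":      (lambda v: v < 24, lambda v: v > 72),
    "patch_14d_pct":   (lambda v: v > 90, lambda v: v < 75),
    "mfa_pct":         (lambda v: v > 95, lambda v: v < 85),
    "phish_click_pct": (lambda v: v < 10, lambda v: v > 25),
}

# Constructed figures for three hypothetical operations (not real data).
SITES = {
    "US": {"patched_14d": 9600, "critical_vulns": 10000,
           "mfa_users": 9800, "staff": 10000,
           "phish_clicks": 500, "phish_sent": 10000,
           "detect_hours": [6, 10, 8, 12, 9, 7, 11, 9, 8, 10]},
    "BR": {"patched_14d": 850, "critical_vulns": 1000,
           "mfa_users": 900, "staff": 1000,
           "phish_clicks": 150, "phish_sent": 1000,
           "detect_hours": [30, 50]},
    "NG": {"patched_14d": 280, "critical_vulns": 400,
           "mfa_users": 320, "staff": 400,
           "phish_clicks": 120, "phish_sent": 400,
           "detect_hours": [90, 70]},
}


def measure(records):
    """Compute KRI values from raw counts pooled over one or more operations."""
    def total(field):
        return sum(rec[field] for rec in records)
    hours = [h for rec in records for h in rec["detect_hours"]]
    return {
        "mttd_hours": mean(hours),
        "patch_14d_pct": 100 * total("patched_14d") / total("critical_vulns"),
        "mfa_pct": 100 * total("mfa_users") / total("staff"),
        "phish_click_pct": 100 * total("phish_clicks") / total("phish_sent"),
    }


def rag(kri, value):
    """Classify one KRI value as green, amber or red."""
    is_green, is_red = THRESHOLDS[kri]
    if is_red(value):
        return "red"
    return "green" if is_green(value) else "amber"


def dashboard(sites):
    """Return {operation: {kri: (value, status)}} plus a pooled BLENDED row."""
    values = {name: measure([rec]) for name, rec in sites.items()}
    values["BLENDED"] = measure(list(sites.values()))
    return {name: {kri: (round(v, 1), rag(kri, v)) for kri, v in kris.items()}
            for name, kris in values.items()}


def masked_findings(board):
    """Per-operation amber or red KRIs that the blended row reports as green."""
    hidden = []
    for name, kris in board.items():
        if name == "BLENDED":
            continue
        for kri, (_, status) in kris.items():
            if status != "green" and board["BLENDED"][kri][1] == "green":
                hidden.append((name, kri, status))
    return hidden


if __name__ == "__main__":
    board = dashboard(SITES)
    for name, kris in board.items():
        print(name, kris)
    print("hidden by blending:", masked_findings(board))
```

With these constructed figures the blended row is green on all four KRIs while one operation is red on all four, because the largest operation dominates the pooled counts.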

What role do DFIs play in emerging market cyber risk?

Development Finance Institutions (DFIs) such as IFC, DFC, and regional development banks are both investors in and lenders to emerging market financial institutions. DFIs increasingly include cybersecurity requirements in their investment terms, conduct cyber due diligence on investees, and support capacity building.

For US DFIs and the institutions they fund, the cyber risk assessment framework described in this guide applies to both the DFI’s own operations and the due diligence it conducts on investees.

How do I prioritize which emerging markets to assess first?

Prioritize by exposure: the markets where your institution has the largest financial exposure (assets, transaction volumes, revenue), the deepest system connectivity (API integrations, shared infrastructure, direct network links), and the weakest current cyber posture (based on NIST CSF self-assessment). Secondary factors include regulatory penalty exposure, sovereign cyber maturity (use the ITU Global Cybersecurity Index as a proxy), and recent threat activity targeting financial services in the region.

Conclusion: Cyber Risk in Emerging Markets Is Not Domestic Risk at a Distance

The threat actors targeting emerging market financial operations are global and sophisticated. They use the same tools, tactics, and procedures they deploy against US domestic targets. But they are attacking systems defended by thinner security teams, older infrastructure, less mature vendors, fragmented regulatory oversight, and workforces with less security training.

For US banks, fintechs, and DFIs, this creates a specific obligation: assess cyber risk in emerging market operations using a framework calibrated to those conditions, not a simple extension of the domestic assessment.

Map the attack surface. Understand the regulatory landscape. Assess your third parties with the rigor the risk demands. Build detection capability that covers the time zones and threat vectors that matter. Prepare incident response plans that work across borders and legal systems. Monitor with KRIs that reflect the realities on the ground.

The frameworks exist. NIST CSF 2.0 provides the structure. The data is available. The implementation requires investment, local intelligence, and the honest acknowledgment that what works in New York, Charlotte, or San Francisco is necessary but not sufficient for Lagos, Jakarta, or Sao Paulo.

Strengthen your cybersecurity risk management capability. From NIST CSF key risk indicators to enterprise risk management frameworks, our resource library covers the standards and practical tools that cybersecurity and risk professionals rely on. Explore our guides at Risk Publishing to deepen your cybersecurity risk assessment practice.

Sources and References

  1. IMF. Global Financial Stability Report, Chapter 3: Cyber Risk – A Growing Concern for Macrofinancial Stability (April 2024). imf.org
  2. KnowBe4. Global Financial Sector Faces Unprecedented Cyber Threat Surge (2025). knowbe4.com
  3. FS-ISAC. New Cyber Threats to Challenge Financial Services Sector (2024). fsisac.com
  4. NIST. Cybersecurity Framework 2.0 (February 2024). National Institute of Standards and Technology.
  5. World Economic Forum. Global Cybersecurity Outlook 2025.
  6. IBM Security. Cost of a Data Breach Report 2024.
  7. Federal Reserve Bank of New York. Cyber Risk and the US Financial System (Staff Reports).
  8. NYDFS. 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies (2023 Amendment).
  9. SEC. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules (2023).
  10. Delphos International. Cybersecurity Investment in Emerging Markets: 2025 Alert. delphos.co