What regulation could look like in the new predatory world of risk

The largest risks we now face are not random, they are designed, they are studied, and they are aimed, a keynote speaker told an audience assembled at the FSRA Exchange Monday.

To be resilient to predatory attacks in the current, changing world of risk means asking regulated businesses questions with a different set of principles in mind, said Dr. Laurence B. Mussio, a Canadian strategic historian of business, technology, and economics.

Risk is no longer “accidental,” as often assumed by regulators and businesses using probability in their risk modelling, Mussio told an audience of regulators and regulated entities attending the Financial Services Regulatory Authority of Ontario’s FSRA Exchange event in Toronto.

“Consider the case of the Lebanon pagers,” he said. “On the 17th of September 2024, at roughly half past three in the afternoon, local time, several thousand pagers detonated simultaneously across Beirut and southern Lebanon, each one containing a small explosive charge concealed inside the battery casing triggered by a single coded message.

“Pagers had been ordinary commercial devices shipped through ordinary commercial supply chains over the better part of two years. But what detonated in those moments was the supply chain itself, and whether one looks at that episode, at the engineered information attacks from Moscow, or Beijing, or Tehran, or at the use of weaponized interdependence in the new tariff wars coming out of Washington, the pattern is the same.

“It’s a hostile actor identifying the institutional point where efficiency has eaten resilience and strikes with surgical intent. So that’s the hour of the predator….[The predator is] watching your historical data. He studies your stress tests and engineers precisely the scenario you failed to model.”

Mussio noted even regulators themselves are now the targets of predatory attacks.

“In the early morning email traffic of January the 14th, 2026, four months ago, the Canadian Investment Regulatory Organization (CIRO) began notifying 750,000 Canadian investors that their personal data, birth dates, social insurance numbers, account statements, [and] government identification had been compromised in a sophisticated phishing attack first detected the previous August,” he said. “I want to dwell on that incident just for one moment, because it concentrates in itself almost everything that I shall say to you this morning.

“CIRO was breached. It was not a member firm, it was not a regulated entity, it was the self-regulatory organization itself, the body that supervises every investment dealer in this country.

“The data was held by the organization in the ordinary course of its supervisory work. Which is to say the very act of regulation had aggregated into one institution the most sensitive financial data on three quarters of a million Canadians, and the institution was then targeted, precisely because the data was there, by an adversary with the patience to study where the regulatory architecture had concentrated its riches. So now it’s fixed, but the data in some quantum is in the wrong hands.”

Tradition Meets Technology: Scaling a Family-Owned, Community-Driven Brokerage Image

Insights Paid Content

Tradition Meets Technology: Scaling a Family-Owned, Community-Driven Brokerage

How MIB is growing across Canada without losing the values, relationships, and local trust that built it.

By 

Sponsor Image

Also in the news: How farm consolidation is putting pressure on coverages

Mussio spent some time examining how the nature of global risk has inverted from “accident” to “purposeful” over the past several years. How do businesses become more resilient to the new predatory nature of risk?

The answer lies in regulators and businesses guarding against a type of amnesia, he said. He noted when institutions forget about past calamities or write them off as outliers in risk models based on probability, they are exposing themselves to attack. Predators, as he said, are constantly examining these structures for points of weakness; something companies have forgotten to do.

One antidote, among others Mussio listed, is for regulators to ask a simple question when assessing risk. The question would draw attention to past failures of similar innovations and ask regulated businesses: “How is this different?”

“In other words, before a new product is approved, a new system is migrated, or the new acquisition consummated, somebody, a designated officer perhaps, must present to the firm’s own board a written analysis of the three closest historical predecessors and defend on paper the proposition that this time is different,” Mussio said. “Those are the four most dangerous words in financial history, ‘This time is different.’” So you’re asking the right questions in the new [predatory] era.

“The protocol does not prohibit innovation, but it prohibits amnesiac innovation. And how many times have we seen this? That people have forgotten to remember.”

Essentially, asking the right questions will ensure businesses account for the probability they will be targeted. No longer should regulators think in terms of “probabilistic” risk. That’s because risk is not “accidental” in a predatory age.

To build institutional and industry resilience, regulators need to adjust their risk frameworks and ask questions that will force regulated businesses to address and protect against past failures.

“The single discipline articulating why this time is different, on paper with a named signatory, would be very interesting,” Mussio said. “And it would…force into the open the one question no one thought to ask: ‘What predecessor does this venture echo? And what did the failure cost?’

“It’s not that hard. The discipline cannot guarantee the right answer, but it guarantees the question.”

David Gambrill

David has twice served as Canadian Underwriter’s senior editor, both from 2005 to 2012, and again from 2017 to the present.