Trust is everything for compliance
Over the next couple of years, banking and insurance organizations will be busily preparing for and adapting to new security and operational resiliency regulations. These new rules represent an evolution in the expectations being placed on the sector in an increasingly technologically-driven age. Additionally, regulations in some jurisdictions will apply also to third-parties providing critical services to financial services firms. So what is happening around the world?World perspective
In the EU the Digital Operational Resilience Act (DORA) provides “financial entities” with a harmonized set of rules for managing risks associated with IT, data and digital operations. As with the SEC’s new rules, DORA also makes boards of directors ultimately accountable for the success or failure of firms’ technical cybersecurity strategies, making this a central business consideration.
By March 2025, financial services firms in the UK will need to ensure they have developed and implemented a Board Level Operational Resilience Policy. Such policies must include rules to identify and document important business services (including mapping out the business processes and associated IT Infrastructure and Applications), set impact tolerances, and develop a program of scenario testing.
In the U.S., the SEC has adopted new rules designed to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents” for financial providers. In practice, this will mean enforcing more aggressive timelines for reporting material security breaches, as well as proactively sharing details of the processes in place to identify and respond to cybersecurity incidents. Most aspects of these rules are already in force, with full compliance required by the end of 2024. It is no coincidence that countries including Australia and Canada are introducing more stringent requirements for banking and insurance businesses at the same time.
