Navigating global security and resilience regulations is challenging for companies. There isn’t a centralized source for all the rules, which puts the burden on regional compliance teams and security leaders to interpret policies. This often results in fragmented thinking and isolated approaches.
Despite the regional differences, some major regulatory themes are emerging worldwide:
- Operational resilience and security are as crucial as financial stability.
  Several regulations now emphasize identifying and securing a firm’s most essential services; the UK’s Building Operational Resilience regulations and the EU’s Digital Operational Resilience Act (DORA) are two examples. Firms have often prioritized financial resilience, but frequent outages, whether from cyberattacks or operational failures, have disrupted customers’ experiences. Notable incidents, like CrowdStrike and WannaCry, illustrate the urgency of this focus. Companies must pinpoint their critical services, assess the potential harm from outages, and prioritize investments accordingly. The most vital services should receive the greatest protection and support.
- Transparency and timely reporting matter.
  When issues arise, regulators want detailed information quickly. Many global regulations require timely reporting of security, cyber, and resilience incidents, such as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in the U.S. and breach notifications under GDPR. Firms need a clear plan for reporting incidents, including who will draft notifications and who will communicate with each regulator. It is crucial to keep regulators updated throughout the incident, detailing the organization’s response. Each jurisdiction has its own reporting timeline, so maintaining an up-to-date log of these requirements is essential. Automation tools can help large organizations manage compliance more efficiently.
- Emphasize foundational cyber controls.
  Regions like the U.S. are pushing for strong foundational cyber controls. For example, firms providing cloud services to the federal government must meet FedRAMP certification standards. Recognized benchmarks like ISO 27001 and the NIST CSF guide firms aiming to enhance their cyber controls and report their maturity to boards. Cyber control maturity should be reviewed against these standards regularly, at least annually, and the review should cover non-technical aspects as well, such as whether teams can recognize phishing attacks and whether incident response drills are conducted regularly.
- Put your customers first.
  New regulations suggest that prioritizing customer protection leads to better security results. Some measures, like the UK’s Consumer Duty in financial services, specifically aim to enhance these protections. The way a firm responds to customers during crises is vital. The fallout from a cyberattack can linger for a long time, often leading to investigations driven by regulatory demands. Though the adage about banking with a recently robbed institution sounds odd, it reflects the idea that companies often become stronger through challenges. How firms manage their responses can define their resilience. There is growing recognition that consumers and markets need better protection from cyber and operational risks, prompting regulators to take action. This means a continued focus on cybersecurity, operational resilience, and supply chain regulation seems likely for the foreseeable future.
Adam Stringer leads cyber, privacy, and operational resilience efforts in financial services at PA Consulting.