Over the next couple of years, banking and insurance organizations will be busily preparing for and adapting to new security and operational resiliency regulations. These new rules represent an evolution in the expectations being placed on the sector in an increasingly technologically-driven age. Additionally, regulations in some jurisdictions will apply also to third-parties providing critical services to financial services firms. So what is happening around the world?
World perspective
In the EU the Digital Operational Resilience Act (DORA) provides “financial entities” with a harmonized set of rules for managing risks associated with IT, data and digital operations. As with the SEC’s new rules, DORA also makes boards of directors ultimately accountable for the success or failure of firms’ technical cybersecurity strategies, making this a central business consideration.
By March 2025, financial services firms in the UK will need to ensure they have developed and implemented a Board Level Operational Resilience Policy. Such policies must include rules to identify and document important business services (including mapping out the business processes and associated IT Infrastructure and Applications), set impact tolerances, and develop a program of scenario testing.
In the U.S., the SEC has adopted new rules designed to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents” for financial providers. In practice, this will mean enforcing more aggressive timelines for reporting material security breaches, as well as proactively sharing details of the processes in place to identify and respond to cybersecurity incidents. Most aspects of these rules are already in force, with full compliance required by the end of 2024. It is no coincidence that countries including Australia and Canada are introducing more stringent requirements for banking and insurance businesses at the same time.
Managing Director for Kyndryl Ireland and Kyndryl UK & Ireland Banking Guild.
Regulations
Finance has always been one of the most heavily regulated industries because of the essential role it plays in all other economic activity. And as the critical infrastructure of the finance industry increasingly embraces digitalization, new threats to security and resiliency are emerging. From a regulatory perspective, the issue here isn’t just the direct risk of financial loss and economic disruption – though that certainly warrants its own response. There is also the bigger issue of trust in financial institutions. Think about how you would feel if your credit cards or digital wallet ever stopped working. You would be prevented from accessing your own money – which in itself would create a lot of emotion and destroy trust.
Every transaction that takes place via a bank, or that involves the securing of an asset against loss by an insurer, demands an act of significant trust. Whether the parties involved are individuals or multinational corporations, there must be trust that money deposited can later be retrieved, that policies will pay out when the relevant terms are met, and that any sensitive information will be held securely. It is a mark of the success of many generations of financial regulation that the level of trust generally is high enough that we don’t consciously weigh it up when making financial decisions.
The key quality that any digitalized future for banking and insurance needs to protect, then, is trust. It is worth bearing this perspective in mind as financial sector businesses seek to comply with new requirements, ensure those efforts are not siloed, and contribute to a broader strengthening of resilience, reliability, and customer trust. In fact, many key trends in this space point in that direction.
Cloud services
An increasing reliance on cloud computing services, for instance, has triggered concerns from the Bank of England and others over the dependency of institutions on single technology providers and the scale of disruption that might come with outages. These concerns will add impetus to adopting a multi-cloud strategy, de-risking operations with a more flexible approach to where services run, and determining how customer needs are met.
Achieving these goals will require closing today’s IT talent gap. In finance, that gap will be felt even more keenly in the context of mainframe modernisation and hybrid strategies which combine cloud services with long-standing core infrastructure. As a rapid adopter of digital recordkeeping in the pioneering days of business computing, banking and insurance companies came to rely on mainframes that now must be integrated with modern systems. This will require both growing the skills base which bridges on-premise and cloud environments, and working with partners who can fill the gaps with best-practice approaches.
Of course, any application of emerging technologies to financial services workflows – including generative AI – must incorporate clear oversight of the security implications of those technologies. A key upshot of this will be opportunities for more finely-tuned products. For example, insurers will need to rely on more advanced approaches to data analysis as they grapple with the increasingly unpredictable consequences of climate change.
Making business data more available, more integrated and more secure also is the strongest route to more efficient and agile compliance with current and future regulations. And while compliance today might seem a steep hill to climb, now is the right time to develop proactive strategies to help build and maintain trust in essential infrastructure for the long term.
We've listed the best payment gateways.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
