Resilience Building Regulations and the Financial Sector

The financial sector handles sensitive data and transactions that affect our economy and society. It is a critical sector and is vulnerable to cyberattacks. The SolarWinds, Colonial Pipeline, and Kaseya attacks, to name a few, have exposed the weaknesses and gaps in our cybersecurity practices and regulations.

To address these challenges and enhance the digital resilience of the financial sector, the EU and the U.S. have introduced or updated cybersecurity regulations geared to harmonize and strengthen the cybersecurity requirements and standards for financial entities and their third-party service providers.

In the EU, the Digital Operational Resilience Act (DORA), which entered into force in January 2023 and will apply from January 2025, establishes a framework for the management of ICT risks. DORA introduces principles and requirements for ICT risk management, ICT third-party risk management, digital operational resilience testing, ICT-related incident reporting, information sharing, and oversight of critical third-party providers.

In the U.S., the New York State Department of Financial Services (NYDFS) amended in November 2023 the regulation it enacted in 2017, which established cybersecurity requirements for financial services companies designed to protect customer information and the information technology systems of regulated entities, and to address the growing threats posed by cyberattacks.

The November 2023 amendment to NYDFS Part 500 applies to all financial services companies that operate under, or are required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law of New York. These include, but are not limited to, banks, credit unions, insurers, money transmitters, mortgage brokers, and virtual currency businesses. The regulation also applies to any affiliates of such entities that have access to Non-Public Information or to the information systems of the regulated entity. The amended Part 500 has significant implications for financial sector companies both inside and outside the U.S., as it sets a high bar for cybersecurity standards and expectations. It may also influence other regulators and jurisdictions to adopt similar or more stringent requirements, since cybersecurity is a cross-border issue that affects the stability and integrity of the financial system.

Both DORA and Part 500 share common objectives and elements, such as ensuring the protection of customer information and the information systems of financial entities, promoting a risk-based and proportionate approach to cybersecurity, and fostering a culture of cybersecurity awareness and accountability among senior management and board members. They differ in application scope, prescriptiveness and level of detail, enforcement mechanisms, and transitional periods. Financial sector companies that operate in both the U.S. and the EU should be aware of the similarities and differences between the two regulations and take the necessary actions to comply with both.

One of the key drivers and motivations for the development and update of these regulations is the rise of cyber threats and cybercrime that target the financial sector and pose significant financial, operational, reputational, and legal risks for financial entities and their clients. Recent cyberattacks have confirmed the need and urgency for the financial sector to improve its cybersecurity posture and resilience and to comply with relevant cybersecurity regulations and standards. DORA and NYDFS Part 500 are only two examples of such regulations that aim to provide a comprehensive and consistent framework for the financial sector to manage its cybersecurity risks and challenges, and to protect its clients and the financial system from cyber threats and incidents. These regulations also reflect the evolving and dynamic nature of the cybersecurity landscape and the regulatory environment, and the need for the financial sector to keep pace with those changes so that it can recover from an attack.

Are we seeing a new wave of financial sector cybersecurity resilience building regulations? The short answer is yes.