Organizations must implement effective incident response policies and practices to manage their IT risk amid rising regulatory requirements.
FREMONT, CA: Financial services firms must confront rising regulatory requirements around how they manage IT risk. This presents unique problems in terms of how those organizations implement effective incident response policies and practices. According to data presented by the UK's Financial Conduct Authority (FCA), ransomware, denial of service attacks, insider threats, supply chain weaknesses, and cloud security will all remain issues for financial services organizations in 2021. The Bank for International Settlements stated that during the Covid-19 pandemic both the shift to working from home and the frequency of cyber events were greater in the financial services sector than in many other industries. Against this backdrop, regulators are changing their expectations for the action that should be taken to respond effectively to cyber and other operational problems.
Significant change is on the horizon for corporations that have operations across the EU. In September 2020 the European Commission presented a new framework for recognizing and reporting significant ICT incidents. This framework will overlap with the existing General Data Protection Regulation (GDPR) and with obligations arising under the Network and Information Security Directive (NIS Directive). In addition, the proposed draft NIS Directive 2 will have its own impact.
In the United Kingdom, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have made incident response a key component of their operational resilience framework, with stricter regulations expected to take effect in March 2022. Financial authorities in the United States have recently taken steps to redefine expectations for effective incident response action. The European Commission has also included a new procedure for responding to and reporting major ICT-related incidents in its draft regulation on digital operational resilience.