
Information assets are increasingly becoming the foundation of value creation. They are an essential part of achieving the company’s goals. With our know-how, we show our customers how business resources can be sensibly deployed for the long term to adequately and effectively protect information assets.

KPMG considers IT compliance and information security holistically, i.e. starting with the strategy and the corresponding guidelines on the resulting processes and organisational structures, the employees and the technical IT components. This ensures that not only individual components, but also their interaction works as a whole.

Information technology is the basic infrastructure not only for all technical processes but also for all non-technical processes at banks and insurance companies. In a globalised financial world where more and more people pay digitally or transfer money online, and where many investors manage their investments online, IT governance and information security have become as important to the supervisory authorities as the institutions' provision of capital and liquidity.

We support you with all IT compliance issues with the following current focus areas:

Operational resilience is becoming increasingly important for financial institutions as well as for national and EU supervisors. The consensus is that companies should create adequate cyber security for themselves and strengthen their resilience against threats.

To protect themselves appropriately, companies need an overview of potential risks. This includes not only threats to individual IT systems, but also all relationships in the value chain. The regulators have addressed this in the Digital Operational Resilience Act (DORA). As part of the EU Commission's strategy for digitizing the financial sector, it is intended to ensure greater resilience in companies against cyber threats. DORA came into force in January 2023. For financial companies, the implementation of DORA within the specified period of two years will be a test of endurance. New requirements include the creation of a digital resilience strategy, expanded testing of contingency plans, and threat-aligned penetration testing. In this context, the importance of harmonized interaction between the disciplines involved, such as IRM, BCM and outsourcing, is growing.

Many companies have already carried out a gap analysis or are starting to do so in order to gain early transparency about the necessary measures and where they belong in existing projects or line structures. We have the experts, the appropriate tool and various benchmarks for classifying the gaps and for proposing implementation options.

For the first time, the ECB is conducting a Cyber Resilience Stress Test in 2024 at ECB-regulated banks. The objective is to assess the operational resilience of an institution's core banking systems against a severe but plausible cybersecurity event. The test is structured in two stages. In the simplified approach, all institutions must complete a questionnaire, provide relevant evidence, and submit a cyber incident report to the ECB within two months. In the more in-depth approach, which involves 20 selected institutions, a recovery test for the cyber scenario must be demonstrated and there is a two-month on-site validation of the evidence.

The ECB has communicated its supervisory expectations to banks for consultation at a workshop on July 3, 2023. Banks can report their feedback to the ECB by August 15, 2023. The Cyber Resilience Stress Test begins on January 2, 2024, and ends for the simplified approach on February 29, 2024, with the submission of the questionnaire and evidence. The subsequent in-depth on-site validation will end on April 30, 2024.

Passing the ECB Cyber Resilience Stress Test requires cross-functional collaboration between various 1st, 2nd and 3rd LoD units in IT-SCM, BCM, IT, Information Security, Outsourcing Management and the business units. The Cyber Resilience Stress Test is designed end-to-end and requires the assessment of economic loss as well as the involvement of (IT) service providers. The required evidence goes beyond the documented policy framework and includes, for example, business continuity, response and recovery plans and their tests, as well as internal control processes and their outcomes for ICT and security risks.

Since mid-August 2021, the Payment Services Supervisory IT Requirements (ZAIT) have applied to e-money institutions, fintechs in payment transactions, providers of instalment purchase financing and specialists in innovative payment solutions. The publication of the ZAIT expands the compliance requirements that already existed for the security of payment and e-money institutions. An important focus is the establishment of comprehensive risk management as well as the documentation and implementation of the corresponding processes. The supervisors also focus on how ZAIT-regulated companies ensure that their service providers and sub-service providers comply with the requirements.

We are one of the leading companies in the field of compliance and are happy to support you in the implementation of the ZAIT with a specially developed ZAIT compliance analysis and our years of experience in preparing and accompanying supervisory audits as well as in defining and implementing measures. For the measures, our method of defining ambition levels has proven its worth.

The supervisory focus continues to be on cyber risks and risks from potentially inadequate modernization and implementation of digitization projects - both at national and EU level (BaFin, ESAs). Across all areas, it is important to be prepared not only for current requirements but also for new requirements and their implementation - from in-house services to those of sub-service providers (e.g., from the BAIT/VAIT amendment or from the EU DORA). New BaFin requirements focus in particular on the operational implementation of IT security measures, emergency management and physical security. Not only financial institutions have to prepare for examinations regarding their outsourcing and on-site inspections, but also critical IT and cloud service providers have to prepare for targeted examinations.

We bring the appropriate tools and prepare our clients for IT regulatory examinations, also accompanying them during a regulatory examination and in the follow-up. Our approach, including methods and templates, is based on our know-how from numerous projects on regulatory audits at insurance companies, banks and asset managers.

A purposefully established IT governance forms the backbone for an effective and secure digital transformation of companies. It helps to drive forward digitization in an organizationally appropriate manner without forgetting to protect the customers and information of financial companies. Typical further questions affecting IT governance are: How can necessary resources be secured now and in the future? How is it possible to work efficiently and without overlap? How can existing processes be integrated efficiently? What contribution must IT governance make to the company's overarching ESG strategy?

We develop suitable control mechanisms using IT or IS governance models (including COBIT, NIST CSF, ISO) and the necessary policy framework for their implementation. The goal is to ensure the necessary compliance with regulatory requirements without losing sight of efficiency and pragmatism.

A shortage of skilled workers and increased pressure to improve efficiency are combining with expanded regulatory requirements in information security (e.g., BAIT/VAIT amendment or DORA) to put increasing strain on companies. Although they are aware of the importance of a functioning ISMS (Information Security Management System), many of them limit themselves to merely fulfilling minimum regulatory requirements. Due to an increasingly digital and complex business world, a realistic representation of the risk situation in information security is not possible in a resource-efficient way with the solutions currently in use. Instead, it must be ensured that companies once again become masters of their individual threat situation through process automation and the use of tools.

We advise our customers with regard to advanced and future-oriented solutions and methods. Together with you, we select the tools that are suitable for you in order to implement them securely, efficiently and, above all, in a future-oriented manner.

The correct handling of digital identities forms the basis of a successful digital transformation. The challenges of the customer journey and the employee journey, as well as the ever-increasing regulatory requirements, demand modern, integrated solutions.

We advise our customers on individual issues as well as in long-term projects from the functional to the technical implementation of IAM, CIAM and PAM solutions, aligned with the business objective and the relevant regulatory requirements.

Effective business continuity management supports companies in identifying potential threats and their impact on business processes. From this, a company derives suitable measures against current threats. Critical business processes and resources are identified on a regular basis, and regularly tested emergency concepts enable an appropriate response when an incident occurs.

BCM/ITSCM is thus an essential cornerstone in achieving the goals set out in DORA. Proven contingency plans and effective integration into enterprise risk management ensure, among other things, the achievement of a company's required operational resilience.

Our conceptual and methodological range of services is shaped by many years of experience in the implementation and operation of management systems for BCM and ITSCM as well as their integration into overarching risk management systems. Beyond the methods and with our relevant tool know-how, we accompany our customers in the efficient implementation of the processes.

More and more financial institutions are migrating to the cloud. An important criterion when choosing a cloud provider is how it handles compliance and security requirements. Providers that have set up their services in a secure and compliant manner can make the difference for financial companies. Current regulations are increasing the pressure on cloud and other IT service providers, as IT regulatory audits are increasingly focusing on outsourcing. The challenge is to identify specific threats and risks, create transparency across the outsourcing chain and manage it efficiently.

We accompany our clients' journey to the cloud and other IT service providers from the very beginning and ensure that they do not stumble over regulatory and legislative issues along the way.

IT compliance primarily means increased expenditure for financial institutions. In addition to the use of tools (e.g., in the GRC environment), banks, insurance companies, and asset managers increasingly see a benefit in taking regulatory requirements into account right at the beginning of new IT projects instead of addressing them only in the course of an upcoming IT supervisory or other audit or in relation to an individual finding. Awareness of the benefits of a sustainable and proactive IT compliance strategy is constantly increasing.

Compliance and security-by-design means thinking about the security of information assets from the outset and designing systems and processes to be legally compliant and secure.

One important task is IT compliance monitoring - identifying and evaluating new legal and regulatory requirements. The goal is to identify new and changed regulations, assess the risk of possible non-compliance, perform the impact analysis for implementation, and ensure compliant implementation in the policy framework as well as in the organization, processes, and/or tools.

We at KPMG have also established a function for this purpose: Our Regulatory Hub for IT Compliance & Cyber Security. This ensures that our employees always have the latest know-how and can advise our clients not only on the latest innovations, but also on their impact.
