Tech and resiliency: Regulatory challenges

Interconnectedness and interdependencies amplify the risks of increasingly frequent and significant disruptions.

Recent events, including technology-based failures, cyber incidents, pandemic outbreaks, and natural disasters, have made clear that significant disruptions are increasingly likely and can be interconnected (consider how a health crisis sparked a mobility crisis that spawned a financial crisis). Although advances in technology have improved firms’ ability to identify and recover from such disruptions, the frequency of events and potential for interconnectedness and/or interdependencies to amplify risks nonetheless underscore the need for operational resilience and are prompting leading companies to adopt a more holistic, multi-function approach.

Explore insights here from the KPMG report Ten Key Regulatory Challenges of 2022.

Top ethics and compliance activities to enhance (Source: KPMG 2021 CCO Survey, August 2021):

  • Use of automation and technology: 67%
  • Data analytics: 35%

How KPMG can help: Regulatory and compliance transformation

Mitigating risk: Tech and resiliency

Set resilience standards and methodology for resilience criticality for services; map business assets to these services.

Sound practices prioritize the operational resilience of a firm’s critical operations and core business lines; however, other operations, services, and functions for which a disruption could have a significant adverse impact on the firm or its customers also should be identified and addressed.

Areas to consider include the:

  • Comprehensiveness of resilience practices and standards, including governance, operational risk management (including cyber risk), business continuity management, third-party risk management, scenario analysis, information systems management, and surveillance and reporting. IT asset management continues to be a dominant theme with regard to an inventory of assets mapped to critical services.
  • Methodology for identifying and prioritizing business services; mapping assets supporting critical services; and defining resilience criticality.
  • Development and implementation of controls and resilient information systems to maintain critical operations.
  • Application of enhanced standards to critical operations and core business lines.
  • Identification of potential risk transmission channels, concentrations, and vulnerabilities based on interconnections and interdependencies within and across critical operations and core business lines.
  • Determination of the financial risk exposure arising from degradations in services.
  • Testing and ongoing updates in coordination with business continuity and resolution planning.

Measure asset financial and non-financial risk exposure, scoring and inputs for resiliency implications (e.g., vulnerability management, end of life, data classification).

Identification of financial and non-financial risk exposure is based on the multiple lines of impact within the firm. As risks are continuously evolving, controls, processes, and procedures should anticipate, test, and mitigate the impact of future threats and potential disruption.

With regard to vulnerability management, regulators are focusing on:

  • Tools used for vulnerability discovery and verification (coverage and visibility).
  • Prioritization strategies for remediation activities.
  • Aged unremediated vulnerabilities.
  • Management of non-patchable vulnerabilities.
  • Controls enforcement in legacy environments.
  • Scope of end-of-life risk classifications across hardware and software.

Provide transparency to boards and senior management with regular insights that clearly articulate minimum service levels and degrees of resilience.

A company’s board of directors and senior management must establish, oversee, and implement an effective operational resilience approach that enables them to respond and adapt to, and recover and learn from, disruptive events so that they can minimize the potential impact of disruptions and operate with confidence during a disruption.

Regulatory attention will focus on the effectiveness of:

  • Board review and approval of the “tolerance for disruption,” at the enterprise level and for critical operations and core business lines, given its risk profile and operational capabilities under a range of scenarios.
  • Board oversight, and senior management implementation, of sound practices, including maintaining a culture of risk management; sufficient and appropriate financial, technology, and staffing resources; and adherence to the tolerance for disruption.
  • Business line front to back ownership of services and assignment of clear management responsibilities that incorporate resilience into governance protocols and provide transparency to the board.
  • Information systems and controls to timely detect anomalous activity and provide the board and senior management sufficient data, including depth of information and metrics, to timely and appropriately respond.
  • Board reporting during cyber incidents, including notification times.

Ten Key Regulatory Challenges of 2022

The year 2022 brings high levels of risk and regulatory supervision and enforcement. Regulatory “perimeters” continue to expand, and regulatory expectations are rapidly increasing. All financial services companies should expect high levels of supervision and enforcement activity across ten key challenge areas. Read the full report to learn more.
