Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more

Data and Cybersecurity: 2023 Regulatory Challenges

Insights on risk management and governance, data collection and use, and privacy

Explore here insights on Data and Cybersecurity from the KPMG report Ten key regulatory challenges of 2023.


Risk management and governance

Regulators are looking to strengthen data risk management, especially in areas such as governance incident reporting, vulnerability management, and identity/access management. Companies should look to build practical and defensible frameworks for scoping their programs that consider both regulatory requirements and expectations as well as business needs.

Regulatory scrutiny around data risk governance will include:

  • Strength of skills at board, management, and staff levels.
  • Accountabilities across business lines and key functions (e.g., IT, data management, risk and compliance).
  • Timely board reporting, proof of challenge.
  • Strategy, inventory, and data lineage to legacy systems.
  • Clarity on data and information deemed critical to the organization, with associated data classification and risk rating to control programs.

Other aspects of data risk that regulators will also consider include:

  • Compliance with incident response and reporting requirements, including:
    • Reporting and disclosure timeliness (such as current banking agency standards, forthcoming SEC proposals, FinCEN SARs).
    • Reporting for national security and/or law enforcement purposes (e.g., CISA, state AGs).
  • Threat and vulnerability management, including:
    • Tools and processes for discovery, verification, and remediation of vulnerabilities.
    • Management of non-patchable vulnerabilities.
    • End-of-life system management.
    • Traceability of reporting.
  • Identity and access management, including:
    • Existence/adequacy of the privileged access management (PAM) programs and controls.
    • Protection of authentication credentials (including non-person acccounts).


Data collection and use

Regulators have shown increasing interest in, and scrutiny of, companies’ practices around data collection, utilization, sharing, and monetization. They are seeking to understand and set parameters around the ways data is collected and used as well as how it is protected from misuse. Ongoing areas of focus include:

  • Commercial surveillance (e.g., FTC’s ANPR seeking input on the need for regulations to address the scale of available data, data security practices, use of algorithms and automated systems to target behavioral advertising, potential consumer harms).
  • Consumer reporting agencies (e.g., CFPB’s expansion of “credit reporting agencies” under the FCRA to include “other data brokers”).
  • Payment platforms (e.g., CFPB’s orders to Big Tech on data practices).
  • New products and services, such as BNPL lenders and automated valuation models (both a focus of CFPB) and digital engagement practices (SEC potential rulemaking).
  • State and local laws, such as the CCPA and CPRA and NYC’s requirements around automated employment decision models.

Regulators will be reviewing practices related to data risk management and consumer protection including:

  • Practices for data collection, sharing, monetization, and utilization, including clarity of communication and customer choice.
  • Implementation of purpose limitation and data minimization policies (collect only what is needed for only as long as needed).
  • Management and controls over data retention and deletion.
  • Controls and monitoring of third-party processes regarding consumer data.
  • Fairness and fair treatment.



Regulators are evaluating companies' privacy practices related to the consumer and customer data they collect and use. Examples of privacy-related legislative and regulatory developments to watch for in 2023 include:

  • FTC amendments to the Safeguards Rule (requires information security programs to have administrative, technical, and physical safeguards; potential rulemaking to require reporting of cyber events where customer information has been or is likely to be misused).  
  • SEC proposal on digital engagement practices (proposed rule anticipated to cover predictive data analytics and related concerns including conflicts of interest, bias, and concentration risks).
  • CFPB proposal on personal financial data rights (Section 1033 of Dodd-Frank).
  • Guidance and/or examinations on models and algorithms, machine learning, and artificial intelligence.
  • State regulations, such as the CCPA and CPRA, the NY DFS Cybersecurity Rule (amendments), and other state consumer data laws.
  • Federal legislative proposals addressing consumer data privacy and/or data rights.

Increasingly, data privacy issues, and privacy-related legislative and regulatory developments, reflect elements, or “standards of care,” intended to facilitate transparency and consumer data rights. These may include:

  • Clear disclosure/communication and transparency of consumer choice policies and processes.
  • A consumer’s ability to access, correct, delete, or opt-out of the collection, processing, and utilization of their personal data.
  • Requirements for obtaining a consumer’s consent to collect and process sensitive personal data, such as geolocation, protected characteristics, or genetic or biometric data.
"Privacy and Data Security will continue to be a growing compliance and regulatory concern that will challenge organizations with finding innovative ways to safeguard customer, clients, and employees’ sensitive and personal identifiable information. The very nature of our business, and our economy, is being transformed by technological advancements and social-economic trends.  Technology-enabled innovations have emerged to offer simpler products and streamlined customer experience.  This evolution will present challenges, with sophisticated Cyberattacks, that will continue to challenge market participants, legislators, and regulators alike, with developing the necessary controls, safeguards, and accountability in the way organizations secure and manage customer data."
 —Michael Blackshear, SVP Chief Compliance & Privacy Officer | Head of Diversity, Equity, & Inclusion, Ryan Specialty

Call to action: Data and Cybersecurity

Drive improved integration of data management, cybersecurity, and privacy programs to:

☑ Build a practical and defensible framework for scoping these programs that considers regulatory obligations and the organization’s business needs

☑ Share a common view of what data and information assets are critical to the organization

☑ Coordinate efforts on how best to manage associated risks

☑ Measure and report upon the effectiveness of these programs and residual risk exposure for the organization in a consistent and integrated way

Dive into our thinking :

Ten Key Regulatory Challenges of 2023

Read our report for client perspectives, regulatory recaps, and actionable steps to help mitigate risk.

Download PDF

Explore more

Get the latest from KPMG Regulatory Insights

KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments.

Thank you

Thank you for signing up to receive Regulatory Insights thought leadership content. You will receive our next issue when we publish.

Get the latest from KPMG Regulatory Insights

KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments. Get the latest perspectives on evolving supervisory, regulatory, and enforcement trends. 

To receive ongoing KPMG Regulatory Insights, please submit your information below:
(*required field)

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Office locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.