
Technology and Resiliency: 2023 Regulatory Challenges

Insights on modern technology risk management, technology resiliency, and operational resiliency

Regulatory & compliance transformation

Explore insights on Technology and Resiliency from the KPMG report Ten Key Regulatory Challenges of 2023.


Modern technology risk management

As the adoption of cloud, e-communication technologies and platforms, and digital tools grows, along with the number of related service providers, regulators warn of potential risks, including information security incidents, cyberattacks such as ransomware or malware, and service outages.

The robustness of a company’s modern technology risk management program will be of continuing focus for the regulators; heightened attention will be directed to significant operating changes using new technology innovations (e.g., cloud, AI, digitalization of risk management processes). Key areas will include:

  • Technology risk assessment programs, including the periodic assessment, categorization, prioritization, and documentation of risks related to data and information, technology systems, and service providers.
  • Ongoing risk monitoring processes and adjustment of internal controls across domains such as threat intelligence, identity and access management, and vulnerability management.
  • Board approval of the risk appetite and tolerances, informed by board expertise and board reporting.
  • Controls effectiveness over third party, supplier, and non-vendor third party risk management, including due diligence, business user acceptance testing and ongoing risk assessment and monitoring.

Financial companies will be challenged to demonstrate:

  • Effective board reporting and oversight, including i) the quality and timeliness of operational and risk metrics, ii) the depth of insight/transparency provided by senior management and risk metrics, iii) meaningful challenge and corrective action tracking, and iv) periodic review of the risk appetite and tolerances.
  • The 2nd line's (risk management) quality of risk visibility and ability to assess and monitor/test.
  • The 3rd line's (internal audit) ability to critically challenge and enforce findings within the 1st line's (business and operations) functions.


Technology resiliency

Regulators will look to technology resiliency and continuity plans within both legacy and newly adopted technology and cloud systems. Regulators' focus will include:

  • Proactive and ongoing detection, mitigation, and remediation of threats and vulnerabilities with respect to information and technology systems, both on-premises and cloud environments, including policies to establish accountability, threat intake processing (including insider threats), assignments, escalations, remediations, and remediation testing.
  • Governance, strategy, and data inventory and classification policies and procedures across information and technology systems for structured, semi-structured, and unstructured data, including evaluation of data backup and recovery capabilities as well as access safeguards such as multi-factor authentication or encryption, patch management, and end-of-life systems management and controls.
  • Coverage of technology risk management processes and continuity planning for company divisions, processes, and systems (not only those that are mission-critical).

Companies should consider application of these elements throughout the technology development lifecycle, including:

  • Testing in production environments.
  • Obfuscation of data in development environments.
  • Controls over system acquisition.


Operational resiliency

In addition to technology risk management and resiliency, regulators will look to the comprehensiveness of resilience practices and standards to include governance, operational risk management (including cyber risk), third-party risk management, scenario analysis, surveillance and reporting, and the connection with business continuity and disaster recovery planning. IT asset management continues to be a dominant theme with regard to an inventory of assets mapped to critical services.

Companies must ensure robust operational resiliency risk programs, including:

  • Identification of critical operations, core business lines, and material entities.
  • Effective controls and resilient technology systems to maintain critical operations.
  • Identification of potential risk transmission channels, concentrations, and vulnerabilities based on interconnections and interdependencies within and across critical operations and core business lines.
  • Testing and ongoing updates, including scenario testing related to cyber resiliency.
  • Determination of the financial risk exposure arising from degradations in services.
  • Coordination with business continuity management and disaster recovery teams.
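The asset-inventory theme above (assets mapped to critical services, identification of concentrations and interdependencies across critical operations, and the "set criticality standards" and "measure asset risk exposure" items in the call to action below) is concrete enough to show in code. The following is an added example written for this page, not a KPMG tool or anything from the report: it takes a constructed dependency inventory (service, system and vendor names are all hypothetical), derives each asset's criticality tier from the most critical service that depends on it, and flags assets whose failure would degrade several business services at once, marking which of those are third-party providers.

```python
"""Added example for this page (not KPMG code): map an IT asset inventory to
critical business services, derive each asset's criticality tier, and flag
dependency concentrations. The inventory and all names are constructed
sample data."""

from collections import defaultdict

# Constructed dependency inventory: asset -> assets it directly depends on.
# Business services sit at the top; applications, data centres and
# third-party providers underneath. All names are hypothetical.
DEPENDENCIES = {
    "payments": {"payment-gateway", "core-ledger"},
    "online-banking": {"web-portal", "core-ledger", "idp"},
    "trade-settlement": {"settlement-engine", "core-ledger"},
    "hr-portal": {"hr-saas"},
    "payment-gateway": {"cloud-region-a", "idp"},
    "web-portal": {"cloud-region-a", "cdn-vendor"},
    "settlement-engine": {"cloud-region-a", "market-data-vendor"},
    "core-ledger": {"mainframe-dc1"},
    "idp": {"cloud-region-a"},
}

# Criticality tier assigned to each business service by the firm's
# criticality methodology (1 = most critical). Hypothetical values.
SERVICE_TIER = {"payments": 1, "online-banking": 1, "trade-settlement": 2, "hr-portal": 3}

# Assets operated by external providers (third-party / supplier risk).
THIRD_PARTIES = {"cloud-region-a", "cdn-vendor", "market-data-vendor", "hr-saas"}


def transitive_deps(asset, deps=DEPENDENCIES):
    """Every asset `asset` depends on, directly or indirectly (cycle-safe)."""
    seen, stack = set(), list(deps.get(asset, ()))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(deps.get(dep, ()))
    return seen


def services_by_asset(deps=DEPENDENCIES, tiers=SERVICE_TIER):
    """asset -> set of business services that would degrade if it failed."""
    supported = defaultdict(set)
    for service in tiers:
        supported[service].add(service)
        for dep in transitive_deps(service, deps):
            supported[dep].add(service)
    return supported


def asset_criticality(deps=DEPENDENCIES, tiers=SERVICE_TIER):
    """Each asset inherits the most critical tier of any service it supports."""
    return {asset: min(tiers[s] for s in services)
            for asset, services in services_by_asset(deps, tiers).items()}


def concentrations(threshold=2, deps=DEPENDENCIES, tiers=SERVICE_TIER,
                   third_parties=THIRD_PARTIES):
    """Non-service assets whose failure would hit `threshold` or more
    business services. Returns (asset, service_count, is_third_party),
    worst first."""
    hits = [(asset, len(services), asset in third_parties)
            for asset, services in services_by_asset(deps, tiers).items()
            if asset not in tiers and len(services) >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    tiers = asset_criticality()
    for asset in sorted(tiers, key=lambda a: (tiers[a], a)):
        print(f"tier {tiers[asset]}  {asset}")
    print("\nConcentrations (single points of failure across services):")
    for asset, count, external in concentrations():
        flag = " [third party]" if external else ""
        print(f"  {asset}: {count} services{flag}")
```

On the constructed data, the ledger, its mainframe and the identity provider each sit beneath every tier-1 service, and a single cloud region supports three services, which is the kind of third-party concentration the operational resiliency bullets ask firms to surface. Replacing the inventory with a CMDB export is enough to run the same analysis for real.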

Our governance and risk management around key areas, such as our public communications, our customers’ data and our company’s technology and infrastructure is one of our highest priorities and of great strategic importance. Even as existing and emerging risks increase, we look to continuously improve our control environment while demonstrating our ability to address critical challenges—it is a commitment we prioritize and focus on with diligence every day.

Karen Nelson

Senior Vice President and Global Chief Compliance Officer, AIG

Call to action: Technology and Resiliency

☑ Set criticality standards and methodology

☑ Measure asset risk exposure

☑ Provide transparency to board/management

☑ Automate security incident escalation and response; build feedback loops

☑ Clearly delineate responsibilities

Ten Key Regulatory Challenges of 2023

Read our report for client perspectives, regulatory recaps, and actionable steps to help mitigate risk.