Insights

Fresh thinking and actionable insights that address critical issues your organization faces.

Learn more

Resources

Services

KPMG's multi-disciplinary approach and deep, practical industry knowledge help clients meet challenges and respond to opportunities.

Services to meet your business goals

Technology Alliances

KPMG has market-leading alliances with many of the world's leading software and services vendors.

View all Alliances

Industries

Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more
Relevant Results
Sorry, there are no results matching your search.
Autocomplete suggestions are available. Use up and down arrows to review and enter to select.
See more results

Security & Privacy

“All things data” gains regulatory vigor with higher (and expanded) data risk management expectations

Security

Regulators will continue to focus on strengthening risk management and governance around the  security of data, IT systems, and networks as well as promote resiliency and incident response.  Regulators will be reviewing:

  • Cybersecurity Threats: Increasing cybersecurity risks (e.g., adversarial attacks, data poisoning,  insider threats, and model reverse engineering) will drive regulatory scrutiny to:
    • Processes for assessing, identifying, and managing risks from potential cybersecurity threats and  potential threat actors.
    • Board oversight and management effectiveness, including roles, responsibilities, and applicable  experience.
    • Timely reporting and disclosure of material cybersecurity incidents.
    • Speed of incident remediation.
  • Threat Detection and Monitoring: Expanding expectations around the adequacy of threat detection  and monitoring processes will include:
    • Maturity of endpoint detection and monitoring solutions.
    • Coverage of threat intelligence (both on premises and cloud environments).
    • Maturation of third-party risk programs, inclusive of ongoing management of supply chain risks.
  • Technology/Operational Resiliency: The small number of cloud service providers is driving  renewed regulatory focus on the wide range of service uses (e.g., IT and cybersecurity management,  data storage, and computing facilities need for AI/ML applications). Areas of interest will include:
    • Resiliency (e.g., cyber incidents, technical vulnerabilities, physical events) and business continuity  planning.
    • Transparency from cloud service providers (e.g., information on risks related to incidents and  outages needed to build technology architecture with consumer protections).
    • Market concentration, interconnectedness of providers, and concentration of “critical uses” of  cloud services and similar third-party services.
    • Clarity and thoroughness of company and cloud provider responsibilities documented in contracts;  third party risk management.

Data management

Regulators emphasize the importance of data management and controls across all systems and  applications, whether internal, or through affiliates and/or third or fourth parties, and across the  data lifecycle. Areas of regulatory focus will include:

  • Access: Attention to access management programs and controls (e.g., multifactor  authentication (MFA), least privilege, recertification), authentication credentials (e.g.,  encryption), and data practices (e.g., purpose, collection and handling, use, safeguarding,  retention, and disposal).
  • Third/Fourth Parties: Evaluation of third- and fourth-party risk management and governance  processes throughout the relationship lifecycle, including whether “higher-risk” activities and  complex relationships are subject to more comprehensive and rigorous oversight.
  • “Automated Systems”: Application of existing authorities and regulations to supervise and  enforce the design, development, and deployment of “automated systems” (e.g., algorithms,  predictive analytics, AI, ML, quantum computing and other innovative technologies). Key risk areas will include data integrity, statistical validity, model accuracy, transparency,  fairness, resiliency/reliability, and protections against data manipulation. Firms are expected  to consider during the design stage and thereafter ways that a system could potentially be  misused for fraud or cause other harms, and to take reasonable steps to mitigate such risks  through “durable, built-in features.”

Privacy

Regulators will continue to assess consumer financial data privacy protections across collection,  use, safeguarding, retention, and disposal, including increasing attention to purpose limitation,  data minimization, and consumer rights. Expect examinations to cover:

  • Evolving Processes: Is data privacy considered in the design, operation, and management  of new applications, including technology systems, automated systems, and digital business practices, with the goal of preventing vulnerabilities (e.g., malware, fraud, identity theft, insider  risk, reputation risk)?
  • Lifecycle Operations: Are regulatory requirements related to consumer data integrated  throughout the data lifecycle, including consumer notices, disclosures, opt outs, and  other rights enumerated under applicable privacy laws and regulations (e.g., UDAP, GLBA,  GDPR, CPRA)?
  • Data Brokering: Are data aggregation practices or those of third parties, including monetization  and use by data brokers and their customers, designed to ensure transparent practices and  consumer privacy protections (e.g., clarity of communications, consumer choice)?

What to Watch

As data collection and use proliferates, so will security and privacy threats. Key regulatory actions to watch will include:

  • SEC Cybersecurity Disclosures: Finalized in 2023, the rule requires public companies to disclose information about cybersecurity risk management, strategy, governance, and material  incidents. Additional rule proposals for investment funds and advisers and market entities  similarly address “cyber hygiene,” incident notification, and data privacy protection.
  • SEC Amendments to Regulation S-P: A proposal to amend on consumer financial data privacy protections-rules by imposing requirements regarding notification of data breach,  monitoring and detection of unauthorized access to or use of sensitive data, and proper  disposal.
  • Third-Party Risk Management (TPRM): Final Interagency Guidance: Finalized in 2023, the Interagency (FRB, FDIC, OCC) guidance establishes expectations for “sound” TPRM over the  relationship lifecycle, varying with the degree of risk and complexity of each relationship.

Call to Action…

  • Enhance board and executive oversight: Strengthen the oversight of security risk management,  strategy, and governance at the board and executive level. Conduct regular communication and  reporting between executives, management, and the board to foster a proactive approach to  identifying, monitoring, and mitigating potential security threats as well as timely incident response.
  • Maintain transparent and timely reporting: Implement a system for transparent and timely  reporting of security threat incidents, as required by regulatory authorities. All incident-related  information should be accurate, up to date, and communicated to the appropriate stakeholders,  including regulatory agencies and customers, as appropriate.
  • Effectively govern data management: Establish formal and effective governance around the  management of data assets, including:
    • Governance around data definitions, standards, artifacts, and key data management processes;  and
    • Well-defined roles and responsibilities pertaining to the management and ownership of  data assets.
  • Prevent privacy vulnerabilities: Design, operate, and manage new applications, including  technology systems, AI, and digital business practices, with the goal of preventing privacy  vulnerabilities (e.g., malware, fraud, identity theft, insider risk, reputation risk).
  • Invest in expertise and talent: Cultivate a skilled workforce that is well-equipped to manage data  and security risks in areas, such as systems access/authorization; development of “automated  systems”; arrangements with 3rd/4th parties; consumer protections; and data retention, storage,  use, and disposal. Encourage ongoing training and continued development at all levels of the organization.

Dive into our thinking:

Ten Key Regulatory Challenges of 2024

Download PDF

Explore more

Regulatory Insights

A source for updates and perspectives on regulatory activity and issues

Read more

Meet our team

Image of Amy S. Matsuo
Amy S. Matsuo
Principal, U.S. Regulatory Insights & Compliance Transformation Lead, KPMG LLP
Read bio
Image of Matthew P. Miller
Matthew P. Miller
Principal, Advisory, Cyber Security Services, KPMG US
Read bio
Image of Steven Stein
Steven Stein
Principal, Cyber Security Services, KPMG US
Read bio
Image of Amy S. Matsuo
Amy S. Matsuo
Principal, U.S. Regulatory Insights & Compliance Transformation Lead, KPMG LLP
Read bio
Image of Matthew P. Miller
Matthew P. Miller
Principal, Advisory, Cyber Security Services, KPMG US
Read bio
Image of Steven Stein
Steven Stein
Principal, Cyber Security Services, KPMG US
Read bio

Explore other services tailored to your business

Service
Data privacy
Read more
Service
Cyber Security Services
Read more

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2024 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline