How Effective Compliance Can Help Firms Develop a Solid Cybersecurity Posture
Regulatory compliance is a major priority for any financial business, and it’s becoming even more mission critical in an era of digital transformation and modern cloud deployments. That’s because, as a financial firm expands operations and services regionally, nationally and even globally, it is also expanding its attack surface and its jurisdictional footprint, bringing more regulatory and enforcement agencies into scope.
But what is the definition of effective compliance from an IT standpoint, and how can compliance efforts be tailored to do the most good for an organization seeking to stay both compliant and secure? Let’s step back and examine how compliance relates to security, and how organizations can optimize compliance efforts for the strongest cybersecurity posture.
Compliance and Security are Closely Linked
The best way to think about compliance is as a set of security guidelines that doubles as an accountability framework for security. Regulatory rules from agencies like the SEC, Treasury Department, IRS, FDIC and FINRA are meant to keep you secure, with penalties and fines for when you’re not. Just as guardrails and road signs make safe driving the enforceable norm on a busy highway, compliance regulations make strong security the enforceable norm across organizations in the busy financial sector.
But just like guardrails shouldn’t turn into impassable roadblocks on a highway full of cars, compliance needs to be reasonable for an organization to navigate at the scale of business. Regulatory agencies don’t design compliance rules to be so onerous that they cripple workflows or operations. And companies trying to stay compliant can’t stay in business if they’re throwing up excessive roadblocks where they’re not needed.
This harkens back to the seamless vs. secure theme we discussed in a previous post. Especially in the highly competitive financial sector, you need to stay secure without bogging down systems and workflows with excessive access or procedural bottlenecks. From there, it’s a question of which compliance-related IT investments are the most strategic – both for the nature of the business, and for the specific cyber-threats and security gaps that are most relevant to the business.
Compliance Should be Targeted and Continuous
We all talk about return on investment (ROI) as a critical outcome of a successful IT initiative. But especially where compliance is concerned, we must also look up front at the focus of investment as an essential prerequisite for that success.
From both a cost and functionality perspective, organizations must selectively choose where their compliance investments can do the most good. For instance, we recently conducted a security review for a client that achieved 80% compliance in all but one area of the SEC’s OCIE framework for cybersecurity and resilience. Only their incident response function was sub-par, at just 50%. This gap assessment helped effectively and economically sharpen the focus of compliance investment to prioritize incident response for that client.
In addition to being focused, compliance efforts must be ongoing. Rather than a single snapshot in time, compliance and security are never-ending work: a continuous improvement loop of gap analysis and system hardening, a virtuous cycle that iteratively captures how your organization is operating and protecting itself as vulnerabilities, threats and regulatory rules shift over time.
Finally, this continuous and iterative approach also helps future-proof the compliance operation, especially when it’s maintained by experts with domain expertise in both IT and the financial sector.
To stay current and avoid obsolescence, a firm’s continuous compliance team should include both the financial domain experts who track shifting regulations and the technical and engineering professionals who can track shifting conditions in the underlying data, APIs, software systems and other IT components.
Many of these steps are easier said than done, which is why our next blog will take a closer look at how these compliance principles can be folded more seamlessly into business processes to make both compliance and regulatory reporting more streamlined and comprehensive.