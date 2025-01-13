It is not easy for firms to work out how to comply with global security and resilience regulation. There is no single place where all of the regulation comes together, so it is often left to regional compliance teams and security leaders to interpret the rules for their own jurisdiction, which leads to a lack of joined-up thinking and extremely siloed approaches.

However, although there will always be nuances depending on the jurisdiction in which a firm operates, several global regulatory themes are emerging:

Operational resilience and security are now as important as financial resilience

Transparency and timely reporting are key

Focus on foundational cyber controls

Do the right thing for your customers and the rest will follow.

Operational resilience and security are now as important as financial resilience

A number of regulations focus on the need to identify the most important services that a firm offers to its customers and to the markets, and to make those services secure above all else. Examples include the UK regulators' Building Operational Resilience rules and the Digital Operational Resilience Act (DORA) in the EU. These regulations have come about because regulators believe that firms have historically concentrated on financial resilience, while outages caused by exploitation of vulnerabilities or by operational failure were occurring too regularly and disrupting customers' lives. There have been many examples of major outages in recent years caused by cyber attacks as well as by operational and supply chain failures, including the CrowdStrike faulty-update outage, WannaCry and multiple outages affecting the airline industry. Firms need to identify their most important services and protect the infrastructure, people and third parties needed to run them. This is typically achieved by working out how much harm a service outage would cause to customers and markets and then tiering services accordingly; the UK rules, for example, require firms to set an impact tolerance for each important business service (the maximum tolerable level of disruption) and to test that they can remain within it. The most important services should receive the most investment and protection.

Transparency and timely reporting are key

When things do go wrong, regulators want to understand the detail. A number of regulations globally focus on the need to report security, cyber and resilience incidents in a timely manner. Examples include the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in the US, the incident reporting requirements under DORA in the EU and breach notification requirements for privacy-related incidents globally, such as those under the GDPR. Firms should make sure that they can report cyber and operational incidents within the required timescales, including knowing in advance who will draft and approve each notification and who will liaise with each regulator. Regulators then need to be kept informed as the incident progresses, including what the organisation is doing to resolve it. Note that the reporting clock usually starts when the firm becomes aware of, or classifies, the incident rather than when the investigation concludes (under the GDPR, for example, the 72-hour window runs from when the controller becomes aware of a personal data breach), so the incident timeline should record those timestamps explicitly. Each jurisdiction may have different timescales and thresholds for reporting, so keeping a register of the applicable regulations and their reporting requirements (reviewed and updated at least monthly) is important. There are tools that can automate this, which may reduce the effort required for large global organisations to keep up to date with regulatory reporting requirements.