Navigating the complex landscape of digital resilience: A guide for financial services


For businesses operating in the financial services (FS) arena, data has never been more important than it is today. When leveraged effectively, data holds the key to increased profit, boosted productivity, and improved customer service. Conversely – as we have seen with recent global disruption to the financial sector and many other verticals reliant on real-time transactional data – when timely and reliable access to this data is removed, by malicious or unintentional means, the negative reputational and business impact can be disastrous.

It is exactly for these reasons that data is an exponentially increasing target for malicious actors who seek to extort FS businesses for their money. In fact, recent research discovered that three in five FS organizations (64%) were hit by ransomware attacks last year. Due to the sheer amount of sensitive, personal data that these organizations hold, the potential damage of such an attack carries business-critical risk.

This is also why governments across the world are rightly focusing their efforts on strengthening the cyber resilience of all highly regulated sectors through the introduction of new legislative and regulatory requirements. By attaching very significant financial and reputational repercussions to non-compliance with these regulations, the objective is to avoid the even greater damage that external threat actors can cause to these critical national business sectors.

A landscape full of directives

In today’s highly digitized economy and evolving risk landscape, it is necessary for regulators across the globe to ensure the continuous delivery of essential services that both enterprises and citizens rely heavily on.

In Singapore, the government is expanding its Cybersecurity Act with the introduction of the Digital Infrastructure Act (DIA) aimed at enhancing the resilience and security of key digital infrastructure and services. The DIA complements the government’s existing regulatory framework—beyond cybersecurity—by addressing a broader range of resilience risks faced by digital infrastructure and service providers, including FS. This measure aligns with similar efforts in other Asian countries such as Hong Kong, reflecting a growing recognition across the region of the critical need for robust digital infrastructure.

The new DIA will take into consideration international developments such as how the European Union (EU), Germany, and Australia have introduced incident reporting requirements and baseline resilience and security standards that regulated entities, for example, financial institutions, must comply with. Collectively, these requirements could contribute to the prevention of disruptions and effective recovery should disruptions occur.

The introduction of the DIA increases the regulator’s oversight capabilities, underscoring the importance of cyber resilience and introducing penalties for non-compliance. These measures signify a clear intent to safeguard critical and digital infrastructure.

Across Europe, the landscape is also evolving, and the recent introduction of many new directives, including the NIS2 (Network and Information Services version 2), the CER (Critical Entities Resilience), and DORA (Digital Operational Resilience Act), signifies a paradigm shift toward more proactive risk management.

DORA, as one of the newest EU regulations, has become the subject of much attention in recent months. It was released in 2023 with a goal to strengthen cyber resilience for the financial market. With all financial institutions—including banks, insurance companies, payment and credit organizations, and service providers—expected to be compliant by January next year, the clock is very much ticking to implement necessary tools and processes.

DORA is all about boosting resilience for the increasingly globally interconnected digital infrastructures of the FS sector. It requires companies to focus on a Digital Resilience Strategy accompanied by a Digital Resilience Framework. In fact, the 64-article EU regulation mentions the word ‘recover’ 60 times. As such, when it comes to compliance with DORA, the importance of effective backup solutions cannot be overstated.

Legislated communication and transparency

Financial services organizations need a comprehensive response plan that is regularly tested, rehearsed, and continually communicated with all key stakeholders. It is only then that they can be on the front foot and act quickly to ensure business resilience.

The EU’s NIS2, for instance, requires specific incident reporting and communications provisions. It also emphasizes the importance of certified secure supply chains to protect the digital ecosystem. Non-compliance may result in penalties of up to 2 percent of revenue.

Similar to Europe, Hong Kong will be establishing new legislation titled the “Protection of Critical Infrastructure (Computer System) Bill” that will require Critical Infrastructure Operators (CIOs) of large organizations in Hong Kong to meet organizational, preventive, and incident management obligations. Expected to take effect in early 2026, this new regulation covers essential services such as energy, banking and financial services, and healthcare services. Specifically, CIOs are required to notify the authority of critical computer system security incidents within 24 hours, and within 2 hours for serious incidents that will lead to major disruptions or large-scale leakage of personal or other data.

Backing up to move forward with regulatory compliance

When it comes to regulatory compliance, FS organizations must be able to restore backups to another location that is physically and logically segmented from the source, and their backup data must be securely protected from unauthorized access and corruption (that is, immutable).

Because the backup system is one of the most important targets for an attacker, financial organizations must be able to demonstrate what safeguards are in place. This is why FS organizations should use solutions that already meet stringent requirements for the sector, so documentation is readily available during an audit.

Preparations should already be well underway for FS organizations preparing to meet the new and future regulations across different jurisdictions. However, those who are running behind should start an internal regulatory compliance project as early as possible. This should include scoping, gap analysis, process validation, and reporting validation. Fully understanding the regulation and how an organization might be affected is the first step toward achieving compliance.

Compliance is good for business

Even if FS businesses have discovered that they are not in scope for the upcoming directives, it doesn’t mean that they should just sit back and relax. There is a reason that these requirements exist. Attacks happen every day, and major incidents are becoming increasingly frequent.

While many countries across Asia are implementing substantial regulations, valuable lessons can be learned from the comprehensive approach of the EU’s DORA and its articles, applicable across Asia and beyond. Implementing such measures can greatly increase an organization’s cyber resilience and ensure that valuable FS data is better protected from attackers. This is why investing in a proactive approach to compliance could help FS organizations stay one step ahead.


#DataSecurity #CyberResilience #FinancialServices #RegulatoryCompliance #RansomwareProtection
