How zero trust helps financial institutions adapt to regulatory change

By Jimmy Nilsson and Robert Wallos

For capital markets organizations, it can be complex and costly to adapt to regulatory change—particularly for changes to security protocols.

Given the stakes, many banks and financial services providers are moving to a zero trust model. Zero trust—often described as deny by default—creates tighter controls on asset access.

Let’s explore how this approach can help organizations pinpoint and diagnose gaps in their security systems and adapt quickly to evolving regulations.

Example: RegSCI

We start with a closer look at why adapting to regulatory change can be so challenging. Recently, the U.S. Securities and Exchange Commission (SEC) proposed a significant revision of its Regulation Systems Compliance and Integrity (RegSCI) rules.

The purpose of RegSCI is to protect investors and promote market stability. It establishes rules and requirements for critical market participants to follow to ensure their operational and technological systems are reliable and secure and that they comply with regulatory standards.

The proposed changes are extensive and would result in increased scrutiny of security and availability standards—as well as an expanded number of organizations that will be categorized as SCI entities.

The reality is that the initial compliance cost for new SCI entities is steep. It hovers, as reported by the SEC, at USD $45 million, followed by an annual bill of roughly USD $28 million.¹

And cost is only part of the equation.  

The RegSCI update would require qualifying capital market organizations not only to meet but exceed existing security protocols. Organizations could be tasked with running tabletop simulations across the entire value chain—including third parties—to demonstrate different risk scenarios and related defense strategies. Or your organization may be asked to quantify the potential impact of a cyberattack.

This is where zero trust comes in.  

Zero trust enables an end-to-end approach

Many capital markets organizations already boast robust security capabilities, but these capabilities often operate in silos, without adequate focus on the assets most in need of protection, such as order management systems or access controls.

Zero trust requires breaking down organizational, governance and technical silos to create a unified security system. This end-to-end approach is a powerful tool for adjusting to regulatory changes.

Here’s why.

When siloes are broken down and your organization’s existing security capabilities are mapped out—including enforcement, decision and information points—your team can optimize existing security architecture investments. You can also prioritize transformation efforts based on criticalities and potential risks, such as trading disruptions caused by network attacks or denial-of-service attacks.

Overlaying this groundwork with an integrated defense-in-depth architecture, as is called for with zero trust, can offer valuable insights to further enhance your security infrastructure, and grant your team increased agility to adjust to new regulatory standards.

Zero trust enhances reportability

A significant challenge for organizations required to comply with regulations such as the RegSCI proposal is traceability and reportability within their security environments. This is why effective measurement and communication of progress, fundamental to any zero trust framework, are key to success in adjusting to regulatory change.

Zero trust calls for the creation of robust tracking mechanisms to monitor the performance and value of your team’s security architecture. For capital markets organizations in particular, these mechanisms help your team avoid common pitfalls and oversights that might compromise compliance.

Zero trust facilitates third-party risk management

Another crucial aspect of zero trust is the management of third-party risks, a concern also shared by regulators such as the SEC.

In managing third-party risks, while delegating some responsibility to external vendors is feasible, ultimate accountability falls on the organization itself.  Therefore, it’s essential to integrate third-party vendors into your security strategy as closely as you might your internal security, IT and business units. In other words, rather than viewing third-party vendors and their associated risks as external elements, try considering them as an additional stakeholder group within your zero trust ecosystem.

Adapting in stride

Regardless of the cost and effort, adjusting to regulatory change is not optional: It is an obligation and an operational necessity for organizations across industries.

Planning ahead for possible, future regulatory compliance, however, may spare your organization time and unexpected challenges. Anticipatory compliance fosters healthy security practices and hygiene, underpinning operational continuity and minimizing the risk of unwanted scrutiny. In other words: If you’re ahead of the game, you won’t continually be playing catch-up.

A zero trust approach can help you keep ahead.

Jimmy Nilsson is the Managing Director and Global Domain Lead for Zero Trust, Kyndryl Consult. Robert Wallos is a Chief Architect for Banking & Capital Market.

1. The U.S. Securities and Exchange Commission (SEC). Proposed rule: Regulation Systems Compliance and Integrity. 2023.