5 steps to fill cyber regulatory gaps in your financial institution’s IT infrastructure

By: Aaron Severance

January 2025 promises to be a watershed moment for cyber regulatory compliance in the financial services sector.

That’s when the European Union will start enforcing the Digital Operational Resilience Act (DORA), marking the first time that the information and communication technology (ICT) systems of banks and financial institutions—and the ICT systems of third-party service providers that support them—will be governed by a comprehensive set of cybersecurity rules.

Even organizations that don’t do business in the EU will monitor how DORA enforcement plays out as they prepare for a host of new cyber resiliency rules.

Shifting to a proactive compliance strategy

With the regulatory landscape continually changing, my colleagues and I have developed a cyber regulation readiness approach to help companies anticipate, protect against, withstand and recover from ICT-related threats and disruptions while satisfying regulators’ expectations.

Here, I preview five key steps from the strategy that can close cyber regulatory gaps in your financial institution’s IT infrastructure:  

1. Understand the regulatory framework

Before searching for gaps in your IT infrastructure, work with your risk and compliance department to understand how each regulation will affect the organization and how your legal team will interpret the rules.

Consider the U.S. Securities and Exchange Commission rules—adopted in July 2023—that require registered companies to report “material cybersecurity incidents” within four days of the organization determining that the incident is material.¹ The regulation change doesn’t provide a definition of “material,” leaving it up to each company’s legal team to define the term and create an appropriate framework the IT department can use to report incidents when required.

Meanwhile, since regulations like DORA and the Network Information Security Directive (NIS 2)² extend to companies that support your business, any third-party technology providers you use must also be apprised of regulations and understand how the rules affect their service delivery. Be sure to clarify whether your company assumes full responsibility for any violations of the provider’s ICT systems or if the risk is shared.

2. Map gaps between the regulation and your infrastructure

Next, you’ll need to perform a gap assessment to determine how close your current IT deployment is to meeting the identified regulatory controls. The gaps could be as narrow as a single data-handling process or encompass a governance need across all your critical business systems.

When reviewing its ICT business continuity policy and response and recovery plans, a major bank headquartered in Cyprus found that it wasn’t fully compliant with the comprehensive testing and crisis management requirements of DORA. If this partial compliance had been left unaddressed, it would have affected the bank’s ability to recover quickly from disruptions or a cyberattack.

3. Create and execute a risk mitigation plan

The areas of non-compliance identified during a gap assessment provide the parameters for your risk mitigation plan. Before investing heavily in new technology to close your infrastructure gaps, explore options to enhance existing security and recovery capabilities or modernize legacy environments.

During its gap assessment, a Greece-based life insurance company learned that its detection mechanisms didn’t fully align with DORA standards, leaving the organization vulnerable to data breaches, operational disruptions and regulatory non-compliance. We recommended implementing multi-layer controls and establishing regular testing protocols to strengthen these areas.

Bear in mind that some risks—like known gaps in a technology product or risks you can reduce through a different set of changes in the IT environment that still meets the control requirements—may be acceptable. Perform a cost analysis on all changes and prioritize mitigations based on severity.

After executing your risk mitigation plan, review the outputs and confirm with each business owner that the remediation put in place meets the standard of the identified control. You’ll need to repeat steps 2 and 3 if you discover any new gaps or failures to mitigate.

4. Engage a qualified security assessor to confirm compliance

If the regulation being reviewed requires formal attestation of compliance, then you must engage a qualified security assessor. The assessor will conduct a formal audit and provide documents of attestation to demonstrate compliance and share with the appropriate regulatory body. 

Assuming you’ve thoroughly analyzed and remediated any problems found during your gap assessment, the process should be straightforward. However, if gaps remain or the chosen mitigation creates new issues, you’ll need to close the gaps before your environment can be certified.

5. Review as outlined by the regulation

Each regulation will define an attestation period and require audit recertification at set intervals. Recertification will go more smoothly if you maintain disciplined change control, implement a structured governance, risk and compliance program, and conduct regular compliance assessments of your ICT infrastructure.

A rapidly evolving regulatory environment

By proactively addressing potential IT gaps and incorporating the principles of cyber regulation readiness, you can help secure your operations and build resilience to navigate future regulatory changes.

Aaron Severance is Managing Director and Customer Technology Advisor for Kyndryl’s Security and Resiliency team.

¹ Cybersecurity risk management, strategy, governance and incident disclosure, U.S. Security and Exchange Commission, July 2023

² Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive), European Commission, August 2024