Digital Operational Resilience and Regulatory Compliance for Financial Institutions And the emerging cyber security trends in the UK, EU, and India

On October 13, 2023

What is Digital Operational Resilience?  

If a business is ever disrupted by threats or hacks or even natural disasters, then the ability of the business to respond, act, and overcome these adverse circumstances is referred to as operational resilience, and from a technological perspective is known as digital operational resilience. The idea is to identify the potential problem before it escalates and causes damage and mitigate its effects. The digital integrity of the business is tested at such times. Digital operational resilience can be broken down into several stages: anticipating problems, developing strategies to prevent them, responding, acting and recovering from them, and finally adapting to the change in the situation. In the same vein, business continuity management (BCM), although not synonymous with digital operational resilience, ensures that at least essential functions of the businesses carry on irrespective of the disruption in services.  

What is business continuity management and how does it differ from digital operational resilience? 

Business continuity management is more target-oriented and targets specific incidents, whereas digital operational resilience is a natural extension of business continuity management, and has a wider scope. Moreover, business continuity management takes into account only external factors and the processes that are tied together, whereas digital operational resilience might look at indirect ways in which an operation can be disrupted. A holistic approach involving all the four key areas of technology, people, infrastructure, and third-party vendors in identifying potential risks, helps it to achieve digital operational resilience.  

What is DORA? 

The European Commission’s Digital Finance Package launched the Digital Operational Resilience Act (DORA) in September 2020. Its main aim is to improve the digital operational resilience of the whole finance sector. It also proposes to make the financial sector resilient enough to withstand security threats and also enables the monitoring of third-party service providers. DORA applies to all financial entities under the EU level such as banking institutions, electronic money institutions, trade repositories, crowdfunding service providers, trade venues, management companies, data reporting service providers, credit rating agencies, pension providers, and audit firms, investment firms, payment institutions among others. In terms of the scope of application of the DORA, the principle of proportionality plays a significant role, meaning that since businesses differ in size, risk profile, type of business model, etc. the regulations will not apply equally to all entities. For instance, a smaller financial institution will have to take fewer comprehensive measures to carry out resilience tests and report incidents.  

Regulatory Compliance for Financial Institutions 

Financial companies are among the most targeted sectors for cyberattacks mainly due to the sensitive nature of data it holds, making them most vulnerable. Thus, stringent regulations are required to keep the information safe. The cost of regulatory compliance has shot up severely over the past decade. It is estimated that it costs $10,000 per employee to maintain compliance. This is largely due to the growth in digital payment channels, increased cyber frauds, and the lasting effects of the 2008 financial crisis.  

What are the current issues faced by finance companies due to compliance? 

The pandemic era has caused the economic market to fluctuate leading to an increase in the number of compliance issues such as disclosure, anti-corruption, accounting fraud, cybersecurity issues, etc. Moreover, due to the fact that many financial institutions were forced to implement a complete remote or hybrid work model of working; the spotlight shifted to cybersecurity. With increasing advancements in the field of technology and the complex nature of work, finance companies are striving to continuously adapt to compliance changes.  A proactive model of cybersecurity must be implemented to keep vulnerabilities at bay and address data breaches at once, lest they result in huge penalties and fines.  

What are the Financial Data Security Regulations that every finance company should know about? 

1.General Data Protection Regulation (GDPR)

GDPR is governed by the European Union (EU) which ensures all international organizations abide by the compliance rules. The main idea behind this regulation is that there is transparency between the financial industry and the customers; thus, data collected must be minimal and for very specific reasons.   

2.Payment Card Industry Data Security Standard (PCI-DSS)

PCI-DSS is required to secure cardholder data and is established by the Payment Card Industry. Any organization that wishes to process, store or transmit cardholder data of their customers must follow the PCI-DSS. This is to protect customer data from debit/credit card thefts. All financial institutions: issuing banks, acquiring banks, merchant banks, etc. must abide by these standards. Regular testing must be done to control data breach attempts and ensure the network’s continued security. 

3.Gramm-Leach-Biley Act (GLBA)

The GLBA was brought into existence 20 years ago to regulate the distribution of private financial information. This is to educate the customers on their data sharing rights such as the right to opt-out of data sharing practices with third-party services. It encloses all financial institutions that lend money and offers wire transfer services, accounting firms, investment firms, tax firms, real estate agencies, and broker/service loans among others.  

What’s in store for UK and EU in Cyber Security in the coming years?  

The world is fast moving towards, and increasingly becoming dependent, on online networking. The speed and convenience of its use have propelled businesses to take advantage of digitization. But this has its fair share of weaknesses as well in the form of malicious threats and data theft. Criminal activity online has grown rapidly sending alarming bells ringing even as private organizations and government agencies alike, are endeavouring to face the onslaught of cyberattacks.  

The threats are not limited to financial losses alone, but also losses to government and democracy on the whole. Legal information, military information, and other top-secret government-related information are at stake here. At times, the impact is felt across an entire nation. Where the UK and Europe are concerned, the impact of Brexit on cybersecurity can be felt. UK was one of the pioneers in IT and cybersecurity, without it the rest of Europe could be left vulnerable. Brexit is no longer viewed as a separation when it comes to cyber security, but as a cooperative and collaborative effort to jointly thwart criminal activities. 

Cyber Security Associates (CSA) in the UK and the EU Agency for Network and Information Security (ENISA) have respectively developed a cyber security certification framework and blueprint for a rapid emergency response to address the security concerns and create defensive measures to respond appropriately and timely to any online threats. The European Council has further initiated measures to counter threats arising from the new 5G networks.  

The new distributed workforce implemented due to the pandemic has become a favoured workplace for cybercriminals. Due to large investments by organizations in cybersecurity, the cyber security market in India alone is expected to grow to USD 3.05 billion by 2022. Although huge strides have been made in the field of cyber security, yet threat actors continue to exploit weaknesses brought forth by their increased complexity.


Ransomware threats continued to abound as employees were forced to work from home overnight following the unforeseen onslaught brought about by the pandemic, as the employees were completely unprepared for this phase. Following the two years into the pandemic, now that the employees, at least most of them, are getting back to the office; the IT teams have a handful in trying to fix the gaps in the security networks.  

Although cloud-based applications are the norm now with organizations reaping their benefits of agility and scale, massive and unprecedented growth in the attack surface has risen due to the work from anywhere model. This has opened up more avenues for attack and vulnerable targets. Infrastructure security will see a good boost in the coming years even as government organizations have woken up to its critical role in cyber security. The rapidly changing threat landscape will keep organisations on their toes in the forthcoming years, even as the government completes its National Cybersecurity Strategy, propelling India to the tenth position in the Global Cybersecurity Index of 2020.  

What is the solution to the uncertainty and concerns of the future of cybersecurity? 

The ever-changing cyberscape has created a sense of unease and uncertainty as threats loom large over government agencies and private organizations. Government agencies are committed to providing security to all its citizens; but when it comes to convenience, security, and privacy, striking a balance among all three is key. The vulnerabilities increase as the gap widens between all the above-mentioned concepts.  

Companies should invest well in setting up firewalls, Virtual Private Networks (VPN), restricting access, strong password policy, etc. as some of the basic security measures. Knowledge is power; thus, empowering people with information about cyber security and creating awareness regarding unsafe cyber practices will go a long way in protecting the network and data. Simple random acts such as opening an email, or clicking on an innocuous-looking link can be avoided which otherwise can be fatal. As the age-old adage teaches about strength in unity, it is a concept that can be well adapted here, as the combined nations’ efforts can effectively combat threats by creating a strong partnership and a bright future for cybersecurity.