Shaping Cybersecurity Strategies Amid Evolving Financial Regulations

In my 20+ years as a cybersecurity practitioner, I've witnessed first-hand how the waves of regulatory changes can unsettle even the most seasoned professionals.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

In the UK, where financial services are integral to the national economy, adhering to cybersecurity regulations isn't just about compliance—it’s about securing trust and ensuring resilience.

The financial services industry has always been heavily regulated. Organisations in this sector face a complex landscape of regulations such as the GDPR, NIS2 Directive, and specific Financial Conduct Authority (FCA) mandates, which result in increased expectations around cybersecurity from customers and regulators—as well as increased liability for financial services firms in the event of a data breach. Ultimately, executives and Boards around the globe are responsible and accountable for cybersecurity performance management in just the same way that they are accountable for managing other critical parts of the business.

State, federal, and international standards are not static; they evolve to address emerging threats and technology advancements. For CISOs and cybersecurity leaders, this dynamic field means constant vigilance and adaptation are crucial to not only stay compliant but also protect sensitive data from increasingly sophisticated cyber threats.

Banks, credit unions, investment and insurance companies, and other financial services firms are prime targets for cyber attacks because of the nature of their business and the sensitivity of the data they hold. In addition, financial services firms tend to be very large organisations with vast third-party ecosystems, as well as connections to millions of users and devices, all of which translates into more potential gaps in cybersecurity. It’s no wonder, then, that they have the second highest average cost of a data breach at 5.9 million dollars, according to the Cost of a Data Breach 2023 report by IBM.

Understanding What the Regulators are Looking For

Regulators are keen to see how a firm’s security performance management strategy supports its business strategy, and how existing controls and monitoring processes are being adjusted accordingly.

What the regulators are essentially asking financial services firms to do is establish senior-level accountability and responsibility, so that organisations treat security as a strategic issue and have effective, appropriate cyber risk management in place to monitor not only their own performance but also that of their third parties.

As such, security and risk leaders need a way to continuously monitor, measure, and communicate the efficacy of the controls they have in place to secure their valuable assets from threats in the digital ecosystem. To achieve this, they need to take a risk-based, outcome-driven approach to managing performance through broad measurement, continuous monitoring, and detailed planning and forecasting, with the aim of measurably reducing cyber risk.

Three Actionable Steps To Maintain Regulatory Compliance

1. Manage security performance across your financial services ecosystem

Only a data-driven, proactive approach to assessing and evaluating your company’s expanding attack surface can help you reveal hidden risk, prioritize investments, inform resource allocation—and reduce your firm’s liability. This includes measuring, monitoring, and maintaining ongoing security performance across payment systems, financial records, customer accounts, cloud services, vulnerable legacy systems, and more.

2. Expose and mitigate third-party cyber risk from financial partners

Financial services firms are part of a vast, interconnected third-party ecosystem of partners and suppliers. Each creates a potential weak spot for cyber defenses, making it necessary to continuously monitor third-party security performance and drive efficient risk reduction across your vendor portfolio—from onboarding through the life of the contract.

3. Quantify cyber risk in financial terms

Because cybersecurity is a boardroom concern, security leaders in the financial services industry need to cut through the technical jargon and measure and report cyber risk in language that makes sense to board members. Just like we use dollars and euros to communicate costs, we use cyber risk and performance analytics to communicate risk and easily assess a company’s potential for financial exposure across multiple cyber events, including ransomware and breaches.

As we move forward, the certainty of regulatory change in cybersecurity is as predictable as change itself. By transforming these challenges into strategic opportunities, financial institutions can not only comply with laws but can also strengthen their defenses, innovate securely, and build enduring trust with their clients. In this digital age, our resilience is tested not by our ability to avoid change—but by our capacity to evolve with it.

For more insights into navigating the complexities of cybersecurity regulations in the UK's financial sector, visit our detailed guide ‘A CISO’s Compliance Playbook.’

You can also join our webinar on 12 June - Turning NIS2 Regulation Into a Business Opportunity.