Over the last two years, many new regulations have been rolled out specifically relating to the banking, financial services and insurance (BFSI) sector. These regulations impact various technologies and processes such as cloud, consumer protection, privacy and data sovereignty.
Among the many reasons for this surge is the accelerated adoption of new technology during the coronavirus pandemic. While this trend helped organizations quickly adapt to business disruptions, many organizations were only able to move so quickly because they either fast-tracked risk evaluations for these new technologies or skipped risk evaluations entirely. Many technologies also required risk and cybersecurity teams to be upskilled to better identify risk exposure, but with limited time, training was sometimes put on hold.
Rushed adoption and overlooked security procedures increased organizations’ exposure to breaches, some more than others. Research into the cost of data breaches globally shows the Middle East trending as the second most expensive region in terms of average cost of breached data, up from 2021. The financial sector stands as the second most targeted sector globally.
Although these surges appear to be linked to the pandemic, they are not limited to the pandemic. As technology adoption continues, new security risks will emerge and new regulations will be introduced. Businesses need a way to outpace these changes, to move from a manual, reactive approach to regulatory tracking, to an automated, proactive one.
A new pace for technology regulations
The release of regulations is closely linked to the adoption of new technologies, specifically when those technologies can potentially impact organizations and the sector at large (e.g. UAE’s Critical Information Infrastructure Protection Policy). Faster adoption of technologies during the pandemic has therefore led to faster roll out of regulations. The diagram below shows the timeline of technology adoption since to pandemic compared to the estimated timeline had the pandemic not occurred.
Regulators in the UAE have been releasing regulations addressing cybersecurity and technology risks for over 10 years, but the last two years has seen a sudden increase in the regulations with an added stringent adherence clause. The list below shows just some of the regulations and initiatives enacted in the UAE between 2020 and 2022 that have an impact on banks and BFSI sector.
With critical entities and organizations throughout the Middle East’s BFSI sector widely adopting newer technologies, regulators are pushing the release of more regulations, some of which may not be very clear or mature.
For example: In certain cases, Central Bank of UAE requires banks to seek CB UAE’s approval for data stored outside the region. This may not be a sustainable model considering changes that banks in the regions are going through, such as some larger banks switching to cloud computing. It is likely that this approval process will be replaced with stronger and mature regulations in the future, but for now, this requirement from Central Bank has introduced delays and uncertainty in DevOps cycles and is impacting agile working methodologies.
The manual-tracking issue
With most countries in the Middle East embarking on digitalization initiatives and new business propositions gaining popularity, organizations can expect more regulations to be rolled out. This could pose a challenge because businesses are already struggling to keep up with all these new regulations due to outdated approaches, such as manually tracking regulatory requirements using a spreadsheet-based repository.
Such manual approaches have several shortcomings:
Siloed and difficult to maintain
Spreadsheet-based repositories are generally built as a onetime effort by individual teams with limited access or communication with each other. These registers are often ignored because manually tracking new regulations and updating the registers requires extensive effort.
Repositories are generally built to mainly capture regulation requirements, with little to no analysis of the applicability of the clauses or mapped controls.
Lack of visibility
If the applicable regulation registers are not regularly updated or if access is limited, organizations and technology functions cannot know their true level of compliance with regulatory requirements, leaving them vulnerable to hackers and penalties from regulators.
A common noncompliance reported by internal audits is lack of regulatory adherence or use of outdated regulations, and lack of awareness of new applicable regulations.
How to address this challenge
To keep up and remain compliant, organizations can no longer rely on manual regulatory monitoring; they need the support of a strong regulatory compliance program that is specific to technology and cybersecurity.
At a minimum, this program should:
To establish and maintain a program like this, organizations first need to build a robust, well-maintained regulatory repository, then embed those regulatory requirements into normal operations by linking them to the organization’s common control framework, as shown in the diagram below.
As long as organizations consider identifying and implementing regulations as separate tasks, the chance of losing track of compliance is high. This is especially true for organizations operating across multiple geographies because regulations can differ so much from region to region.
The first step in developing a strong regulatory compliance program is to develop a robust repository of regulations, one that is comprehensive and continuously updated. This will ensure that the organization is always up to date on the latest regulations and able to map them to common control. The diagram below shows several ways a well-maintained repository can benefit technology and cybersecurity operations.
Organizations can further enhance their security programs by incorporating automation at every stage:
With the regulatory landscape for technology and cybersecurity constantly changing, it can be hard enough to keep track of what’s changed, especially for global businesses operating in different countries. To be prepared for these changes and actually be able to work with them, businesses need to be more proactive with their regulatory tracking, and automation can help.
You can learn more about Wipro’s cybersecurity and risk management solutions.
Partner & Head of Cybersecurity & Risk Consulting Services — Middle East, Wipro
Anoop has more than 19 years of experience in cybersecurity, information and technology services, working across various sectors and specializing in BFSI. He has worked with several large global clients on technology, risk, and cybersecurity initiatives