One of the two key areas of research focus for me this year is organizational resilience. In 2023, a number of regulations have been updated, creating new requirements for businesses to follow, new areas of risk, and more money and time spent adjusting to these changes.
Compliance strategies help cement trust in professional partnerships and vendor relationships. If your firm is trying to qualify for cyber insurance, or simply looking to obey the law and avoid fines, your business is up against increasingly tough compliance measures. It is no longer sufficient to be compliant only once per year, scramble in the two weeks before the audit, and then forget about it for the rest of the year.
What compliance tech trends should IT management adopt as they build and refine their technology roadmaps?
Let’s start with some of the regulatory drivers for these trends.
Regulatory Issues to watch
European Union Digital Operational Resilience Act (DORA)
The EU is applying regulatory pressure in the financial sector with its Digital Operational Resilience Act (DORA). DORA is a “game changer” that will push Financial Services (FS) firms to fully understand how their ICT, operational resilience, cyber and TPRM practices affect the resilience of their most critical functions as well as develop entirely new operational resilience capabilities.
One key element here is that DORA introduces a Critical Third Party (CTP) oversight framework, expanding the scope of the FS regulatory perimeter and granting the European Supervisory Authorities (ESAs) substantial new powers to supervise CTPs and address resilience risks they might pose to the FS sector.
German Supply Chain Due Diligence Act (SCDDA)
On January 1, 2023, the German Supply Chain Due Diligence Act took effect. It requires all companies with head office, principal place of business, or administrative headquarter in Germany – with more than 3,000 employees in Germany – to comply with core human rights and certain environmental provisions in their supply chains. SCDDA is far-reaching and impacts multiple facets of the supply chain, from human rights to sustainability, and legal accountability throughout the third-party ecosystem. It will addressing foundational supply chain issues like anti-bribery and corruption diligence.
From 2024, the number of employees will be lowered from 3,000 to 1,000. And Switzerland, The Netherlands, and the European Union also have drafts of this type of regulation in the books.
PCI DSS 4.0
Payment Card Industry Data Security Standard (PCI DSS) is the core component of any credit card company’s security protocol. In an increasingly cashless world, card fraud is a growing concern. Any company that accepts, transmits or stores a cardholder’s private information must be compliant. PCI compliance standards help avoid fraudulent activity and mitigate data breaches by keeping the cardholder’s sensitive financial information secure.
PCI compliance standards require merchants to consistently adhere to the PCI Standards Council’s guidelines which include 78 base requirements, more than 400 test procedures and 12 key requirements.
When looking at the changes in how PCI has evolved over the years up to PCI 4.0, there is a departure from specific technical requirements and toward the general concept of overall security. PCI 4.0 requirements were released in March 2022 and will become mandatory in March 2024 for all organizations that process or store cardholder data.
The costs of maintaining compliance controls and security measures are only part of what businesses should budget for PCI certification. Businesses should also account for audit costs, yearly fees, remediation expenses, and employee training costs in their budgets alongside technical upgrades to meet compliance standards.
Tech Trend changes
Zero Trust presents a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data and assets. Zero Trust as a model assumes all requests are from an open network and verifies each request this way. PCI 4.0 does not mention zero trust architecture specifically, but it is evident that the Security Standards Council is going that way as a future consideration.
Passwordless authentication gained a lot of attention and traction this year. Major companies, such as Google, Apple, and Microsoft, are introducing passwordless authentication based on passkeys. This is a clear sign that the game is about to change. As the PCI DSS focuses on avoiding fraudulent activity, so does newer authentication protocol approaches to verify and confirm identity.
Third-party risk management is quickly evolving into third-party trust management (TPTM), with the SCDDA creating a clear line in the sand for global organizations. TPTM is a critical consideration when standing up an enterprise trust strategy. Enterprise trust is a driver of business development that depends on cross-domain collaboration. It goes beyond cybersecurity and focuses on building trusted and lasting third-party relationships across the core critical risk domains: security, privacy, ethics & compliance, and ESG.
Final thought – Cyber Insurance in 2023
If some of these compliance drivers lead to a desire for financial protection, cyber insurance is one mitigation element for strategy to address C-level concerns. But wait – this is not as easy as it used to be.
Five years ago, a firm could fill out a one-page cyber insurance application and answer a handful of questions. Fast forward to ransomware and other cyber threats and now getting insurance with favourable terms, conditions, pricing coverage and low retention is tough.
Insurance companies prefer enterprises that are instituting robust security controls and incident response plans — especially those prepared to deep dive into their cybersecurity architectures and planned roadmaps. In terms of compliance strategy development, there needs to be a risk-based led approach to cybersecurity to allow an insurer to offer a favourable insurance option.