Cyber and data: Regulatory challenges

Mitigation and resilience initiatives relative to frequency and impact of cyber threats are needed for this 'foremost' risk.

Amy S. Matsuo

Amy S. Matsuo

Regulatory and ESG Insights Leader, KPMG US

+1 919-664-7100

Matthew P. Miller

Matthew P. Miller

Principal, Advisory, Cyber Security Services, KPMG US


Orson Lucas

Orson Lucas

Principal, Advisory, Cyber Security Services, KPMG US

+1 704-502-1067

The financial services regulators have called cyber risk the foremost risk to financial stability—and the Administration has called it a persistent and increasingly sophisticated threat that weighs heavily on governments and financial services companies alike. Given the highly interconnected nature of the financial services sector and its dependencies on critical third-party service providers, all participants in the financial system must implement risk mitigation and resilience initiatives relative to both frequency and impact of cyber threats. Current or emerging threats include malware (e.g., ransomware), supply chain risk, and sophisticated DDOS.

Explore here insights from the KPMG report Ten key regulatory challenges of 2022.




of U.S. consumers say data privacy is a concern.


don’t trust companies to ethically use their data.

Source: Corporate data responsibility: Bridging the consumer trust gap, August 2021, KPMG


Maintaining focus: Cyber and data

Evolve your customer and enterprise identity and access management programs to ensure appropriate preventions against latest account takeover threats. 

Increases in data transfer sophistication have widened the array of entry points to a financial services company’s assets and consumer data, widening the number of attack vectors for malicious actors. Weak access management and authentication controls provide opportunity for cyber attackers to leverage compromised credentials to access the same resources and data that legitimate users can.

New FFIEC guidance outlines effective risk management principles and practices for access and authentication, including:

  • Monitoring, logging, and reporting of activities to identify, track, respond, and investigate attempted or realized unauthorized activities.
  • Layered security and multiple controls to compensate for the weakness of a single control; multi-factor authentication may protect accounts from being compromised by threats, such as credential stuffing, phishing attacks, and spear-fishing attacks
  • Access and transaction controls including account maintenance; transaction value, frequency, and timing; rate limits on log-in attempts; and application timeouts.
  • Authentication solutions employed before system access, including solutions such as device-based public key infrastructure (PKI) authentication, one-time passwords (OTP), behavioral biometrics software, and device identification and enrollment.


Use orchestration and automation to augment limited cyber security resources and improve your speed to respond. 

Increasing legal and regulatory compliance requirements are complicating compliance risks and serving as a key driver for enhancements to cyber security capabilities. Security orchestration, automation, and response (SOAR) tools combine to allow companies to collect data about security threats from multiple sources, initiate a response with limited human interaction, and coordinate post-incident reporting and information sharing. Benefits include faster detection and reaction, broader threat context, integrated data management safeguards, and lower costs – which should help companies weather the flurry of regulatory attention to cyber and data issues in 2022, including: 

  • Regulatory response to Executive Order 14208 (May 2021) requiring improvements in the cybersecurity of the United States. The order is the “first of many ambitious steps” being taken to modernize national cyber defenses. Provisions address cybersecurity standards (including zero-trust architecture), supply chain security, standard responses to cyber incidents, and the creation of a Cybersecurity Safety Review Board. 
  • Annual reporting requirements imposed on the federal banking regulators for measures taken to strengthen cybersecurity within the financial services sector, including supervision and regulation of financial institutions and third-party service providers.
  • Guidance from the White House urging ransomware preparedness across the private sector. 
  • Anticipated rulemakings from the SEC regarding disclosures of cybersecurity risk governance, and increased enforcement activity regarding the accuracy of cyber disclosures and related disclosure controls and procedures; adverse business impact may not be necessary for an event to be “material.” 
  • State actions related to ransomware and cybersecurity controls. Notably, NY DFS is considering adding new controls to its Cybersecurity Regulation, and reporting requirements for any successful deployment of ransomware on internal networks or intrusion to privileged accounts.


Identify, manage and protect the organization’s information assets (throughout the data management lifecycle) by embedding “privacy by design” and automating data protection.

Businesses are collecting increasing amounts of customer data to feed predictive analytics, personalize marketing campaigns, and introduce/improve products and services. Consumers, for the most part, are increasingly concerned about how their information is being collected, used, and protected – focusing regulatory attention on customer data privacy and protection. “Privacy by design” principles set a baseline for robust data protection by embedding privacy into the design, operation, and management of new applications, including IT systems, AI platforms, and digital business practices, with the goal of preventing privacy vulnerabilities. 

Forthcoming regulatory attentions on data and privacy are expected to include: 

  • A CFPB proposed rulemaking to facilitate the portability of consumer financial transaction data.
  • An FTC rulemaking addressing unfair data collection and surveillance practices impacting competition, consumer autonomy, and consumer privacy.
  • A CFPB review of Big Tech practices related to consumer data capture, use, and restrictions in the context of their payments systems.
  • SEC focus on investor protections, predictive data analytics, and digital engagement practices.
  • Expansion of state data privacy and protection laws. Notably, the California Privacy Rights Act (CPRA) will be taking the place of the California Consumer Privacy Act (CCPA) beginning January 2023, bringing into scope a host of changes around new GDPR-like rights as well as a focus on areas such as records retention, business purpose limitations on data collection, data storage and processing, disclosure of predictive AI model details, and cyber audits. 


Ten Key Regulatory Challenges of 2022

The year 2022 brings high levels of risk and regulatory supervision and enforcement. Regulatory “perimeters” continue to expand, and regulatory expectations are rapidly increasing. All financial services companies should expect high levels of supervision and enforcement activity across ten key challenge areas. Read the full report to learn more.

Subscribe to our mailing list to receive our Regulatory Alerts and Points of View.