Technology and Resiliency: 2023 Regulatory Challenges

Modern technology risk management

As the adoption of cloud, e-communication technologies and platforms, and digital tools grows along with the numbers of related service providers, regulators warn of potential risks, including information security incidents, cyberattacks such as ransomware or malware, and service outages.

The robustness of a company’s modern technology risk management program will be of continuing focus for the regulators; heightened attention will be directed to significant operating changes using new technology innovations (e.g., cloud, AI, digitalization of risk management processes). Key areas will include:

• Technology risk assessment programs, including the periodic assessment, categorization, prioritization, and documentation of risks related to data and information, technology systems, and service providers.

• Ongoing risk monitoring processes and adjustment of internal controls across domains such as threat intelligence, identity and access management, and vulnerability management.

• Board approval of the risk appetite and tolerances, informed by board expertise and board reporting.

• Controls effectiveness over third party, supplier, and non-vendor third party risk management, including due diligence, business user acceptance testing and ongoing risk assessment and monitoring.

Financial companies will be challenged to demonstrate:

• Effective board reporting and oversight, including i) the quality and timeliness of operational and risk metrics, ii) the depth of insight/transparency provided by senior management and risk metrics, iii) meaningful challenge and corrective action tracking, and iv) periodic review of the risk appetite and tolerances.

• The 2nd line’s quality of risk visibility and ability to assess and monitor/test.

• The 3rd line’s ability to critically challenge and enforce findings within the 1st line’s functions.

Technology resiliency

Regulators will look to technology resiliency and continuity plans within both legacy and newer-adopted technology and cloud systems. Regulators’ focus will include:

• Proactive and ongoing detection, mitigation, and remediation of threats and vulnerabilities with respect to information and technology systems, both on-premises and cloud environments, including policies to establish accountability, threat intake processing (including insider threats), assignments, escalations, remediations, and remediation testing.

• Governance, strategy, and data inventory and classification policies and procedures across information and technology systems for structured, semi-structured, and unstructured data, including evaluation of data backup and recovery capabilities as well as access safeguards such as multi-factor authentication or encryption, patch management, and end-of-life systems management and controls.

• Coverage of technology risk management processes and continuity planning for company divisions, processes, and systems (not only those that are mission-critical).

Companies should consider application of these elements throughout the technology development lifecycle, including:

• Testing in production environments.

• Obfuscation of data in development environments.

• Controls over system acquisition.

Operational resiliency

In addition to technology risk management and resiliency, regulators will look to the comprehensiveness of resilience practices and standards to include governance, operational risk management (including cyber risk), third-party risk management, scenario analysis, surveillance and reporting, and the connection with business continuity and disaster recovery planning. IT asset management continues to be a dominant theme with regard to an inventory of assets mapped to critical services.

Companies must ensure robust operational resiliency risk programs, including:

• Identification of critical operations, core business lines, and material entities.

• Effective controls and resilient technology systems to maintain critical operations.

• Identification of potential risk transmission channels, concentrations, and vulnerabilities based on interconnections and interdependencies within and across critical operations and core business lines.

• Testing and ongoing updates, including scenario testing related to cyber resiliency.

• Determination of the financial risk exposure arising from degradations in services.

• Coordination with business continuity management and disaster recovery teams.