Last week, I had the pleasure of joining a panel discussion about governance, risk, and compliance (GRC) controls in financial regulation with industry experts from Google Cloud and Plaid.
Marina Kaganovich is Executive Trust Lead for the Office of the CISO at Google Cloud, and Kenneth Moras is Security and GRC Lead at Plaid. They joined me to share their insights about the evolving landscape of GRC in financial services.
Tom Bechtold from Secure World Digital guided a lively discussion about the pressing challenges and opportunities facing GRC teams in financial services institutions today—and into the future. Here are a few of the highlights:
The Digital Operational Resilience Act (DORA) Recognizes Financial Institutions as Critical Infrastructure
One of the major topics we discussed was the EU Digital Operational Resilience Act (DORA), enacted in 2023. DORA is a significant development that builds on existing regulations to protect the IT security of financial institutions. It makes them more complex from a regulatory stance, tighter from a control stance, and broader from a coverage stance.
Kenneth and I agreed on the importance of DORA’s acknowledgment that financial institutions play a critical role in our IT infrastructure. As digital banks have disrupted traditional banking, many physical branches have closed. That makes it hard to get money when hackers take down financial systems.
DORA applies to anyone who provides pure digital infrastructure and their supply chain. Its comprehensive framework includes 140+ requirements, which Kenneth feels acknowledges the realities of how the financial industry operates and the modern threat landscape.
Of course, this adds pressure on GRC teams to focus on incident response to ensure compliance and resilience. I outlined a 6-step process for GRC teams to prepare for DORA, from gap analysis through information sharing. For the full 6 steps, jump to 10:52 in the webinar.
Above all, we see DORA as a sign of more regulations to come. “You will have a similar style of frameworks and regulations popping up in different countries,” said Kenneth, mentioning the UK Resilience Framework.
NYDFS Part 500 Is Comprehensive and Evolving
Marina provided some great insights into New York State Department of Financial Security (NYDFS) Part 500, especially regarding its recent revisions. “When NYDFS Rule 500 was introduced, it was really revolutionary in terms of its prescriptiveness,” she told us. Where previous cybersecurity rules had been loose and flexible, Part 500 (formally Section 500 of NYCRR) imposed very detailed requirements.
NYDFS updated NYCRR Part 500 in 2023 in response to the growing harm and velocity of cyber threats. The revisions call for even more enhancements to organizations’ cyber programs, including independent cybersecurity program audits, detailed privileged management monitoring, and endpoint security detection and response controls.
These changes push financial institutions to step up their governance and reporting efforts. While the new security and governance requirements pose new challenges, they’re also an opportunity for GRC teams to demonstrate their value.
Marina cited a similarity in language from the SEC and called out a trend of cybersecurity rules becoming more prescriptive worldwide. It’s hard to tell, though, if regulations in the US will continue to pop up as a patchwork on a state level or if the nation will implement a national standard.
Kenneth added that while he was at Facebook, multiple states wanted to audit their payments program. Due to the specific requirements of NYDFS 500, Facebook’s compliance in New York would automatically let them pass the bar for other states.
I wondered if companies would game the regulatory system by registering in states with less stringent cybersecurity rules, but Marina set me straight. “Certain regulations apply for where businesses are headquartered or registered, but more likely, it’s where they do business,” she explained. “Other regulations pertain to where the customers are.”
NIS2 Broadens the Definition of Critical Infrastructure
Tom mentioned that the Network and Information Security Directive 2 (NIS2) was written into law “almost unnoticed” last January. NIS2, which will apply across the EU and in some form in the UK, focuses on critical infrastructure. Like NYDFS 500, it has granular requirements and requires annual evidence of compliance from a third party.
In my view, NIS2 is bang on the money in broadening what critical infrastructure means. That's not just about water, light, or gas; that's about the things that we need and consume to be able to provide services, maintain businesses, and produce economic outcomes.
I’d go further because recently, CrowdStrike showed us what keeps our world going. It’s the S&P, it’s airlines, it’s social media. So if we look at what modern-day critical infrastructure is, it has to include finance. It has to include telco. Because if we have no internet connection, no phone availability, we can't work, and we cease to be able to function. It has to include ICT providers, because if GCP goes down, we've got a problem, right? There are a lot of businesses in the world that cease to be able to act.
Marina pointed out that despite (or because of) the legal patchwork found in the US, individual US financial institutions are already heavily regulated—often by more than one US regulator. She said this reflects a recognition that the financial sector is critical infrastructure. The more the financial services sector is treated as critically important, the more legislation and regulation is put out to bolster the required controls, and the higher the standards become. That in turn supports confidence that the sector as a whole is functioning as expected and can be trusted by consumers.
CrowdStrike Proved (Once Again) that Third-Party Risk Is Real
Of course, we had to dive into the recent CrowdStrike incident. As Kenneth put it, “The CrowdStrike incident has been a very eye-opening incident that has forced a lot of organizations to think about operational resiliency very differently.” The massive impact of a faulty CrowdStrike update in July 2024 shows how interconnected our systems have become and how reliant our lives are on them.
From my perspective, what it taught us is that we need to do a better job protecting critical infrastructure—including finance, social media, and all those elements of society we haven’t traditionally thought of in those terms. More importantly, all that critical infrastructure needs better incident response (IR) and disaster recovery (DR). People couldn't recover fast enough, and they couldn't recover well enough.
While Tom was officially moderating, I was keen to ask Kenneth and Marina how their companies were affected and what they did.
Marina emphasized the importance of being aware of that interconnectedness and including controls to minimize risk at every step. “It's really about thinking through resilience and really ensuring that it's part of all of our processes, it’s part of testing, it’s part of SDLC, It’s part of being able to roll back changes if we need to, and it’s part of being able to recover quickly.”
As Kenneth pointed out, resilient infrastructure isn’t just about internal controls. It’s about understanding and mitigating risks across the entire supply chain. “Luckily we at Plaid did not use CrowdStrike, but we very well might have been impacted if we used them,” he told us. “It's very hard as a third-party risk management professional to foresee everything that can go wrong. It is really making these teams think through, ‘Who are your really, really critical service providers, and can you still survive with them not operating effectively or going out of business?’”
“For us as a software provider, Plaid products have been used by 10,000+ innovative fintechs, so we cannot afford to have bad code that just crashes every FinTech application.”
SolarWinds Is When Risk Got Personal
One of the hottest topics we tackled was the SolarWinds case, given its implications for CISOs. Marina noted that this was the first time the SEC brought a cybersecurity enforcement claim against a CISO. The fallout from SolarWinds marks a new era of personal liability. (Note: This personal liability issue is something we discuss in our guide ‘Take Your Risk Management Program to a New Level.’)
Marina pointed out that the SolarWinds case led many CISOs to check on whether they’re covered by their company’s directors and officers (D&O) insurance. “Up until then, they seemed to be operating under this assumption that they would be included by default, because of that C-suite title. And many of them were surprised to find that that wasn't the case.”
While I may come under the policies of the organizations I've worked with, I make sure I have my own as well. SolarWinds aside, we've seen multiple organizations, Uber included, leave their CISO out to dry. You want to have your own individual protection to make sure that you are covered, regardless of what the CEO does.
Kenneth shared my concerns about the immense pressure this puts on security leaders. There are a lot more questions than answers, and I don’t think we’ve seen the end of this. It could very well be the beginning of a modern-day battle between security leaders and regulators.
Technology Can Make GRC More Strategic
We wrapped up the discussion by looking to the future of GRC. I emphasized the importance of staying informed about evolving regulations and the role technology, including generative AI, can play in streamlining processes.
Kenneth shared that his team at Plaid has seen huge time savings using compliance technology (and disclosed that they use Anecdotes). “These technologies are super critical… doing this manual mapping, doing these gap assessments, can be super time intensive,” said Kenneth. “I don't have an infinite number of people working on GRC, and I want them to focus on certain areas more. Having this technology empowers your smart people to do more smart work.”
Marina made a strong case for how to position a GRC solution as a strategic enabler within organizations rather than just a cost center—a perspective we wholeheartedly support at Anecdotes. This alone may be worth the watch for some of you reading! And there was plenty more on each of the topics I’ve touched on.