9 disaster recovery regulations that impact financial services firms

From IT disaster recovery to cyber resilience, financial institutions need to plan, document and test recovery procedures to maintain compliance

The regulatory landscape for financial service entities is vast and complex. Governing bodies across the world have increased accountability and strengthened protections for consumers with evolving and enhanced regulatory frameworks, guidelines, and legislation. Increased digitalization, sophisticated cybersecurity threats, and debilitating events like the COVID-19 pandemic shone a light on the need for increased technology resilience.

Technology resilience is defined as the ability of an IT system to continue to operate under adverse conditions or stress and recover to an effective operational state in a time frame consistent with business needs. The type of business and where you operate determines which regulations you must adhere to, potential risks, and fines.

The Cutover Collaborative Automation platform helps financial service entities ensure regulatory compliance for technology resilience procedures with dynamic, automated runbooks, reporting, and auditing capabilities. With this in mind, we’ve compiled a summary of key regulations impacting technology resilience procedures. For any regulatory advice, please contact your legal experts.

The 9 disaster recovery regulations impacting financial services

1) DORA: Digital Operational Resilience Act

Enacted December 14th, 2022, the Digital Operational Resilience Act (DORA), created by European Supervisory Authorities (ESAs), is part of Europe’s Fit for a Digital Age program and creates a first-of-its-kind regulatory framework including binding rules on digital operational resilience. As of January 17th, 2025, DORA mandates that all financial services firms operating in the European Union (EU) ensure they can “withstand, respond and recover” from all types of information and communication technology (ICT) related disruptions and threats. The goal of DORA is to harmonize digital resilience in the EU through the introduction of requirements on ICT risk management and ICT-related incident reporting.

DORA provides a framework for making the oversight of outsourced IT providers (including cloud) the responsibility of financial market players. It consolidates and upgrades the requirements financial services firms will face and broadens the business view of resilience, bringing accountability to the senior management level. For a quick summary, read the three things you need to know about DORA.

Here is a summary of the five pillars of DORA:

  • ICT risk management - updating the requirements and risk management framework and activities with a broader focus across critical business functions.
  • ICT incident reporting - consolidating existing ICT incident classification and reporting.
  • Digital operational resilience testing - new requirements for financial services firms to prove they can conduct an appropriate set of security and resilience tests on critical ICT systems and applications. This includes being able to fully address vulnerabilities identified by the testing, and having independent testers perform advanced, large-scale threat-led penetration testing every three years.
  • ICT third-party risk management (TPRM) - provides guidelines for strategy, policy, and a standardized register of information; guidelines for pre-contract assessment and an oversight framework for critical providers with clear requirements and penalties.
  • Information and intelligence sharing - provides guidelines for sharing arrangements for cyberthreats and vulnerabilities, including a Critical ICT Third-Party Providers (CTTP) oversight framework.

2) FCA PS21/3: Financial Conduct Authority Policy Statement 21/3

Effective March 31st, 2022, the Financial Conduct Authority (FCA), in partnership with the Bank of England and the Prudential Regulation Authority (PRA) published a shared final policy statement on requirements to strengthen operational resilience in the UK financial services sector. This follows an initial discussion paper in 2018 and a December 2019 consultation on the same issues. The new rules aim to help firms prevent, adapt, respond to, and recover and learn from operational disruptions. Policy Statement (PS) 21/3 significantly increases the requirements for the UK financial sector to be operationally resilient, with a compliance deadline of March 31st, 2025.

In summary, PS21/3 requires financial institutions to:

  • Perform mapping and testing so that they are able to remain within impact tolerances for each important business service
  • Make the necessary investments to enable them to operate consistently within their impact tolerances

PS21/3 aligns with DORA, providing parallels in the guidance given to financial services institutions operating across the UK and EU.

3) Monetary Authority of Singapore: MAS BCM, MAS TRM

Published in 2003 with revisions published in June 2022, the Monetary Authority of Singapore’s (MAS) Business Continuity Management (BCM) Guidelines for financial institutions set out to strengthen financial institutions’ resilience against service disruptions arising from IT outages, pandemic outbreaks, cyber attacks, and physical threats.

The MAS BCM Guidelines apply to all financial institutions in Singapore, including banks, merchant banks, capital markets services license holders, and payment services providers. MAS BCM expands upon MAS TRM, providing guidance for financial firms to achieve operational resilience and to use a BCM framework to minimize the impact of any operational disruption on a financial institution’s ability to continually deliver financial services.

Financial institutions have 12 months from the date of issuance and therefore are expected to have adopted the guidelines by June 6th, 2023.

Summary of the MAS BCM guidelines that financial institutions must perform:

  • Service recovery time objective (SRTO) - a time-based metric that organizations must establish for each critical business service.
  • End-to-end dependencies - covering people, processes, technology, and other resources that support critical business services; including third-party dependencies.
  • Plans and procedures - address unforeseen disruption, failure or termination of third-party arrangements to minimize impact.
  • Mitigate concentration risk and reduce impact in the event of a disruption.
  • Continuous review and improvement.
  • Testing - regular and comprehensive testing to gain assurance that its response and recovery arrangements are robust.
  • Audit - an independent assessment of the adequacy and effectiveness of the implementation of a BCM framework.
  • Incident and Crisis Management - resume critical services and functions within stipulated SRTOs/recovery time objectives (RTOs).
  • Board and Senior Management Responsibility - provide leadership and strategic direction to establish strong governance over the financial institution’s BCM.

The MAS Technology Risk Management Guidelines (TRM), issued in 2013 and updated in January 2021, focus on the underlying IT infrastructure supporting financial institutions through their digital transformation journeys. MAS TRM complements MAS BCM and provides general guidance to financial services firms to “establish sound and robust technology risk governance and oversight” and maintain cyber resilience.

MAS TRM includes guidelines for IT system resilience in the areas of:

  • System availability
  • System recoverability
  • Testing a disaster recovery plan
  • System backup and recovery
  • Datacenter resilience

4) PCI DSS: Payment Card Industry Data Security Standard

Enacted in 2004 and revised in March 2022, the Payment Card Industry (PCI) Data Security Standard (DSS), developed and managed by the PCI Security Standards Council (PCI SSC), is the global data security standard. It outlines technical and operational standards to secure and protect credit card data provided by cardholders and transmitted through card processing transactions.

The PCI SSC was created by the major credit card brands (Visa, Mastercard, AMEX, Discover, and JCB), and PCI DSS applies to all companies that accept, process, store, or transmit credit card information. PCI DSS should be a core component of any credit card company’s security protocol. Constant maintenance and assessment of security gaps are important for avoiding the theft of sensitive information (social security numbers, driver’s license numbers, etc.). While not a regulatory mandate or legally required, it is regarded as mandatory through court precedent. Payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

PCI DSS includes twelve key requirements for companies to uphold:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt the transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data on a need-to-know basis
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

Of these twelve requirements, the one that most significantly impacts IT disaster recovery procedures is: Regularly test security systems and processes. This requirement homes in on a critical aspect of PCI compliance - testing. Companies need to outline policies and procedures and then regularly test them to ensure they are sound and that vulnerabilities are caught.

Additionally, the most recent revision in March 2022, PCI DSS v4.0, creates a baseline standard for technical and operational requirements to keep sensitive account data secure as it is used and transmitted throughout the payment processing ecosystem. These standards are required to be implemented by March 2024.

5) NFA Compliance Rule 2-38: National Futures Association

In 1982, the United States Commodity Futures Trading Commission (CFTC) created the National Futures Association (NFA) enabling it to launch regulatory operations, with the aim of safeguarding the integrity of the U.S. derivatives markets, protecting investors, and ensuring members meet regulatory responsibility.

Under CFTC regulations, all CFTC-registered firms must be members of the NFA. The NFA regulates all qualified brokers, futures commission merchants, commodity pool operators, swap dealers, exchanges, commodity trading advisors, and retail foreign exchange dealers that deal in the futures markets.

The NFA is a self-regulatory organization that implements rigorous registration requirements, strict compliance rules, real-time market surveillance, and strong enforcement authority in order to prevent fraud and abuse. The NFA rulebook outlines best practices, rules, and procedures. Adopted in 2003 and later amended in July 2019, the NFA Compliance Rule 2-38 outlines requirements for business continuity and disaster recovery planning.

The NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan requires each member to:

  • Establish and maintain a written business continuity and disaster recovery plan that outlines procedures to be followed in the event of an emergency or significant disruption.
  • Provide the NFA with, and keep current, the name and contact information of all key management employees.
  • Provide the NFA with the name of and contact information for an individual who the NFA can contact in the event of an emergency.

6) GLBA: Gramm-Leach-Bliley Act

Enacted in November 1999 and enforced by the Federal Trade Commission (FTC), the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, strives to reform the United States financial services industry, specifically relating to consumer financial privacy. The GLBA includes three sections: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provision. The GLBA applies to companies that offer consumers financial products or services, including loan providers, financial/investment consultants, and insurance providers.

Key requirements of the regulation include:

  • Explain their information-sharing practices to their customers and safeguard sensitive data
  • Regular cyber and physical security assessments
  • Communications to customers on how financial data will be used and who it will be shared with
  • Opt-out opportunity if a customer is unwilling to have information shared with any third party

Outlining cyber and physical security assessments is a key tenet of cyber resiliency and IT disaster recovery. Performing these assessments regularly requires financial services firms to document the assessment process and update it as security threats evolve.

7) Commodity Futures Trading Commission (CFTC): Derivatives Clearing Organizations 17 CFR Part 39

Enacted in 2016 and revised in 2021, the United States CFTC regulation 17 CFR Part 39.18 enhances the requirements for a “derivatives clearing organization’s testing of its system safeguards.” This regulation applies to all United States derivatives clearing organizations (DCOs), which act as a medium for clearing transactions in commodities for future delivery or commodity option transactions. The regulation requires DCOs to perform:

  • An annual compliance report that must be sent to the board and CFTC
  • Vulnerability testing of independent contractors twice every quarter
  • Internal and external penetration testing at least annually
  • Control testing once every three years
  • Annual security incident response plan testing
  • Annual enterprise technology risk assessment (ETRA)

In 2021, the 17 CFR Part 39.18 revisions strengthened requirements for cybersecurity testing in the following areas:

  • Periodic risk assessments
  • Recurring tests of controls and automated system components
  • Continuous monitoring and scanning of system operation and vulnerabilities

The testing, both internal and by a third party, should include a focus on the entity’s ability to detect, contain, respond to, and recover from cyber-attacks within its systems. Recovery is a key component of resiliency and the CFTC, along with other regulatory bodies, is becoming more stringent on procedures and testing requirements.

8) GDPR: General Data Protection Regulation

Effective May 25th, 2018, the General Data Protection Regulation (GDPR) brought significant improvements in the governance, monitoring, awareness, and strategic decision-making regarding the use of consumer data. The data protection and privacy changes impact all companies, including financial institutions, that collect and/or process the data of any EU citizen.

The 88-page law contains 11 chapters and 99 articles. Article 32 focuses on stipulations specific to technology resilience and IT disaster recovery. It regulates the security of processing data and directs businesses to take organizational measures to ensure a level of security appropriate to the risk. This includes:

  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

GDPR brought wide-sweeping changes to the way organizations collect and process EU citizens’ personal data. While focused on data privacy, it also included IT disaster recovery stipulations requiring companies to have procedures for the recovery of personal data and testing to ensure the processing of data is secure.

9) SOX: Sarbanes-Oxley Act of 2002

Passed by U.S. Congress in 2002 and enforced by the Public Company Accounting Oversight Board (PCAOB), an entity created by the Securities and Exchange Commission (SEC), the Sarbanes-Oxley Act (SOX) was created to protect the public from fraudulent or erroneous practices by corporations or other business entities. SOX aims to ensure financial data security and financial record availability by mandating a yearly audit of financial statements to confirm the integrity of all data-handling processes and financial statements.

SOX impacts all publicly traded companies in the U.S. and private companies planning an IPO (privately held companies do not need to comply with the reporting requirements but are subject to the penalty and liability provisions). SOX separates the auditing and accounting of financial information and requires management to certify the accuracy of financial information, which has an impact on both financial and IT departments. SOX also increases the oversight role of the board of directors and the independence of external auditors who review corporate financial statements. The SOX data security framework can be summarized in the following five pillars:

  • Ensure financial data security
  • Prevent the malicious tampering of financial data
  • Track data breach attempts and remediation efforts
  • Keep event logs readily available for auditors
  • Demonstrate compliance in 90-day cycles

A third-party SOX compliance auditor will require your organization to demonstrate four primary security controls to be SOX compliant:

  • Secure access management control
  • Demonstrate a resilient cybersecurity framework
  • Demonstrate data backup protocols
  • Change management

Since 2002, other countries have enacted similar SOX-like regulations including Canada, France, and Italy.

While SOX is not strictly an IT disaster recovery regulation, as stated above, proving SOX compliance includes being able to ‘demonstrate a resilient cybersecurity framework.’ Ensure your company has a sound cyber resiliency framework with regular, documented tests and an audit trail.

Managing Technology Resilience Procedures to Maintain Compliance

While not an exhaustive list, this e-guide outlines some of the key disaster recovery and cyber resiliency regulations impacting financial services firms. With regulations expanding and governing bodies increasing scrutiny, the need for well-documented and proven IT disaster recovery and cyber resilience procedures will only intensify. Make sure your financial services company can manage and govern regulatory compliance with a Collaborative Automation platform. With Cutover, you can centralize your IT disaster recovery and test plans and govern recovery and resilience procedures while reducing manual tasks and increasing efficiency.

Want to know how Cutover can help? Watch this video to see how the platform works, schedule a demo, or contact us to learn more.