Applying lessons learned by the financial sector

Financial services – Achieving digital operational resilience is challenging due to the balance needed between external, internal, and strategic challenges in an increasingly digital environment. Organizations are

terminating relationships. These regulations have set a high standard for financial sector IT practices. Financial institutions

Establishing digital operational resilience requires an integrated solution across people, processes, and technology

caused regulators to widen their focus to introduce minimum requirements and comparable

reliance on third-party providers

Operations are at risk from physical damage, cyber-attacks, IT system outages, and third-party supplier failures. Natural hazards, war, political protests, and employment disputes are

The centrality of banking and financial services to economies makes the sector a recurring high priority for policymakers, political representatives, and regulators. The United States started the most recent drive for improved operational resilience in financial services in 2020 when the Federal Reserve published

Recently, many organizations in or connected with the European Union have had to prepare intensively for a raft of cybersecurity regulations, including: the Network and Information Security Directive 2 (NIS2, 2022), the Cyber Resilience Act (CRA, 2024), and for financial services, DORA (2023). [4] NIS2

The pressure on organizations to ensure cybersecurity and digital operational resilience originates from regulations in

The US National Institute of Standards and Technology (NIST) describes operational resilience as “the ability of systems to resist, absorb, and recover from or adapt to an adverse occurrence during operation that

Historically, operational resilience has mainly focused on market events, with financial and strategic resilience getting particular attention following the 2007-2009 global financial crisis.
With increasing digital

The UK added its own initiative in March 2022 when the financial regulator, the Prudential Regulation Authority (PRA), issued a supervisory statement on operational resilience,

These acts followed the 2019 European Cybersecurity Act, which strengthened the EU Agency for cybersecurity (ENISA) and introduced a certification framework for ICT products and

Frameworks for

It gives a view of all activities, functions, and components that will be affected by design or remediation, including critical processes and supporting digital assets. Its ultimate purpose is to confirm that business execution is carried out with business and

examine the resilience of their ICT infrastructure through a risk management lens in a way that had not happened before. They have applied frameworks to ensure comprehensive,

As operational resilience has moved up the agenda, the number of frameworks available to enterprises to manage it has expanded. NIST published its framework for cyber-physical resilience in 2024, while the

With DORA financial services companies as case studies, an operational resilience risk

DORA formalized ICT frameworks for banks, insurance companies, investment firms,

Shared responsibility

requiring organizations to respond swiftly to disruptions while collaborating with peers and regulators. These

was an organization’s own responsibility, but with cloud-based infrastructure, some of this responsibility transfers to the cloud service provider (CSP).

It is important to identify dependencies and security responsibilities across IT/OT infrastructure or supply chains, especially for ICT vendors linked

Attention to the right detail – lessons from Sarbanes-Oxley

third-party compliance. A fully automated system enables a company to quickly view its compliance status via dashboards

network assessments, and

Organizations must be crisis-tested to achieve control of every critical system.
Other sectors can learn from the

In complying with Sarbanes-Oxley Act (SOX) Section 404 – the requirement to assess a company’s internal controls over financial reporting – regulators

Paper compliance alone is not enough

The financial sector’s campaign to reach digital operational resilience insight and compliance revealed differences between companies that dug deep into

Realistic testing means thoroughly testing whole systems offline under simulated crisis conditions. When that system is a trading or payment platform used by thousands

The following milestones are key

The cost of disruption and fines

In 2023 the US Securities and Exchange Commission (SEC) marked developments in cybersecurity and risks by issuing its set of rules on Cybersecurity Risk Management, Strategy, Governance, and

Along with the threat to commercial activity and interruption of services, regulatory fines focus the minds of compliance, legal, and company boards. Under

– Definition of critical processes
– Assessment of third parties

While the numerous regulations across different jurisdictions may be very similar, it is where they differ that can cause non-compliance breaches or operational failure for businesses with a