ARTICLE
25 November 2025

Critical Questions - How Can Banks Bridge The Cybersecurity Gap?

Herbert Smith Freehills Kramer LLP


Cybersecurity law compliance is a complicated and costly exercise for financial institutions because of typically extensive domestic regulation and the fragmented legal landscape globally.

On this latter point, and by way of example, the definitions of critical systems, security incidents, customer, customer information, minimal system downtime and recovery time, and reporting timeframes vary from one jurisdiction to another. Given increasing regulator attention, political and societal expectations of financial institutions (including issues of 'social licence') and an ever-expanding and evolving cyber threat environment, it is essential for companies to localise their compliance approach: consider what level of compliance is suitable for the organisation based on its risk exposure in each jurisdiction, and allocate resources to risk and compliance accordingly.

Cybersecurity gap analysis can be costly and complicated

A cybersecurity gap analysis can be costly given that it requires due diligence from technical and organisational perspectives. An organisation's legal team, risk and compliance team and Information Security/IT team need to work together closely to identify all applicable cybersecurity requirements, understand the standards required and ensure there are effective technological and organisational measures in place that are sufficient to meet the requirements.

Under cybersecurity laws, owners of designated critical infrastructures (CIs) are also often subject to enhanced reporting and audit obligations in respect of their computer systems, including reporting any change in ownership of the systems, regular audits and vulnerability scans, and notification of cyber incidents.

Financial institutions are often required by regulators to identify critical systems within their organisations, which are subject to enhanced supervisory, audit and reporting requirements.


For organisations in the UK and EU, recent legislative developments and increased regulatory scrutiny have brought renewed focus to cybersecurity gap analyses as a necessary exercise. As discussed further on in this article, the Network and Information Security Directive (NIS2) and Digital Operational Resilience Act (DORA) in the EU, together with the UK's proposed Cyber Resilience Bill, have either seen or will see the introduction of a number of new changes and additional requirements, including expanded obligations around incident reporting, governance and oversight of third-party ICT providers. At the same time, financial institutions face additional requirements under the Bank of England, PRA and FCA's operational resilience framework, with full implementation having been required by March 2025, and the forthcoming Critical Third Parties (CTP) regime.

Supervisory authorities have signalled that they expect boards and senior management to take a proactive role in identifying gaps and remediating them. For many organisations, this may mean more frequent audits, increased board reporting and issue identification, greater use of board-mandated independent risk reviews, higher compliance costs, and the need to have effective mechanisms in place to track regulatory developments across jurisdictions in real time or near-real time.

Fragmented legal landscape and no one-size-fits-all approach

New cybersecurity laws to protect critical infrastructures have been enacted globally to strengthen the security of CIs' computer systems and to minimise the chance of essential services being disrupted or compromised by cyber incidents.

Notably, several global financial centres have recently introduced new cybersecurity laws or major amendments to existing laws:

Asia

  • Hong Kong has just passed the Protection of Critical Infrastructures (Computer Systems) Ordinance. The Hong Kong Government aims to establish a Commissioner's Office within the first half of 2026, with critical infrastructure operators designated in phases during the second half of 2026.
  • In Singapore, amendments to the Cybersecurity Act were passed in May 2024 to ensure that CI owners remain responsible for the cybersecurity and cyber resilience of the CI, even as they embrace new technological and business models, like the use of cloud computing.
  • We have also seen major reforms to cybersecurity laws or new cybersecurity laws in Thailand, Vietnam and Malaysia.

Australia

  • In late 2024 there was a spate of legislative action across multiple dimensions. It resulted in a new Cyber Security Act (which, amongst other things, requires any payment of a cyber ransom to be notified and introduces an information regime intended to facilitate the voluntary sharing of information with the Australian Government), amendments to the existing Security of Critical Infrastructure Act, and amendments to Australia's privacy regime (including the introduction of new regulatory powers). These also need to be seen in light of the existing prudential regulatory framework, including a comparatively new operational risk standard (CPS 230) which came into effect from 1 July 2025 and imposes broad requirements on regulated entities to manage operational risk. Together, these instruments create a challenging set of domestic regulatory commitments and requirements that require very careful navigation, with further regulatory change promised to come (and they are more problematic for regulated entities operating in additional jurisdictions).

UK/EMEA

  • NIS2 and DORA aim to harmonise and strengthen cybersecurity and resilience standards across critical sectors throughout the EU. For example, DORA applies to a wide range of financial entities (including banks, insurers, investment firms, payment institutions, and crypto-asset service providers) and requires them to manage ICT risks, report major incidents, conduct resilience testing, and oversee critical third-party ICT service providers such as cloud and data centre operators. NIS2 extends baseline cyber requirements to a broad range of "essential" and "important" entities (including financial services and digital infrastructure), expanding the scope of entities caught, introducing stricter incident reporting timelines, and harmonising penalties.
  • While some EU Member States have already transposed the EU Directive into national law, others remain in consultation or drafting stages. Once transposed, enforcement approaches may vary by sector and by Member State, with the consequence that the application of the rules may vary despite the EU-wide framework.
  • In the UK, which remains outside the EU framework, the NIS 2018 Regulations (NIS1) continue to apply. The government has proposed reforms through a forthcoming Cyber Resilience Bill that draws on elements of NIS2 but which differs in scope and application. For organisations operating in both the UK and EU, this entails monitoring two parallel regimes and ensuring compliance with the specific requirements of each jurisdiction. Financial institutions in particular may need to implement jurisdiction-specific compliance measures rather than relying on a single framework.

No contracting out of responsibilities

Although it is common practice for banks and asset managers to outsource their IT systems and data storage to external suppliers, cybersecurity laws require CI owners to remain accountable for their CIs, and such responsibilities cannot be outsourced to any third party.

For example, in Singapore, CI owners will be required to report incidents that happen in their supply chains. Similarly, in Australia, for entities regulated by the Australian Prudential Regulatory Authority, incidents arising from supply chain impacts may also be reportable where they have an impact on the regulated entity (and the regulator has been clear that relevant entities cannot outsource their regulatory compliance obligations).

In the UK, operators of essential services (including banks and asset managers) remain accountable under NIS1, even where IT or security functions are outsourced. Planned reforms via the Cyber Resilience Bill (first announced in July 2024 and expected to begin phased enforcement from 2026) will extend coverage to managed service providers while keeping accountability with the regulated entity. In financial services, the Bank of England, PRA and FCA have introduced an operational resilience regime requiring firms to identify important business services, set impact tolerances, and ensure continuity through severe disruptions, including cyber incidents. This will be reinforced by the forthcoming CTP framework, which will give regulators direct oversight of systemic technology providers (such as major cloud service operators) on which the financial sector increasingly relies. While regulators will gain new supervisory powers over these third parties, accountability will continue to rest with the boards and senior management of regulated firms. Similarly, NIS2 and DORA make clear that outsourcing and supply-chain arrangements do not diminish obligations to report incidents or ensure resilience.

Data sovereignty and localisation

Cybersecurity laws in jurisdictions such as China and Vietnam impose data sovereignty and data localisation requirements, as well as reporting and auditing requirements, on CI owners in respect of their IT systems, IT vendors and data storage solution providers.

In India and Indonesia, the banking sector regulators have also required banks to store certain types of data onshore unless an exemption is applicable.


The main objective of these laws is to ensure critical data (including technology data, business data and personal data) is stored onshore and to enhance cybersecurity of CI owners and national security.

Unlike several Asian jurisdictions, the UK, EU and Australia have not imposed strict data localisation rules. Instead, the focus has been on ensuring secure cross-border data transfers and maintaining high standards of data protection. Under the UK and EU GDPR, personal data may only be transferred outside the region where adequate safeguards exist, and both regimes have extra-territorial effect where companies outside the jurisdiction offer goods or services within it. Similar positions apply under Australia's privacy regime. In addition, sector-specific regimes require firms to maintain visibility and control over data flows, but stop short of mandating onshore storage. For instance, the UK operational resilience framework and forthcoming CTP regime, alongside the EU's DORA, place obligations on financial services entities to oversee ICT and cloud providers, including those headquartered overseas. The emphasis is therefore on accountability and resilience rather than strict localisation.

In summary

Given the fragmentation in cybersecurity laws and new legislation and regulatory requirements, financial institutions will need to assess where their critical data is stored and identify their critical systems to understand their risk exposure in each jurisdiction.

Given the potential for regulatory gaps to exist for multinationals operating in multiple jurisdictions (and this gap is perhaps most notable for those operating in both the UK and EU), financial institutions and asset managers must adopt tailored, jurisdiction-specific compliance strategies rather than relying on a single international framework.

The legal risks of non-compliance, and the legal and financial implications for institutions that fail to meet the requisite standards, are expected to increase as regulatory intervention and the financial impacts of non-compliance grow (and in some jurisdictions grow significantly from the current levels of practical regulator exposure).

Financial institutions should work with their IT, legal, and risk and compliance teams so that they fully understand the applicable requirements and how they apply to their organisation.

Cybersecurity law compliance should not be regarded as a box-ticking exercise, but as an essential exercise with real impact in preventing cyber incidents and as a critical element in maximising the organisation's business continuity.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
