Over the last two years, many new regulations have been rolled out specifically relating to the banking, financial services and insurance (BFSI) sector. These regulations impact various technologies and processes such as cloud, consumer protection, privacy and data sovereignty.  

Among the many reasons for this surge is the accelerated adoption of new technology during the coronavirus pandemic. While this trend helped organizations quickly adapt to business disruptions, many organizations were only able to move so quickly because they either fast-tracked risk evaluations for these new technologies or skipped risk evaluations entirely. Many technologies also required risk and cybersecurity teams to be upskilled to better identify risk exposure, but with limited time, training was sometimes put on hold.    

Rushed adoption and overlooked security procedures increased organizations’ exposure to breaches, some more than others. Research into the cost of data breaches globally shows the Middle East trending as the second most expensive region in terms of average cost of breached data, up from 2021. The financial sector stands as the second most targeted sector globally.  

Although these surges appear to be linked to the pandemic, they are not limited to the pandemic. As technology adoption continues, new security risks will emerge and new regulations will be introduced. Businesses need a way to outpace these changes, to move from a manual, reactive approach to regulatory tracking, to an automated, proactive one. 

A new pace for technology regulations

The release of regulations is closely linked to the adoption of new technologies, specifically when those technologies can potentially impact organizations and the sector at large (e.g. UAE’s Critical Information Infrastructure Protection Policy). Faster adoption of technologies during the pandemic has therefore led to faster roll out of regulations. The diagram below shows the timeline of technology adoption since to pandemic compared to the estimated timeline had the pandemic not occurred.   

Regulators in the UAE have been releasing regulations addressing cybersecurity and technology risks for over 10 years, but the last two years has seen a sudden increase in the regulations with an added stringent adherence clause. The list below shows just some of the regulations and initiatives enacted in the UAE between 2020 and 2022 that have an impact on banks and BFSI sector. 

• Federal Law No 15 of 2020 on Consumer Protection (Consumer Protection Law) 
• Federal Decree Law No. 45 of 2021 on the Protection of Personal Data   
• Central Bank UAE: Stored Value Facilities Regulation 2020   
• DIFC and ADGM have recently enacted updated data protection in 2020 and 2021 respectively    
• Central Bank of UAE (CBUAE), vide Circular No.15/2021 dated 06.06.2021, issued the Retail Payment Services and Card Schemes (RPSCS) 
• Establishing UAE Cybersecurity Council in 2020 to develop comprehensive cybersecurity strategy 

With critical entities and organizations throughout the Middle East’s BFSI sector widely adopting newer technologies, regulators are pushing the release of more regulations, some of which may not be very clear or mature.    

For example: In certain cases, Central Bank of UAE requires banks to seek CB UAE’s approval for data stored outside the region. This may not be a sustainable model considering changes that banks in the regions are going through, such as some larger banks switching to cloud computing. It is likely that this approval process will be replaced with stronger and mature regulations in the future, but for now, this requirement from Central Bank has introduced delays and uncertainty in DevOps cycles and is impacting agile working methodologies.

The manual-tracking issue

With most countries in the Middle East embarking on digitalization initiatives and new business propositions gaining popularity, organizations can expect more regulations to be rolled out. This could pose a challenge because businesses are already struggling to keep up with all these new regulations due to outdated approaches, such as manually tracking regulatory requirements using a spreadsheet-based repository.

Such manual approaches have several shortcomings:

Siloed and difficult to maintain

Spreadsheet-based repositories are generally built as a onetime effort by individual teams with limited access or communication with each other. These registers are often ignored because manually tracking new regulations and updating the registers requires extensive effort. 

Limited implementation  

Repositories are generally built to mainly capture regulation requirements, with little to no analysis of the applicability of the clauses or mapped controls.  

Lack of visibility  

If the applicable regulation registers are not regularly updated or if access is limited, organizations and technology functions cannot know their true level of compliance with regulatory requirements, leaving them vulnerable to hackers and penalties from regulators.   

Frequent noncompliance

A common noncompliance reported by internal audits is lack of regulatory adherence or use of outdated regulations, and lack of awareness of new applicable regulations. 

How to address this challenge

To keep up and remain compliant, organizations can no longer rely on manual regulatory monitoring; they need the support of a strong regulatory compliance program that is specific to technology and cybersecurity. 

At a minimum, this program should: 

• Continuously checks for changes in the regulations   
• Establish mapping between the regulations and organizational structures/controls  
• Be easily accessible for teams and functions   
• Clearly describe the requirements of each regulation  
• Track timelines where applicable

To establish and maintain a program like this, organizations first need to build a robust, well-maintained regulatory repository, then embed those regulatory requirements into normal operations by linking them to the organization’s common control framework, as shown in the diagram below. 

As long as organizations consider identifying and implementing regulations as separate tasks, the chance of losing track of compliance is high. This is especially true for organizations operating across multiple geographies because regulations can differ so much from region to region.

The first step in developing a strong regulatory compliance program is to develop a robust repository of regulations, one that is comprehensive and continuously updated. This will ensure that the organization is always up to date on the latest regulations and able to map them to common control. The diagram below shows several ways a well-maintained repository can benefit technology and cybersecurity operations.

Organizations can further enhance their security programs by incorporating automation at every stage:

• Auto-feeds from regulators to a central location/platform  
• Mapping regulations to controls and common control frameworks  
• Publishing regulation registers to other teams/functions in the organization   
• Link common control feeds with the audit workflows and other relevant outlets

With the regulatory landscape for technology and cybersecurity constantly changing, it can be hard enough to keep track of what’s changed, especially for global businesses operating in different countries. To be prepared for these changes and actually be able to work with them, businesses need to be more proactive with their regulatory tracking, and automation can help.

You can learn more about Wipro’s cybersecurity and risk management solutions.

Anoop Ravindra

Partner & Head of Cybersecurity & Risk Consulting Services — Middle East, Wipro

Anoop has more than 19 years of experience in cybersecurity, information and technology services, working across various sectors and specializing in BFSI. He has worked with several large global clients on technology, risk, and cybersecurity initiatives