Investment Operations

Operational Resilience: US vs Europe

SEC Customer Protection Rule 15c3-3 training course

Operational resilience has become a critical concern for businesses, governments, and regulators alike. The increasing frequency and severity of disruptions, such as cyber-attacks, natural disasters, and pandemics, have highlighted the need for organizations to have robust plans in place to ensure continuity of critical functions and services. In response, regulatory bodies in the U.S. and Europe have proposed or implemented regulations aimed at enhancing operational resilience. In this article, we will discuss the current and proposed regulations in the U.S. and Europe.

Regulation in the U.S.

Currently, the U.S. does not have a comprehensive regulatory framework for operational resilience. However, several regulatory bodies have proposed or implemented regulations related to operational resilience.

  1. The Federal Reserve: In 2019, the Federal Reserve proposed supervisory guidance for large banks on operational resilience, which includes guidance on identifying, assessing, and managing operational risks, as well as testing and recovery planning.
  2. The Securities and Exchange Commission (SEC): The SEC has proposed a rule that would require publicly traded companies to disclose information about their operational resilience, including how they identify, assess, and manage risks to their operations.
  3. The Commodity Futures Trading Commission (CFTC): The CFTC has proposed a rule that would require certain derivatives clearing organizations to have robust operational resilience plans in place, including procedures for testing and recovery in the event of a disruption.
  4. The National Institute of Standards and Technology (NIST): NIST has issued a draft framework for improving critical infrastructure cybersecurity, which includes guidance on operational resilience planning and incident response.
  5. The Department of Homeland Security (DHS): The DHS has implemented a program called the Cybersecurity and Infrastructure Security Agency (CISA) which aims to improve the resilience of critical infrastructure against cyber threats.

Overall, the proposed and implemented regulations are focused on identifying and managing operational risks, testing and recovery planning, and incident response.

Regulation in Europe

In contrast to the U.S., Europe has taken a more coordinated approach to operational resilience regulation. The European Union (EU) has introduced several regulations that aim to improve operational resilience across different sectors.

  1. The Network and Information Systems Directive (NIS Directive): This directive, implemented in 2018, requires operators of essential services, such as energy, transport, banking, and healthcare, to ensure the security and continuity of their services. It also requires member states to establish a national framework for cybersecurity and incident response.
  2. The General Data Protection Regulation (GDPR): The GDPR, implemented in 2018, requires organizations to ensure the confidentiality, integrity, and availability of personal data. This includes having appropriate technical and organizational measures in place to protect against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of data.
  3. The Banking Union: The Banking Union, established in 2014, aims to create a more integrated and stable banking system in the EU. It includes regulations on capital requirements, supervision, and resolution, as well as stress testing and recovery planning.
  4. The Payment Services Directive 2 (PSD2): The PSD2, implemented in 2019, aims to improve the security and resilience of electronic payments. It requires payment service providers to implement strong customer authentication, as well as risk management and incident reporting.
  5. The Insurance Distribution Directive (IDD): The IDD, implemented in 2018, aims to improve consumer protection and market efficiency in the insurance sector. It includes requirements for insurance distributors to have appropriate measures in place to ensure continuity of their services in the event of a disruption.

Overall, the regulations in Europe are more prescriptive and sector-specific than those in the U.S. They require organizations to have specific measures in place to ensure operational resilience, such as incident response plans, stress testing, and recovery planning.

Recent Comments

No comments to show.


Popular Tags