
Software risk management: Regulation round-up


Around the world, regulators and financial markets supervisors are increasing their scrutiny of how firms manage software risk and enterprise digital resilience. 

The European Union, for example, is readying its Digital Operational Resilience Act (DORA), which will require firms to put a formal technology governance framework in place and impose fines on firms whose software fails for avoidable reasons. (You can read a white paper on DORA and its impact – published by leading software testing services vendor Expleo, with research by QA Financial – here.)

We’ll be watching and reporting on further developments in the implementation of DORA, which was formally adopted as legislation by the European Council last November.

Meanwhile, here’s our round-up of important regulatory news announcements in February relating to software risk management – as we’ll describe it for convenience – at financial firms.

US Treasury’s Shambaugh praises DORA

During a February conference speech, Jay Shambaugh, the US Treasury under secretary for international affairs, spoke about the need to address challenges surrounding cybersecurity and operational resilience for the financial sector.

Shambaugh praised the EU Digital Operational Resilience Act (DORA), claiming it “overhauls the EU’s cybersecurity framework to meet the challenges of the modern era”. He went on to highlight the importance of collaboration with private sector institutions. “Securing the financial sector must be done in partnership with companies, who operate most of the financial sector’s critical infrastructure,” he said. “It has been our priority to improve information sharing between the public and private sector over the last year”.

He concluded this section of the speech by outlining the need for international cooperation when dealing with the challenges posed. “We are committed to working with the private sector to address these challenges. And because cloud is a global technology, we should avoid international regulatory fragmentation that could make cloud services less secure and resilient. We’ve started initial conversations with our likeminded counterparts, including our friends in the EU, and hope to progress further in the coming months and years.”

Full text available here.

US Treasury highlights cloud technology risks

The US Department of the Treasury released a report outlining its views on the benefits and challenges associated with the adoption of cloud technologies by financial sector institutions.

The report found that cloud services could improve the resilience and security of financial institutions, but also identified a number of significant challenges:

– Lack of transparency concerning the details of incidents impacting their systems hinders due diligence and monitoring by financial institutions.

– Workforce talent shortages may hinder the adoption of cloud services by financial institutions.

– Increased exposure to incidents originating from a cloud service provider.

– Potential broad-market impacts of the highly concentrated cloud service provider marketplace.

– The highly concentrated nature of the cloud service marketplace may make contract negotiations more difficult for financial firms.

– The complexity of the global regulatory landscape for cloud technology may make it difficult to scale up cloud-integrated offerings.

The full report proposes recommendations for the secure and responsible adoption of cloud technologies by financial institutions.

The full US Treasury report is available here.

NIST launches AI risk management framework playbook

The US National Institute of Standards and Technology (NIST) has launched a GitHub-hosted playbook that suggests ways to apply the recently released AI Risk Management Framework version 1.0 (AI RMF 1.0), which provides guidance for organisations on best practices for designing and managing trustworthy and reliable artificial intelligence systems. NIST has announced that it will continue to take comments on the playbook, reviewing and integrating them semi-annually.

The hope is that this iterative approach will enable the framework to continue to adapt to the ongoing changes in technology and understanding, NIST said.

Link to the playbook available here.

Bank of England publishes outsourcing policy

The Bank of England has published its policy on outsourcing and third-party risk management for financial market infrastructures. The new policy takes the form of a series of supervisory statements and an addition to its Code of Practice.

The new policy aims to set out the Bank’s requirements in relation to outsourcing and third-party risk management, and to build upon the Bank of England’s response to the Future of Finance report by helping to facilitate the adoption of cloud and other technologies.

Full policy details available here.

UK government calls for views on software resilience and security

The UK government has called for views on software resilience and security from relevant organisations in order, it says, to begin to understand how best to address software-associated risks and create a more resilient digital environment.

This could signal a continuation of the trend towards increased regulatory oversight for the sector.

Full publication available here.

EU regulators set new deadline for Broadcom bid for VMware

EU antitrust regulators have set a deadline of June 7th to make a final decision on whether to clear or block San Jose-headquartered technology company Broadcom’s $61bn bid for cloud computing provider VMware. The announcement follows the resumption of the EU’s investigation, which was temporarily suspended on January 31st.