Stay in the know
Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead
Cybersecurity law compliance is a complicated and costly exercise for financial institutions because of typically extensive domestic regulation and the fragmented legal landscape globally.
On this latter point, and by way of example, the definitions of critical systems, security incidents, customer, customer information, minimal system downtime and recovery time, and reporting timeframes vary across different jurisdictions. Given increasing regulator attention, political and societal expectations on financial institutions (including issues of ‘social licence’) and an ever-expanding and evolving cyber threat environment, it is essential for companies to localise their compliance approach by considering what level of compliance is suitable for their organisation based on their organisation's risk exposure across different jurisdictions and allocate appropriate resources to risk and compliance accordingly.
A cybersecurity gap analysis can be costly given that it requires due diligence from technical and organisational perspectives. An organisation’s legal team, risk and compliance team and Information Security/IT team need to work together closely to identify all applicable cybersecurity requirements, understand the standards required and ensure there are effective technological and organisational measures in place that are sufficient to meet the requirements.
Under cybersecurity laws, designated critical infrastructures (CIs) owners are also often subject to enhanced reporting and audit obligations in respect of their computer systems, including reporting any change in ownership of the systems, regular audits and vulnerabilities scans, and notification of cyber incidents.
Financial institutions are often required by regulators to identify critical systems within their organisations, which are subject to enhanced supervisory, audit and reporting requirements.
For organisations in the UK and EU, recent legislative developments and increased regulatory scrutiny have brought renewed focus to cybersecurity gap analyses as a necessary exercise. As discussed further on in this article, the Network and Information Security Directive (NIS2) and Digital Operational Resilience Act (DORA) in the EU, together with the UK’s proposed Cyber Resilience Bill, have either seen or will see the introduction of a number of new changes and additional requirements, including expanded obligations around incident reporting, governance and oversight of third-party ICT providers. At the same time, financial institutions face additional requirements under the Bank of England, PRA and FCA’s operational resilience framework, with full implementation having been required by March 2025, and the forthcoming Critical Third Parties (CTP) regime.
Supervisory authorities have signalled that they expect boards and senior management to take a proactive role in identifying gaps and remediating them. For many organisations, this may mean more frequent audits, increased board reporting and issue identification, greater use of board-mandated independent risk reviews, higher compliance costs, and the need to have effective mechanisms in place to track regulatory developments across jurisdictions in real time or near-real time.
New cyber security laws to enhance the protection of critical infrastructures have been enacted globally to strengthen the security of the computer systems of CIs and to minimise the chance of essential services being disrupted or compromised in connection with any cyber incidents.
Notably, certain global financial centres have recently introduced new cybersecurity laws or introduced major amendments to existing laws:
Although it is common practice for banks and asset manager to outsource their IT systems and data storage to external suppliers, cybersecurity laws require CI owners to remain accountable for their CIs and such responsibilities cannot be outsourced to any third party.
For example, in Singapore, CI owners will be required to report incidents that happen in their supply chains. In the case of Australia, for those entities which are regulated by the Australian Prudential Regulatory Authority, similarly incidents arising from supply chain impacts may also be reportable where they have an impact on the regulated entity (and the regulator has been clear that relevant entities cannot outsource their regulatory compliance obligations).
In the UK, operators of essential services (including banks and asset managers) remain accountable under NIS1, even where IT or security functions are outsourced. Planned reforms via the Cyber Resilience Bill (first announced in July 2024 and expected to begin phased enforcement from 2026) will extend coverage to managed service providers while keeping accountability with the regulated entity. In financial services, the Bank of England, PRA and FCA have introduced an operational resilience regime requiring firms to identify important business services, set impact tolerances, and ensure continuity through severe disruptions, including cyber incidents. This will be reinforced by the forthcoming CTP framework, which will give regulators direct oversight of systemic technology providers (such as major cloud service operators) on which the financial sector increasingly relies. While regulators will gain new supervisory powers over these third parties, accountability will continue to rest with boards and senior management of regulated firms. Similarly, NIS-2 and DORA make clear that outsourcing and supply-chain arrangements do not diminish obligations to report incidents or ensure resilience.
Cybersecurity laws in jurisdictions such as China and Vietnam impose data sovereignty and data localisation requirements and reporting/ auditing requirements on CI owners in respect of their IT systems, IT vendors and data storage solution providers.
In India and Indonesia, the banking sector regulators have also required banks to store certain types of data onshore unless an exemption is applicable.
|
|
The main objective of these laws is to ensure critical data (including technology data, business data and personal data) is stored onshore and to enhance cybersecurity of CI owners and national security.
Unlike several Asian jurisdictions, the UK, EU and Australia have not imposed strict data localisation rules. Instead, the focus has been on ensuring secure cross-border data transfers and maintaining high standards of data protection. Under the UK and EU GDPR, personal data may only be transferred outside the region where adequate safeguards exist, and both regimes have extra-territorial effect where companies outside the jurisdiction offer goods or services within it. Similar positions apply under Australia’s privacy regime. In addition, sector-specific regimes require firms to maintain visibility and control over data flows, but stop short of mandating onshore storage. For instance, the UK operational resilience framework and forthcoming CTP regime, alongside the EU’s DORA, place obligations on financial services entities to oversee ICT and cloud providers, including those headquartered overseas. The emphasis is therefore on accountability and resilience rather than strict localisation.
Given the fragmentation in cybersecurity laws and new legislation and regulatory requirements, financial institutions will need to assess where their critical data is stored and identify their critical systems to understand their risk exposure in each jurisdiction.
Given the potential for regulatory gaps to exist for multinationals operating in multiple jurisdictions (and this gap is perhaps most notable for those operating in both the UK and EU), financial institutions and asset managers must adopt tailored, jurisdiction-specific compliance strategies rather than relying on a single international framework.
The legal risks of non-compliance and the legal and financial implications if they fail to meet the requisite standards, including as regulatory intervention and financial impacts of non-compliance are expected to increase (and in some jurisdictions, increase significantly from the current levels of practical regulator exposure).
Financial institutions should work with their IT, legal and risk and compliance teams so that they fully understand the requisite requirements and how they apply to their organisation.
Cybersecurity law compliance should not be regarded as a check-box to tick, but an essential exercise with real impact in preventing cyber incidents and as a critical element in maximising business continuity of the organisation.
Partner, Head of TMT, Asia, Singapore
Senior Associate (Australia), Singapore
Senior Associate, London
Senior Associate (Australia), Singapore
Associate, London
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills Kramer 2026
Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead