NIS2: Almost a year on, why are companies falling short of cybersecurity requirements?

Steve Rackham, CTO for Financial Services, NetApp

The news of companies falling victim to cyberattacks is hitting headlines almost every week, costing millions in recovery costs and reputational damage. With terabytes of highly sensitive data, the financial services industry is no stranger to cyber threats. Just recently, a cyber incident at Allianz Life resulted in unauthorised access to the personal data of 1.1 million customers.

As a result of these incidents, global financial institutions are ramping up security measures to boost their resilience, ensuring the correct measures are in place to mitigate any losses and ensure a fast recovery when attacks do occur. In October 2024, the EU’s Network and Information Systems 2 (NIS2) directive became effective, mandating that the financial industry, among others, adopts robust risk management to limit successful attacks. It sets out standards for cybersecurity, disaster recovery strategies and stronger resilience.

Data management plays an essential role in supporting businesses to meet these requirements. By strengthening data governance, including how it is stored, accessed and shared, firms are better positioned to reduce operational risk and keep pace with regulatory expectations.

Where to start?

Almost a year after NIS2 came into effect, a report by Aon found that only 42% of UK businesses would be ready if NIS2 were to apply to them. Businesses that are aligned with NIS2 rules are in a better position to adapt, not just to incoming rules but to new, evolving threats. Specifically, IT leaders who map out their existing digital processes and data infrastructure will be able to recognise potential vulnerabilities and address them to fit the requirements.

The UK Cyber Security and Resilience Bill, expected to be enacted in 2025, emphasises, much like Article 21 of NIS2, the availability and reliability of critical systems and data. As a first step to achieving this, businesses should look to build visibility across their entire data ecosystem. By mapping data flows and applying access controls, for example, firms will be able to limit the risk of sensitive information becoming corrupted and respond to threats effectively. For UK firms, achieving compliance with NIS2 today puts them in a stronger position to meet the UK’s forthcoming requirements with fewer adjustments.

Turning data insight into data protection

Once businesses have a clear map of their data, they can then prioritise securing the most sensitive assets. Tools can support this process by identifying, organising and encrypting critical information. Classifying data in this way also supports businesses in meeting access control requirements of NIS2.

This also means that businesses are better positioned to quickly respond to anomalies in network traffic or suspicious transactions. Automated tools can support continuous monitoring and the regular testing of security systems, as required under NIS2. Beyond helping organisations meet EU compliance obligations, these measures will also position companies to be better prepared for the upcoming Cyber Security and Resilience Bill once it comes into force.

Response and recovery in an evolving threat landscape

NIS2, like other regulations, mandates strict response and reporting protocols. A well thought-out, proactive data management strategy not only supports businesses in reducing the likelihood of an attack, but also bolsters resilience and recovery when attacks do occur.

For example, creating secure duplicates of crucial data, such as transaction information, means it can be protected from corruption by bad actors, supporting continuity. And with automated security training, multi-factor authentication, and access controls in place, businesses are better positioned for continuous NIS2 compliance and to approach cybersecurity holistically.

NIS2 isn’t a nice-to-have

Comprehensive cyber prevention measures that span entire data infrastructures are essential for limiting threats and the impact of attacks. The Allianz Life incident, which compromised customers’ personal data, serves as a stark reminder that even established financial institutions remain vulnerable to sophisticated cyber threats.

UK financial services firms that achieve NIS2 compliance today will be best positioned to meet future regulatory requirements while building robust protection against evolving cyber threats. For financial institutions navigating an increasingly hostile cyber environment, comprehensive resilience and compliance measures have evolved from best practices to today’s business necessities.
