Martin Maas CISO
13 October 2023

The Need for Robust Compliance Frameworks in the Financial Sector

In the financial sector, regulatory oversight is omnipresent. Regulatory bodies ensure that laws and regulations are adhered to, and organizations in this industry must comply with a wide array of directives. In the Netherlands and Europe these are entities like DNB (De Nederlandse Bank), AFM (Autoriteit Financiële Markten), AP (Autoriteit Persoonsgegevens), ECB (European Central Bank), EIOPA/EAVB (European Insurance and Occupational Pensions Authority), and the list goes on. Each authority has its own set of controls and measures aimed at achieving specific objectives, such as safeguarding personal data, ensuring transaction integrity, identifying and managing risks, and upholding confidentiality and security.

However, this regulatory landscape is not static but subject to periodic review and updates. What is considered adequate today may change tomorrow. Organizations must not only conduct their own risk assessments but also consider changes in legislation that impact how they can ensure the quality and security of their services.

"When organizations decide to use cloud services or outsource system management and maintenance, they also need to think about how they can continue to comply with their existing obligations."

Adding Controls Smartly and Efficiently

It’s evident that a mature and often complex compliance framework is needed to meet all these requirements. Achieving compliance becomes much more manageable when you consider the requirements of multiple standards and regulations collectively. For example, if you have clients in the public sector, they may require a signed integrity declaration for every employee involved in their services. You can streamline this by adding this control to an existing onboarding check for team members serving this client. This way, you design one control that meets multiple standards, making it more efficient.

When organizations decide to use cloud services or outsource system management and maintenance, they also need to think about how they can continue to comply with their existing obligations. For instance, at Solvinity, we have a compliance framework based on SOC 2 measures, supplemented with requirements from our own regulators and those of our clients.

An "In Control" Declaration

The Solvinity Compliance Framework serves as the basis for our SOC 1 and SOC 2 assurance reports, prepared annually by an independent auditor. We observe that some of our more mature clients supplement these assurance reports with customized controls. These can range from quarterly restores of selected machines, databases, or mailboxes to quarterly checks on user and administrator accounts. The results of these controls, in conjunction with the assurance reports, contribute to their unique ‘in control’ declaration.

In the modern landscape, a comprehensive approach to compliance extends beyond the immediate organization. Recent incidents have underscored the importance of monitoring compliance across the entire supply chain. It’s advisable to conduct a risk analysis for extended supply chains, even in cases of sub-outsourcing.

"Collaboration within the sector and with specialized service providers can assist in navigating this complex landscape and ensuring organizations remain compliant with ever-changing standards and regulations."

Meeting the Challenges of New Legislation

The introduction of new regulations, such as the Digital Operations Resilience Act (DORA) and the Network and Information Security Directive 2 (NIS2), places added emphasis on the significance of compliance and comprehensive supply chain management. NIS2 establishes stricter requirements, encompassing risk management, cybersecurity policy, incident handling, reporting, business continuity, vulnerability management, security testing, and supply chain management.

At Solvinity, we have brought the management of both private cloud and Microsoft Azure Public Cloud within the scope of our SOC 1 and SOC 2 audits. Since 2020, Solvinity has been the first major Dutch IT service provider to include the management of Azure public cloud client environments within the scope of SOC 1 & 2® audits, successfully completing these audits for the third time in 2023. This development holds particular significance for clients with hybrid cloud environments, as compliance with platform management, account and identity management, vulnerability management, backups, and more is all demonstrated in one assurance report.

The Value of Collaboration

Lastly, with the rise of DevOps and Agile-like environments, the need for continuous and automated security testing during development has emerged. This is far more effective than the traditional approach of annual vulnerability and security scanning. In combination with a DevSecOps policy and a flexible cloud platform, security becomes an integral part of the entire IT landscape and the ultimate service to the customer’s customer.

The compliance landscape in the financial sector is ever-evolving. It is crucial for IT leaders in this field to stay updated on these developments and adjust their frameworks to meet the latest requirements. Collaboration within the sector and with specialized service providers can assist in navigating this complex landscape and ensuring organizations remain compliant with ever-changing standards and regulations.

If you have questions about compliance or want to learn more about how Solvinity supports organizations in the financial sector, please don’t hesitate to reach out. Together, we can ensure that your services remain secure and compliant in this dynamic environment.

Sign up for the Solvinity Newsletter

Receive the latest news, blogs, articles and events.
Subscribe to our newsletter.
Background Icon

Other articles

more articles

More