Computer Security Day: The role of leadership in protecting data

This Computer Security Day, it is important to recognize that strong leadership drives effective cybersecurity and ensures regulatory compliance.

27 November 2024 5 mins read
By Aarti Agarwal
Written by humans


Computer Security Day is a welcome reminder for us to recognize the role that human decision-making and influence have in cybersecurity. While firms must implement the right technological tools for data protection, those tools are only as effective as the leadership that spearheads them. Top-level accountability and proactive policy management are increasingly critical in safeguarding data, in ensuring compliance with regulatory requirements, and in setting the right example for employees throughout a business to follow.

Tone from the top

The C-suite is under growing scrutiny from regulators and stakeholders around how their firms handle sensitive data and respond to threats to cybersecurity.

Inadequate controls and a lack of clear direction can have severe consequences. Recent high-profile cases highlight just this. In September 2024, Swedbank’s Chief Executive Officer and Citigroup’s Chief Operations Officer were both reprimanded for data handling failures that led to reporting failures and weak anti-money laundering protocols. Here, the firms suffered both reputational and financial damage, as well as a broader erosion of trust between financial institutions and regulators. In terms of individual impact, Swedbank’s former CEO was sentenced to 15 months of jail time as a result of the data mishandling issue and her comments around it.

These cases where senior managers are held directly accountable for their lack of proper oversight over departmental functions demonstrate the need for effective C-suite focused action – because regulators can, and will, hold senior-level individuals to account.

Operational Resilience is a global issue

Regulators are looking to promote integrity and prevent reputational damage by placing greater focus on cybersecurity. The Securities and Exchange Commission’s (SEC) 2025 examination priorities place particular emphasis on whether firms have robust policies and procedures to address cybersecurity risks, including those tied to third parties.

This is a clear signal for firms to align their cybersecurity efforts with leadership accountability, ensuring a strong ‘tone from the top’, with senior figures leading by example. In its examination priorities, the SEC has acknowledged that operational risks are elevated due to an increasingly complex cybersecurity landscape, confirming that it will scrutinize whether firms are managing information security and operational risks. The SEC has noted that disruptive events such as the CrowdStrike outage have not gone unnoticed, and that it will assess the effectiveness of incident response plans as well as firms’ data loss prevention strategies to prevent such mistakes being repeated.

The need for a comprehensive operational resilience strategy to ensure data security and service continuation in an increasingly sophisticated cyber landscape is vital to prevent attacks compromising sensitive data, where operational resilience becomes the safety net that catches a firm’s fall in case something goes awry.

It is also clear that, without a robust operational resilience strategy, there is more at stake than sensitive data: reputational damage and, potentially, the integrity of entire markets are also on the line. Consider the hack of the SEC’s own X account in early 2024, which led to billions of dollars’ worth of impact on markets and left the then-Chair of the SEC, Gary Gensler, on the receiving end of difficult questions. This hack occurred because two-factor authentication was not in place on mobile phone access to the account, causing considerable embarrassment for the SEC, as the regulator fell foul of its own cybersecurity rules and guidance.

Operational resilience is also becoming a key focus for other global regulators. Europe’s Digital Operational Resilience Act is set to take effect in early 2025, and has been viewed as a game-changer for financial services. It mandates a holistic approach to mitigating risk, with an emphasis on governance, stating that the C-suite must instil a culture of security at all levels of the organization, viewing cybersecurity as a business priority, not a tick box exercise.

The Financial Conduct Authority (FCA) has also introduced legislation around operational resiliency requirements that comes into effect in early 2025, with PS21/3: Building operational resilience requiring firms to embed operational resilience into their overall risk frameworks, including response and recovery plans, substantial scenario testing, and identifying important business services to ensure these can still be delivered in the event of an outage.

With regulatory expectations around operational and cyber resilience increasing, leaders actively involving themselves in cybersecurity, and viewing it as the foundation of a firm’s ultimate mission sends a powerful message to employees and builds a more effective culture of compliance.

From the top down, human responsibility is key to cybersecurity

While the human element of cybersecurity is often overlooked, it is critical to today’s threat environment, as regulatory expectations heighten and cyber risks become more complex. Firms must look to prioritize leadership accountability and policy management to protect data and ensure operational resilience. Fostering a strong tone from the top, and addressing existing vulnerabilities in compliance frameworks, is essential for success and integrity. With senior leaders setting the right example to follow, and being seen to ‘practice what they preach’ on cyber resilience, firms will establish stronger, more compliant cultures and better resilience.

The Global Relay App ensures operationally resilient business communication by working with your BCPs to guarantee your business as usual communications within and external to your organisation. You can work confidently knowing your business is resilient and meeting regulatory standards.

