In the world of cybersecurity and evolving regulations, it is vital for businesses to remain up-to-date on changes in regulations and the compliance measures necessary to meet their standards. Businesses must navigate evolving regulations such as DORA (EU), SEC cybersecurity disclosures, and NYDFS rules, while learning how to comply with these laws, safeguard their data from cybersecurity threats, and maintain transparency with clients, investors, and relevant authorities. To stay compliant, businesses must constantly monitor these changes and engage legal expertise to make certain that their security practices and disclosures are in accordance with the law. Comerica is committed to ensuring that our business partners remain informed regarding recent regulatory changes that affect cybersecurity practices and how to remain compliant with these regulations.
Digital Operational Resilience Act (DORA): The five pillars of compliance
Beginning in January 2025, the EU introduced DORA to protect financial entities from ICT (Information and Communication Technology) cyberattacks and other related threats. Under this act, the European Supervisory Authorities (EBA, EIOPA, ESMA) provide an oversight framework for ICT third-party providers to protect entities from ICT disruptions. This framework consists of five essential obligations that financial entities must fulfil and sustain in order to remain compliant.
- ICT risk management – This provision demands that financial entities be proactive in conducting risk assessments, remain educated and aware of cybersecurity threats, and create durable incident response plans for potential breaches.
- Incident reporting – Entities must report all ICT-related incidents to relevant authorities in a timely and thorough manner. This ensures that both internal stakeholders and outside authorities are alerted to these breaches and can respond swiftly and appropriately. This provision ensures that financial entities are transparent in relation to cybersecurity breaches and that authorities are informed of the steps being taken by financial entities to mitigate these breaches, ensuring that they do not occur again.
- Digital operational resilience testing – This provision requires that financial entities frequently test their ICT systems and protocols to ensure that they are resilient to attacks and breaches. Any security gaps discovered in these tests should be thoroughly assessed, and steps must be taken to remedy them with tested and effective safeguards.
- ICT third-party risk management – Financial entities must verify that the third-party service providers they use apply the same approved standards of digital security and ICT risk protection. Consequently, entities must have contracts with third-party providers ensuring that these partners are also compliant with DORA regulations.
- Information sharing – This provision requires entities to share all information regarding cybersecurity threats and vulnerabilities with authorities as well as other entities to ensure that attacks can be prevented elsewhere. This fosters a collaborative spirit and ensures that the financial sector remains vigilant, informed, and up-to-date on ever-evolving security risks involving ICT attacks.
For more information, see: https://www.digital-operational-resilience-act.com/
SEC Cybersecurity disclosures
In 2023 and 2024, the SEC released new mandates on the cybersecurity disclosures that public companies must make regarding cybersecurity attacks. Companies must file annual reports disclosing their cybersecurity risk management and strategy, demonstrating that they have instituted robust cybersecurity measures while maintaining transparency with stakeholders and with the authorities. In Form 10-K, companies are required to report:
- Cybersecurity incidents in full detail, including the nature and timing of the incident, the scope of its impact and breach, as well as the impact on the company, financial and otherwise.
- A cybersecurity incident is defined as an unauthorized breach in a company’s “information systems.” This includes resources owned by third parties.
For more information, see: https://www.sec.gov/rules-regulations/2023/07/s7-09-22
NYDFS Cybersecurity regulation
The DFS (Department of Financial Services) has instituted special regulations that require financial services companies to be proactive in their approach to cybersecurity threats. New rules have been added to these regulations that further regulate how entities approach risk management. These include:
- Updated and additional requirements in relation to reporting cybersecurity attacks, including a new requirement in relation to ransomware attacks.
- Requirements for personnel training in relation to cybersecurity and risk management.
- Stronger access controls to mitigate the threat of attacks.
- Requirements for regular and consistent risk and vulnerability assessments, including response strategies to incidents, business continuity, and disaster recovery planning.
- Regulations for annual cybersecurity training and awareness programs for personnel, tailored to the specific and ever-evolving threats that an entity may encounter.
Beginning in November 2025, further cybersecurity requirements will be introduced, including more robust multi-factor authentication and asset inventory policies.
For more information, see: https://www.dfs.ny.gov/industry_guidance/cybersecurity
Comerica Bank and its affiliates do not provide tax or legal advice. Please consult with your tax and legal advisors regarding your specific situation.
This is not a complete analysis of every material fact regarding any company, industry or security. The information and materials herein have been obtained from sources we consider to be reliable, but Comerica does not warrant, or guarantee, its completeness or accuracy. Materials prepared by Comerica personnel are based on public information. Facts and views presented in this material have not been reviewed by, and may not reflect information known to, professionals in other business areas of Comerica.