The simultaneous enforcement of the EU’s DORA (January 2025 deadline) and NIS2, alongside the U.S. SEC’s four-day disclosure rule (effective late 2023), has created an increasingly fragmented and high-stakes compliance landscape for global enterprises. This episode details how organizations can move beyond segregated checklists to build a unified compliance strategy by centralizing governance, implementing continuous third-party risk monitoring, and using integrated response plans to meet varying reporting timelines. Learn why streamlining efforts across these mandates is essential to maintain business continuity, minimize legal liability, and avoid steep penalties, which can reach up to 2% of global turnover.
Sponsor:
www.compliancehub.wiki (http://www.compliancehub.wiki)
0:00
Welcome to the deep dive. Today we're
0:01
tackling something absolutely critical,
0:04
uh what we're calling the global
0:05
compliance gauntlet for 2025. We got a
0:08
stack of documents here, regulations,
0:10
analysis, all pointing to how three big
0:13
regulatory waves, two from the EU, one
0:15
from the US are changing everything for
0:18
third party vendor risk.
0:19
That's right. And it's really putting
0:21
this issue, third party risk management
0:23
or TPRM front and center for the
0:25
C-suite. It's not just paperwork
0:27
anymore. This is uh fundamentally a
0:30
global reaction to some major stresses
0:32
we're seeing escalating cyber threats,
0:34
geopolitical shifts, and honestly a huge
0:36
reliance on third party tech.
0:38
So our mission today is to cut through
0:40
that complexity for you. We're digging
0:42
into the EU's DORA, that's the Digital
0:44
Operational Resilience Act, and NIS-2,
0:46
the network and information systems
0:48
directive, and then over in the US, the
0:49
SEC's new cyber security disclosure
0:51
rule. Understanding how these fit
0:53
together or sometimes don't. Well,
0:54
that's crucial for 2025.
0:56
Absolutely. It's the key to staying
0:58
compliant and frankly resilient.
1:00
And look, navigating this kind of
1:02
complex global web, it demands really
1:04
reliable, up-to-date resources. That's
1:06
why many teams turn to our sponsor
1:08
www.compliancehub.wiki
1:10
to get that precise guidance they need.
1:12
We thank them for their support.
1:15
Okay, let's set the stage first. Why
1:17
now? Why is third party risk suddenly
1:20
this massive global focus for
1:22
regulators? What's the trigger?
1:24
Well, it's not just one trigger. It's
1:25
more like a perfect storm really. You've
1:27
got a couple of big drivers. First,
1:29
there's systemic instability.
1:31
Everything's digital now, which means
1:32
things happen faster. Think about the
1:34
bank runs in 2023. Market swings.
1:37
Digitalization speeds it all up. Okay?
1:39
And you combine that speed with uh
1:42
frankly soaring global debt. Public
1:44
debt's projected at over 93% of global GDP
1:47
this year. Regulators are getting
1:48
nervous about overall stability.
1:50
So, fragility and speed, that's the
1:51
environment. But how does that connect
1:53
directly to say my software vendor?
1:55
That's where the second driver comes in.
1:56
The third party dependency crisis. We
1:58
saw it starkly, didn't we? That huge IT
2:00
outage back in July 2024 caused by just
2:03
one tech provider, it basically ground
2:06
parts of the global economy to a halt.
2:08
Yeah, that was huge. It showed how
2:09
reliant we are.
2:10
Exactly. It proved how one failure in a
2:13
critical supplier, especially in tech,
2:15
can cascade through the whole financial
2:17
system and then layer on top the
2:19
geopolitical stuff, more sanctions, more
2:21
export controls that creates real
2:23
business interruption risk often coming
2:26
from your vendors in different parts of
2:27
the world.
2:28
Got it. So, the regulations aren't just
2:30
about pure cyber security anymore. It's
2:32
about this dangerous reliance on
2:34
external companies whose failure could
2:37
be catastrophic. It's cyber risk plus
2:40
business risk all wrapped up together.
2:42
And that's why TPRM is now firmly a
2:45
boardroom issue, not just an IT
2:47
checklist.
2:48
Precisely. It's about operational
2:49
resilience in a much broader sense.
2:50
All right, let's pivot to the EU then.
2:52
They've got this double header coming
2:53
online. DORA and NIS2. Are they
2:56
basically the same thing or
2:58
they're related? Definitely
2:59
complementary but quite different in
3:01
scope and uh application. DORA, the
3:03
digital operational resilience act.
3:05
That's a regulation. Big difference. It
3:07
applies directly across the EU from
3:09
January 17, 2025. No local transposition
3:12
needed
3:13
and its focus is narrow,
3:14
very focused, exclusively the financial
3:17
sector, so banks, insurers, investment
3:20
firms. And it gets deep into ICT risk
3:22
management, serious resilience testing
3:25
like threat-led penetration testing for
3:27
the big players and very specific rules
3:29
for third party risk.
3:30
Okay, so DORA is financial sector
3:32
specific. What about NIS2?
3:34
NIS-2 is the broader play. It's a
3:36
directive, so member states had until
3:38
October 2024 to write it into their own
3:41
national laws. And its scope is huge. 18
3:44
different critical sectors. We're
3:45
talking energy, transport, healthcare,
3:47
digital services, even some
3:49
manufacturing. Much wider net.
3:51
So if I'm a bank, Dora applies for my
3:53
ICT risk instead of NIS-2.
3:55
Generally, yes. Where DORA has specific
3:57
rules for financial entities on things
3:59
like ICT risk or third party risk,
4:02
those rules take precedence. They are
4:04
considered lex specialis. But NIS-2
4:06
still sets a baseline for many other
4:08
critical sectors and includes strong
4:09
mandates around supply chain security
4:11
for everyone it covers.
4:13
Okay. Now, this is where I think it gets
4:14
really transformative for vendor
4:15
relationships, the contracts. What
4:18
exactly do these rules force companies
4:19
to put into their vendor contracts? It
4:21
sounds like a big shift in power.
4:22
It absolutely is. This is probably the
4:25
most immediate uh operational headache,
4:27
especially under DORA. Financial firms
4:30
must review and where necessary repaper
4:32
their contracts with critical ICT
4:34
providers.
4:35
Repaper meaning rewrite or add
4:37
amendments.
4:37
Both potentially the contracts have to
4:40
include specific mandatory clauses. Now
4:42
things like clear descriptions of
4:44
services where the data is physically
4:46
located, but crucially the right for the
4:48
financial entity and its regulators to
4:50
conduct audits and inspections of the
4:52
vendor. That's huge.
4:53
Whoa. Okay. So the vendor has to agree
4:55
upfront to let the regulator in
4:57
essentially. Yes, for critical services,
5:00
plus clear rules on incident
5:02
notification, assistance obligations,
5:03
and really detailed termination clauses
5:05
and exit strategies. You need a plan to
5:07
get out if things go wrong.
5:09
That audit right and the pre-planned
5:11
exit strategy that completely changes
5:14
the negotiation leverage, doesn't it?
5:15
The vendor has to accept much more
5:17
accountability.
5:18
No question. The burden of proving
5:19
resilience shifts significantly. And
5:22
NIS2 echoes this maybe less granularly,
5:25
but with the same intent. It mandates
5:27
that organizations have a formal program
5:29
for supply chain risk. That means doing
5:32
regular security checks on your
5:33
suppliers and it means putting
5:35
contractual obligations on them too.
5:36
Things like maintaining basic security
5:38
hygiene, you know, MFA, patching,
5:40
reporting incidents quickly.
5:41
And there are teeth to this
5:43
for management.
5:44
Oh yes, both frameworks emphasize senior
5:46
management accountability. NIS2 is
5:49
particularly blunt about it. It mentions
5:51
potential temporary bans on C-level
5:53
executives running the company if there
5:54
are serious failings and fines of course
5:57
up to €10 million or 2% of global
5:59
turnover for the big entities under
6:01
NIS2.
6:02
Wow. Okay. Managing all that, finding
6:04
every critical ICT contract, checking
6:06
it, amending it, tracking it, especially
6:08
against those EU deadlines. That's a
6:10
monumental task. You'd absolutely need a
6:13
centralized, reliable way to manage that
6:15
knowledge. It makes sense why teams rely
6:17
on resources like our sponsor
6:19
www.compliancehub.wiki
6:21
for exactly this kind of challenge.
6:23
It's the kind of task that spreadsheets
6:25
just won't handle effectively. Not at
6:27
this scale.
6:27
All right, let's switch continents. The
6:29
US approach with the SEC cyber security
6:32
disclosure rule. It feels different,
6:35
maybe less about how you manage risk and
6:37
more about just telling people when
6:39
something bad happens.
6:41
That's a fair characterization. The
6:43
SEC's focus is primarily on transparency
6:46
and speed for investors. It's less
6:48
prescriptive on controls, but the
6:50
urgency is palpable. Two main things
6:52
here. First, the one everyone talks
6:54
about, the 4-day clock,
6:56
right?
6:57
Public companies have to report a
6:58
material cyber security incident on a
7:00
Form 8-K within four business days of
7:02
deciding it is material.
7:04
And that materiality decision seems like
7:06
the tricky part. It's not always
7:07
obvious, especially in the middle of a
7:08
crisis, who makes that call.
7:10
Exactly. It's tough. Materiality isn't
7:13
just about dollars lost, though that's
7:14
part of it. It's what a reasonable
7:16
investor would think is important. So
7:18
that includes qualitative things, too.
7:20
Reputational damage, potential
7:21
litigation, disruption to the business.
7:23
So, it's a judgment call.
7:24
It is, but it needs to be a fast and
7:27
well documented one. The SEC says
7:29
companies need a process involving IT,
7:32
security, legal, finance to make that
7:35
call without unreasonable delay.
7:37
Oh, and you can't just ignore small
7:39
incidents. If you have a series of
7:41
related smaller breaches that add up to
7:43
something big, you need to aggregate
7:45
them for that materiality assessment.
7:47
Okay. So, the pressure on the third
7:49
party risk team here is intense. If a
7:51
key vendor gets hit, how do you make
7:53
sure that doesn't cause your company to
7:55
miss that 4-day SEC deadline? This is
7:58
where the SEC rule, while not explicitly
8:00
mandating TPRM controls like DORA, has a
8:03
huge indirect impact because the second
8:06
part of the rule requires companies to
8:08
disclose annually their processes for
8:10
managing cyber risks.
8:11
Oh, okay.
8:12
And they have to specifically talk about
8:14
how they handle risks coming from third
8:15
party service providers and supply chain
8:17
issues. That puts TPRM squarely in the
8:20
spotlight for investors and the board.
8:22
So you can't just say we send out a
8:23
questionnaire once a year anymore. Not
8:25
if you want to be credible. No. If a
8:27
vendor incident happens, you have
8:29
potentially just 96 business hours from
8:32
determining it's material to report it.
8:34
An annual checkup is useless for that.
8:36
You need near real-time visibility into
8:38
your critical vendor security posture,
8:40
which means continuous monitoring
8:42
becomes basically essential for SEC
8:43
compliance too, not just for DORA.
8:45
Absolutely. It pushes you towards
8:47
continuous monitoring using things like
8:48
security ratings, having really tight
8:51
integration between your incident
8:52
response and your vendor management. You
8:54
need those internal thresholds for what
8:56
might constitute a material risk from a
8:58
vendor and the data flowing to make that
9:00
call quickly. It forces TPRM to be much
9:02
more data driven.
9:03
So okay, we have DORA demanding specific
9:07
contract terms and tests in the EU. We
9:09
have NIS-2 broadening security mandates
9:11
across critical sectors there and the
9:13
SEC demanding rapid disclosure and
9:15
process transparency in the US. If
9:17
you're listening and you're facing this
9:19
this global regulatory convergence, what
9:22
are the most important highest impact
9:23
things you should be doing right now to
9:25
build a unified strategy?
9:27
Yeah, it's a lot. But when you boil down
9:28
the recommendations from you know
9:31
various policies like from EY, BitSight,
9:34
ISACA, four key actions really
9:36
stand out across all these regulations.
9:39
First and maybe most importantly,
9:41
elevate accountability. Make sure cyber
9:44
security risk, including third-party
9:46
risk, is formally owned, approved, and
9:48
overseen by senior management and the
9:50
board. NIS-2 and DORA demand it
9:52
explicitly. The SEC rules imply it
9:56
through the disclosure requirements. It
9:57
has to be a regular boardroom
9:59
conversation framed in terms of business
10:01
impact, not just technical jargon.
10:02
Makes sense. Get leadership buy-in and
10:04
oversight first. One second.
10:06
Second, shift to continuous monitoring.
10:08
Seriously, the era of relying solely on
10:10
static point in time vendor assessment
10:12
is over. It's just not adequate anymore.
10:15
You need tools or services. Security
10:17
ratings are a common example to track
10:19
your vendor's cyber security performance
10:20
routinely. This helps meet DORA's
10:22
resilience needs and helps you avoid
10:24
nasty surprises that could trigger an
10:26
SEC filing.
10:26
Right? Know your vendor's posture in
10:28
near real time. Okay. Third,
10:30
third is about testing that resilience.
10:32
Test resilience with your vendors. Don't
10:35
just review their paperwork. Conduct
10:37
actual tests. DORA specifically
10:39
calls for digital operational resilience
10:42
testing. This should include scenarios
10:44
simulating major disruptions caused by
10:46
critical third parties. Think vendor
10:49
down exercises or vendor data breach
10:51
simulations.
10:53
So practice for the worst case scenario
10:55
involving your suppliers.
10:56
Exactly. And make sure your own incident
10:58
response plans explicitly cover these
11:00
vendor related failure scenarios.
11:02
Okay. Accountability, continuous
11:03
monitoring, joint testing was the fourth
11:05
key action.
11:06
The fourth is looking ahead slightly.
11:08
Govern AI risk. AI adoption is
11:11
accelerating everywhere, right? And that
11:13
brings new risks often via third
11:14
parties. Think about data leakage
11:16
through AI models, prompt injection
11:18
attacks, risks from using third-party AI
11:21
services. You need an AI strategy, sure,
11:23
but your governance framework,
11:25
especially TPRM, needs to adapt now to
11:27
assess and manage these emerging AI
11:29
related supply chain risks. That's a
11:31
really crucial point. AI adds another
11:33
complex layer to that third party
11:35
landscape. So across all these actions,
11:38
accountability, monitoring, testing, AI
11:40
governance, the common element seems to
11:42
be needing rigorous processes, solid
11:44
documentation, and quick access to the
11:47
right compliance information, which
11:49
again underscores the value of having
11:51
dependable resources. We encourage you
11:53
to check out our sponsor
11:54
www.compliancehub.wiki
11:56
to help streamline navigating this
11:59
complex regulatory environment.
12:00
Yeah, having that structured knowledge
12:02
readily available is going to be key for
12:04
teams trying to implement all this
12:05
effectively.
12:06
So, wrapping this up, it feels like the
12:08
big takeaway is that compliance isn't
12:10
just a local checkbox exercise anymore.
12:12
It's become this core component of
12:14
global business resilience and it's
12:16
being driven by these powerful
12:17
transparency and accountability demands
12:19
stretching from the US to the EU.
12:21
That's exactly it. The challenge for
12:23
every global company now is balancing
12:25
innovation, adopting AI, using complex
12:28
digital supply chains with mitigating
12:30
the very real, often systemic risks that
12:33
come with it. Compliance, particularly
12:35
around operational and digital
12:37
resilience, is really the foundation now
12:39
for earning and keeping trust,
12:41
especially in the capital markets.
12:42
Which leads to maybe a final thought for
12:44
you, our listeners, to chew on. We see
12:46
this push for standardization and
12:48
operational resilience through DORA and
12:50
NIS-2, the SEC rules. But at the same
12:53
time, we see inconsistent adoption of
12:55
other global standards like Basel 3.1
12:57
in banking or the ongoing fragmentation
13:00
of how different countries are
13:01
regulating digital assets. These also
13:04
impact a firm's operational base. So the
13:06
question is, how can global firms truly
13:09
achieve standardized operational
13:10
resilience when the wider international
13:12
regulatory landscape underneath them
13:14
keeps shifting and fragmenting?
13:16
Something to consider. That's our deep
13:17
dive for today.
#Business Operations
#Legal