Global cyber regulations roundup: Financial services

  • Global cyber regulations are rapidly evolving across jurisdictions
  • Explore the regulatory trends across Australia, North America, Europe, Asia Pacific and the Middle East
  • Six priority areas, from operation resilience to fraud and artificial intelligence

Cyber threats targeting the financial services (FS) sector are growing in scale, complexity and consequence. Nation-state actors are stepping up their activity, high-profile breaches are making headlines, and consumers are demanding greater transparency and control over how their data is handled.

In response, regulators around the world are moving quickly – but not always in unison. With each jurisdiction taking its own approach, keeping pace with shifting cyber regulations has become a critical challenge for financial institutions operating across borders.

That’s why we created PwC’s Global Cyber Regulations Roundup for Financial Services. This must-read report provides you with a clear view of where regulatory focus is heading, across several priority areas. 

The summary below breaks down the key regulatory developments – so you can take timely action to strengthen your governance, sharpen your controls, and stay one step ahead of emerging cyber risks.

Priority areas

Regulators and policymakers have focused on improving firms’ defences, controls and policies across the globe in the following areas:

Operational resilience

The ability to recover quickly from a cybersecurity or other disruption, with little or no effect on services, has taken centre stage as a regulatory priority.

The United Kingdom’s standards for operational resilience in the sector went into effect in March 2022. They require that firms define critical activities, set impact tolerances, conduct testing and establish governance over operational resilience functions.

The European Union has the most extensive regulation for operational resilience in the sector. The Digital Operational Resilience Act (DORA) covers digital risk management, resilience testing, third-party risk management and information sharing.

The Middle East has a variety of frameworks, including Saudi Arabia’s 2017 Business Continuity Management Framework, which focuses on governance and requires yearly disaster recovery exercises.

Australia has seen significant changes with the introduction of the Australian Prudential Regulation Authority’s (APRA’s) Cross Prudential Standard 230 (CPS 230) on Operational Risk Management,1 which comes into effect on 1 July 2025, and the Security of Critical Infrastructure Act (SOCI) legislative changes.2 These regulations emphasise the need for financial institutions to implement comprehensive frameworks for managing operational risk, including cyber resilience, with a focus on critical assets and operations.

Data protection

Many jurisdictions around the globe are also focused on data protection to give consumers more control and limit the possibility that breaches or attacks could put their data at risk.

North America has various laws and regulations for data privacy and security in the sector. For the US, these include the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA) and the California Consumer Privacy Act (CCPA). In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out principles for the fair handling of personal information.

The European Union’s GDPR grants consumers the right to access, rectify, erase, restrict and port their data and to object to certain processing activities. It also imposes obligations on data controllers and processors, including cybersecurity and incident reporting requirements.

The United Kingdom’s Data Protection Act contains similar requirements to the EU’s GDPR.

Asia Pacific countries have different approaches to, and areas of focus on, data protection. China has strict rules on data security and cross-border data transfer, which affect data processing and sharing. Singapore, Hong Kong and India have requirements that largely mirror the GDPR.

Australia’s data protection and privacy laws continue to evolve, with the first stage of the long-awaited privacy law reforms receiving Royal Assent in December 2024. This stage has set the course to implement mechanisms for individuals to take legal action against organisations or individuals for serious invasions of privacy, new transparency obligations requiring firms to disclose in privacy policies when decisions are made using automated processes, new measures to combat ‘doxxing’ (sharing someone’s personal information with the intent to harm), and ministerial powers to ‘whitelist’ countries that provide substantially similar privacy protections, to assist with the disclosure of personal information overseas.3

Incident reporting

Regulators around the world – and in some cases multiple regulators within a single jurisdiction – expect different incident reporting standards and timeframes:

In North America, various regulators require FS firms to report and disclose cyber incidents to authorities and customers within a short time frame. For example, the Securities and Exchange Commission (SEC) requires reporting within four days of determining that an incident is material, whereas the New York Department of Financial Services (NYDFS) requires notification within 24 hours of making a ransomware payment.

The European Union’s DORA requires FS firms to submit an intermediate report to the relevant authorities and the European Supervisory Authorities on any incident that has a significant impact on their operations, services, customers or the financial system, within 72 hours of the submission of the initial notification.

The Middle East does not have a uniform regulation for cyber incident reporting, but some countries, such as Saudi Arabia and the United Arab Emirates, have issued cyber and data protection frameworks that require FS firms to report cyber incidents to the relevant authorities, such as the Saudi Arabia Monetary Authority (SAMA) and the Telecommunications Regulatory Authority (TRA). The reporting requirements vary by country, sector and type of incident.

Asia Pacific countries have different approaches to, and areas of focus on, cyber incident reporting. For instance, China requires that firms report “network security incidents” to the Cybersecurity Administration of China and to impacted individuals, with deadlines ranging from “immediate” to 72 hours depending on severity. Singapore requires that firms report incidents that result in “severe harm” or impact 500 or more individuals to the Personal Data Protection Commission (PDPC) no later than 3 business days after the incident.

Australia implemented a suite of cyber security reforms in 2024, including the passing of the Cyber Security Bill 2024, which establishes the Cyber Incident Review Board (CIRB) to conduct no-fault, post-incident reviews of significant cyber security incidents in Australia. Additionally, entities with an annual turnover of AU$3 million or more must report ransomware payments, including the ransom demanded, the amount paid, the payment method and any communications with the threat actor.

Fraud prevention and liability

Regulators have also been taking steps to address fraud as attacks continue to rise, while remaining split on the extent to which banks or consumers should bear the losses:

In North America, a paradigm shift is underway as US regulators are increasingly holding firms liable for fraudulent payments that they process.

The European Union’s Payment Services Directive 2 (PSD2) contains strict rules on payment security and authentication. It also requires that firms reimburse their customers who have been victims of certain types of fraud and scams.

The Middle East has seen an increase in fraud attempts on FS firms and their customers. Saudi Arabia has issued a Counter-Fraud Framework that requires FS firms to implement fraud controls, conduct yearly fraud assessments and educate their customers about how to spot and avoid scams.

In Australia, cyber fraud events continue to rise, with credit card fraud alone accounting for AU$2.1 billion of losses between July 2023 and June 2024, an increase of 9% on the previous year.4 Fraud has been front of mind for Australians this year as cyber criminals coordinated targeted attacks on multiple Australian superannuation funds. In these attacks, hundreds of members’ reused passwords, initially stolen in unrelated incidents, were used to log into their accounts in attempts to commit fraud.

Third-party risk management (TPRM)

This remains a key focus area, as regulators express concern about concentration risk arising from heavy reliance on vendors, as well as a rise in vendor-related breaches:

In North America, various agencies within the U.S. have released expectations on TPRM, including interagency guidance released in July 2023. In Canada, the Office of the Superintendent of Financial Institutions (OSFI) has issued similar guidelines.

In the United Kingdom, the Prudential Regulation Authority (PRA) has issued a supervisory statement setting out its expectations on outsourcing and TPRM. In January 2025, the Critical Third Parties Regime came into effect, giving the Bank of England, the PRA and the Financial Conduct Authority direct oversight of the activities of critical third parties that provide services to regulated financial services firms, and bringing some service providers into the purview of financial services regulation for the first time. In the European Union, DORA covers third-party risk management and requires financial institutions to manage their ICT risk, conduct threat-intelligence-based ethical penetration testing, and insert standard cybersecurity clauses into vendor contracts.

In the Middle East, a third-party risk management framework is being developed by the Saudi Arabia Monetary Authority.

From an Asia Pacific perspective, the Monetary Authority of Singapore (MAS) has updated its requirements for managing risks associated with outsourced services. In Japan, regulators are asking for more vendor due diligence from pre-onboarding to post-contract termination.

In Australia, APRA’s CPS 230 comes into effect on 1 July 2025 for regulated entities in the financial services sector. It expands APRA’s oversight and expectations beyond traditional outsourcing arrangements to encompass all organisational agreements with material service providers, requiring entities to implement comprehensive service provider management policies, formal agreements and robust service provider monitoring processes, with service providers meeting the same operational risk management standards as the entity itself.

Artificial intelligence (AI)

Lastly, as we see rampant AI adoption globally, governments and regulators are setting expectations for secure AI usage across FS organisations:

In North America, AI regulation currently falls under many existing standards and expectations, but policymakers are weighing whether additional authority is necessary. Canada had proposed an Artificial Intelligence and Data Act which would provide guidelines for safe, responsible, and ethical AI use.

The United Kingdom has several initiatives and guidelines to promote ethical and responsible AI development and use. These include the UK AI Sector Deal, the Centre for Data Ethics and Innovation, the Office for AI, the Alan Turing Institute, and the AI Council.

In the European Union, the Artificial Intelligence Act approved in May 2024 establishes a regulatory and legal framework for AI use.

Asia Pacific countries have different approaches to, and areas of focus on, AI regulation. China has strict rules on data security and cross-border data transfer, which affect AI applications. Singapore and Japan have issued guidelines and principles for ethical and trustworthy AI.

In Australia, the government released a proposal in September 2024, for industry feedback, to introduce ten mandatory guardrails for AI in high-risk settings. These complement the ten voluntary guardrails previously set out in the Voluntary AI Safety Standards. Industry consultation has now concluded, with updates from the government expected in due course.

How can financial services firms respond?

Prepare for regulatory pressure on operational resilience by clearly defining your critical services, mapping key vulnerabilities and dependencies related to those services, setting impact tolerances and conducting regular testing.

With a sharp rise in global regulations focused on cyber incident transparency, firms can reassess their reporting frameworks. That includes how they determine incident materiality, what information they disclose, and how they keep their governing bodies informed – quickly and confidently.

Taking a proactive approach not only helps you stay ahead of regulatory expectations – it also reduces the impact of disruption, strengthens stakeholder trust, and protects what matters most: your customers, your technology and your reputation.

If you’d like to explore how these regulatory shifts could impact your organisation – and how you can stay ahead – we’re here to help. Contact Pearce Delphin.
Contact the authors

Pearce Delphin

Director, Advisory, PwC Australia


Chris Davis

Partner, Advisory, PwC Australia
