Financial institutions operate in an environment where cyber incidents, operational disruptions and regulatory scrutiny are increasingly intertwined. A single ransomware attack on ION Markets, for example, temporarily disrupted derivatives trading across multiple institutions and triggered regulatory attention immediately.
As a result, expectations are increasing. It’s not enough for firms to merely have controls to manage cyber and compliance threats. They must prove those controls work under real-world pressure. That shift redefines how resilience is measured across the financial services industry – and highlights gaps that many organizations cannot overlook.
Resilience today means clients and investors can access their funds and services even when the institution is under stress. More importantly, resilience means the firm has a cyberattack response plan in place that not only meets stringent regulatory requirements but also works under pressure.
Enforcement actions for delayed cyber disclosures, the ION Markets outage, updated obligations under New York State Department of Financial Services Part 500 cybersecurity requirements, and federal third-party risk guidance all point to the same reality: Compliance now drives resilience.
As firms work in 2026 to balance evolving oversight with limited resources and aging systems, the shift from policy to proof is a defining challenge.
Confidence is the currency of the financial world. Compliance is what keeps confidence in circulation and keeps money flowing.
Slow Detection Is a Compliance Risk
The first aspect of resilience is simply knowing you’ve been attacked – and being able to move quickly through reporting channels. That’s becoming harder as attacks grow more frequent. Nearly every financial institution experienced at least one cyber incident over the past year; many faced dozens.
Omega Systems’ Mike Fuhrman: More concrete, but more challenging, standards.
Being attacked is no longer the exception; it is the operating reality. Regulators understand this, which is why they are demanding stronger evidence that firms can detect incidents quickly, determine materiality, and communicate clearly under pressure.
The Securities and Exchange Commission’s cybersecurity disclosure rules fundamentally changed the tempo of incident response. Public companies must determine whether a cyber incident is material to investors without unreasonable delay, and once they conclude that it is, they have only four business days to disclose it on Form 8-K. That clock exposes weaknesses in monitoring, audit trails, and internal communication: a firm cannot assess materiality on time if it cannot quickly establish what happened, when, and to which systems and data.
Recent SEC enforcement actions reinforce this shift. The agency has treated incomplete logs, delayed internal escalation, and unclear materiality assessments as governance failures, not technical flaws. The high-profile SolarWinds case, in which the SEC alleged misleading statements about cybersecurity risks and controls before the claims were ultimately dismissed, still sent a strong signal to public companies that cyber disclosures are fair game for securities enforcement.
Yet detection remains a challenge across the sector. More than a third of financial industry leaders say it would take at least a week to detect and contain a breach.
The reason detection is so difficult becomes clearer when you look at the processes behind it.
Manual Processes Can’t Keep Up
Many compliance programs remain anchored to manual, spreadsheet-driven workflows. Documentation is scattered, testing cycles are inconsistent, and evidence often requires days of reconstruction. These limitations become painfully visible during examinations, when regulators request control validation in near real time.
More than half of surveyed leaders say their firms still rely on manual processes to track cybersecurity controls and compliance documentation. They cite evolving regulatory requirements, limited staff resources, and difficulty translating regulatory language into technical action as ongoing friction points.
In addition, half of them say their infrastructure would slow their ability to respond or recover during a breach. Under these conditions, even well-intentioned teams struggle to keep pace.
These challenges are reflected in FINRA’s 2025 Annual Regulatory Oversight Report, which notes an increase in the variety, frequency, and sophistication of cyberattacks – from ransomware and account takeovers to data breaches, QR code “quishing” and generative-AI-enabled fraud.
The report also warns that such incidents can compromise firms’ ability to comply with business continuity, supervision, recordkeeping, and privacy rules. It explicitly notes that cyber incidents and poor controls can impede compliance across a range of obligations, not just “pure IT” operations.
And while internal processes create their own challenges, the picture becomes even more complex when disruptions originate outside a firm’s four walls.
Third-Party Weaknesses as Compliance Failures
Financial institutions depend on complex networks of custodians, trading platforms, cloud providers, fund administrators, and specialized software-as-a-service (SaaS) tools. These relationships accelerate operations – but they also introduce risks that regulators now treat as integral to a firm’s overall control environment.
Recent events highlighted how quickly third-party issues can cascade. The Snowflake-related compromises in 2024 and 2025, in which stolen customer credentials were used against accounts that lacked multi-factor authentication, showed how weak credential hygiene or misconfigurations outside a firm’s perimeter can impact multiple financial organizations at once.
FINRA’s report reflects this emphasis by adding a new Third-Party Risk Landscape topic, noting that vulnerabilities at vendors frequently lead to data breaches, account takeovers, and supply-chain attacks. Regulators are increasingly asking institutions to demonstrate not only that they review vendors, but that they understand – and actively govern – those risks every day.
Taken together, these pressures have reshaped what regulators expect from firms – and the standard is more concrete but far more challenging to meet.
Regulators Expect Proof of Performance
Oversight has shifted toward a practical standard: Firms must execute their controls during real incidents and demonstrate, with defensible evidence, that those controls worked as intended.
It is no longer enough to maintain policies that describe how escalation, access governance, or materiality decisions should work. Regulators want confidence that these processes function reliably when an actual event occurs.
That expectation is rising at the same time financial leaders acknowledge the difficulty of keeping pace. Forty-two percent say evolving regulatory requirements are now their biggest compliance challenge.
That is why many institutions are investing in automation to strengthen their compliance foundation. Financial leaders identify data discovery (51%), automated evidence collection (45%) and document management (45%) as the most impactful capabilities for improving audit readiness and enhancing control visibility. Automation doesn’t replace governance – it reinforces it by making evidence more consistent, more accessible, and more defensible under regulatory scrutiny.
The result is a new definition of resilience – one rooted not in intention, but in verifiable performance.
Resilience Now a Verifiable Outcome
For financial services firms, the ability to show how controls operate under real conditions is central to how they’re evaluated. Incidents, exams, and operational disruptions expose weaknesses quickly, and firms are expected to produce evidence that their systems, teams, and governance structures hold up under stress.
The organizations gaining ground are those reinforcing their foundations: modernizing systems to support auditability, improving visibility across environments, and aligning cybersecurity, IT and compliance into a cohesive operating model. Many are also strengthening their posture by integrating specialized outside expertise alongside internal teams to maintain consistency and depth as oversight evolves.
Resilience today isn’t measured by avoiding incidents. It’s measured by how confidently a firm can demonstrate that it’s prepared – and how reliably its controls perform when it matters most.
Mike Fuhrman, CEO of managed IT and cybersecurity services company Omega Systems, has over 30 years of experience in operations, product development, and leadership in the IT industry. His deep understanding of business operations and technology enables Omega to help organizations navigate the complexities of modern cloud environments. Fuhrman is a U.S. Air Force veteran and a graduate of The Citadel, where he serves on the executive advisory board for the School of Engineering.