DORA & SEC Readiness

Financial Services

Connect operational resilience, third-party oversight, incident readiness, and board-level governance evidence for financial services teams.

See how Westport Cyber helps banks, insurers, investment firms, public companies, and ICT providers evidence DORA and SEC cybersecurity obligations.

  • DORA evidence mapping
  • SEC disclosure readiness
  • Third-party risk oversight

Overview

Financial services organisations face a cybersecurity regulatory environment that is more prescriptive, more scrutinised and more consequential than almost any other sector. The challenge for most organisations is not a lack of awareness - it is the ability to demonstrate, at any point, that the right controls are in place, that third-party risks are being managed, and that leadership has the visibility required to meet their governance obligations.

DORA - the Digital Operational Resilience Act (Regulation (EU) 2022/2554) - entered into force in January 2023 and has applied across the EU since 17 January 2025. It places binding requirements on banks, insurers, investment firms and financial market infrastructures, and reaches the ICT third-party providers that serve them through mandatory contractual provisions and a direct oversight framework for providers designated as critical.

In the US, the SEC's cybersecurity disclosure rules (adopted in July 2023) place explicit obligations on public companies: a material cybersecurity incident must be disclosed on Form 8-K Item 1.05 within four business days of the registrant determining that it is material, and the annual report must describe the registrant's cybersecurity risk management, strategy and governance (board oversight and management's role) under Regulation S-K Item 106. Foreign private issuers report the same information on Forms 6-K and 20-F. For organisations operating across both jurisdictions, managing two distinct regulatory regimes from disconnected tools creates gaps that regulators and auditors will find.

Westport Cyber provides a single operational surface that supports both regimes - keeping compliance evidence, security posture and vendor risk connected to the same source of truth, regardless of which regulator is asking.

How Westport Cyber Maps to Financial Services Regulatory Requirements

Requirement area | DORA | SEC | Westport Cyber capability
ICT risk management framework | Article 6 - ICT risk management framework | Regulation S-K Item 106(b) - Risk management and strategy | Continuous configuration monitoring, risk-scored findings, remediation tracking
Third-party & supply chain oversight | Articles 28-30 - Managing ICT third-party risk (general principles, concentration risk assessment, key contractual provisions) | Regulation S-K Item 106(b) - Oversight of third-party service providers | Vendor assessments, OSINT monitoring, supply chain risk scoring
Incident detection & reporting | Articles 17-23 - ICT-related incident management, classification and reporting of major incidents (initial notification, intermediate and final reports under Article 19) | Form 8-K Item 1.05 - Material cybersecurity incidents, disclosed within four business days of the materiality determination | Configuration monitoring, incident evidence records, governance documentation
Resilience testing | Articles 24-27 - Digital operational resilience testing, including threat-led penetration testing (TLPT) | - | Control evidence, remediation records, posture history
Governance & board oversight | Article 5 - Governance and organisation (management body accountability) | Regulation S-K Item 106(c) - Governance: board oversight and management's role | Board-level reporting, posture dashboards, governance evidence
Policy documentation | Article 6 - ICT policies, procedures, protocols and tools within the risk management framework | Regulation S-K Item 106(b) - Processes for assessing, identifying and managing cybersecurity risk | AI-powered policy analysis, gap identification, improvement recommendations
User awareness & training | Article 13 - Learning and evolving (ICT security awareness programmes and resilience training) | - | Phishing simulations, e-learning, completion and awareness evidence
Disclosure & reporting readiness | - | Form 8-K Item 1.05 - Material incident disclosure; Form 10-K - Annual Item 106 disclosures | Auto-evidenced controls, audit-ready evidence base, compliance documentation
Concentration risk & vendor oversight | Article 29 - ICT concentration risk; Articles 31-44 - Oversight framework for critical ICT third-party providers | Regulation S-K Item 106(b) - Oversight of third-party service providers | Multi-vendor risk management, OSINT signals, breach monitoring

A "-" in the DORA or SEC column means that regime has no directly corresponding requirement for the area; the evidence is still retained because the other regime, or the organisation's auditors, will ask for it.