From “Are You Protected?” to “Can You Operate?” Why Regulators Want Resilience, Not Just Controls

For years, financial institutions prepared for supervisory reviews the way students prepare for exams. Teams gathered documents, mapped controls to frameworks, and checked every item on the list.
Regulators asked a simple question: are you protected?
In my recent conversation with Phil Park, that question felt outdated.
Phil has advised financial institutions on cybersecurity and regulatory risk for more than 25 years. He worked with clients during the early days of the Sarbanes-Oxley Act and now guides them through global operational resilience mandates.
In his current role at IBM, he supports major banks across the U.S., Europe, and Asia as they manage supervisory pressure and new technology risks.
He has watched expectations shift over time. He believes we now face a clear turning point.
Global supervisors no longer focus only on control checks. They expect operational resilience. Regulators do not stop at proof that policies and safeguards exist. They want evidence that you can absorb disruption, contain incidents, and keep critical services running under stress.
As Phil explained, success no longer means passing an audit. It means your business keeps running when controls fail.
The end of the compliance checklist era
Ten or fifteen years ago, most cybersecurity and operational risk programs focused on control coverage. If your team showed safeguards in place, clear policies, and a mature program, regulators viewed you as prepared.
Over time, that standard changed. Regulators watched real incidents unfold and saw that paper controls often fail under pressure.
“The biggest shift has been the movement from asking, ‘Are we protected?’ to ‘Can we operate through disruption?’” Phil said.
Attackers hit the financial sector with ransomware, third-party outages, cloud misconfigurations, and supply chain compromises. Many affected institutions met compliance requirements. They passed audits and checked the boxes.
Services still failed. Customers felt the disruption, and shareholders lost confidence.
These events reshaped regulatory expectations. Frameworks such as the Digital Operational Resilience Act (DORA) assume that cyber incidents will happen. Regulators no longer ask whether you can prevent attacks in theory. They ask whether you can prove resilience in practice.
Phil described this shift as a move from static to dynamic evaluation. Regulators now look beyond the presence of controls. They examine how controls perform in real scenarios and how leaders act when systems fail.
When disruption hits, technology isn’t the only test
Phil made one point clear. Modern regulators look beyond technical controls.
“Regulators are watching less for perfection because they know perfection is impossible,” Phil said. “What they care about more is the quality of the response when something goes wrong.”
When an incident occurs, regulators study how you respond in real time. They examine:
- How quickly and clearly teams escalate the issue
- Whether senior leaders align on key decisions
- Whether silos slow coordination
- How well you communicate with regulators, customers, and the board
- Whether you understand critical service dependencies
Resilience doesn’t rest on firewalls or detection tools alone. It shows in how your business acts during a security event.
You may have a detailed incident response plan. But gaps appear fast if one person controls escalation.
Problems grow if legal and security teams clash during a crisis. Delays increase when teams argue over severity levels instead of acting.
Regulators no longer expect perfection. They know breaches will happen. What they judge is how well you perform under stress.
Regulatory scrutiny is shifting from controls to outcomes
In the earlier compliance-driven era, narrative carried weight. If you described your security controls clearly and showed structured governance, regulators often felt satisfied.
That standard has changed.
“The biggest gap that I see is that many firms rely on the frameworks and heat maps while regulatory supervisors want to see action and outcomes,” Phil said.
He stressed that evidence now outweighs explanation. Supervisors ask you to provide tangible proof, including:
- Results from scenario tests and simulation exercises
- Records of past disruptions and the steps you took to fix them
- Proof that failover processes work as designed
- Real-time traceability between critical services and the systems that support them
You can no longer state that a plan exists. You must show that you tested it and improved it based on lessons learned.
In practice, realistic exercises expose many resilience gaps. Assumptions fail. Service maps miss key dependencies. Escalation paths reveal decision bottlenecks.
Regulators often see these findings as signs of maturity, not weakness. They expect you to admit gaps and fix them quickly.
The reporting burden is getting heavier and faster
Beyond building operational resilience, you must report security incidents.
In the U.S., financial institutions answer to federal banking regulators, state authorities, Securities and Exchange Commission (SEC) disclosure rules, and sector guidance. In Europe, DORA sets strict deadlines for reporting major information and communication technology (ICT) incidents.
You can’t wait for a crisis to plan your response. You must build reporting into governance, workflows, and escalation paths before an incident occurs.
Organizations that handle this well create clear reporting playbooks. They test communication protocols and keep documentation easy to access. They coordinate across legal, cybersecurity, compliance, and risk teams without delay or confusion.
You can’t gather facts in the middle of an active incident and hope for accuracy. Regulators expect fast, consistent, and accurate reports. They also expect your account to stay aligned across jurisdictions, even when several authorities review the same event.
AI: new tools, same discipline
AI adds new risk to modern environments.
Threat actors already use AI to create more convincing social engineering campaigns and automate malware at scale. At the same time, many organizations embed AI agents into critical business operations.
Phil cautioned that the core security challenges remain the same. Many businesses deploy AI platforms without clear governance, strong identity controls, or full visibility into assets and data flows.
AI doesn’t replace strong security fundamentals. In many cases, it amplifies the consequences of weak controls and unclear ownership.
Rapid AI adoption makes basic operational discipline more important than ever.
What does “passing” financial industry compliance even mean now?
This new supervisory era brings a hard truth. There’s no clear finish line.
In a checklist-driven model, compliance meant you completed required tasks. You met the standard and moved on.
In a resilience-driven model, success shifts. It depends on how well you perform under real stress.
Phil explained that assumptions often fail during a crisis. Your true readiness shows in how quickly and effectively your team responds.
As Phil put it, “everybody has a plan until you get hit in the mouth.”
Today, regulators define a pass by behavior, not perfection. They expect you to admit weaknesses, outline practical remediation plans, and show steady improvement. They want discipline built into daily processes, not last-minute heroics.
Supervisors don’t expect flawless systems. They expect mature organizations that prepare in advance, operate with transparency, and take responsibility when gaps appear.
Cyber risk is now operating model risk
This shift reflects a larger truth. Cyber risk no longer sits only with IT.
Many organizations now position CISOs higher in the structure. Boards also take direct responsibility for cyber outcomes.
Regulators look beyond control frameworks. They review operating models, decision paths, and how teams manage risk across the business.
Resilience now acts as a core business capability. It shapes how you plan, invest, and respond to disruption.
If you treat cybersecurity as a siloed technical function, you will struggle in this environment.
If you build resilience into leadership, daily operations, vendor oversight, and executive decisions, you will stand stronger. You’ll prepare better for regulators and for real-world incidents.
Listen to the full episode of The Segment: A Zero Trust Leadership Podcast on Apple Podcasts, Spotify, or our website.