

For years, cybersecurity strategy in financial services focused on a single objective: prevention. Build stronger walls, tighten controls, and stop attackers from getting in. That model no longer reflects reality.
Today’s threat environment is shaped by geopolitical instability, increasingly sophisticated threat actors, third-party dependencies, and expanding digital ecosystems. In this environment, breaches are no longer hypothetical events—they are operational realities that must be planned for.
The most resilient organizations are not those that believe they can avoid disruption entirely. They are the ones that assume disruption will happen and design systems that can withstand it, recover quickly, and continue to operate with confidence.
This marks a fundamental shift: from cybersecurity as protection, to cybersecurity as resilience.
Across the Gulf and wider Middle East, financial institutions are navigating a particularly complex landscape. Regional uncertainty has slowed investment decisions, delayed transformation programmes, and heightened executive concern around operational continuity.
At the same time, digitization continues. Banks, insurers, fintechs, and payment providers are modernizing infrastructure, adopting cloud platforms, expanding APIs, and increasing reliance on external vendors.
This creates a paradox: organizations must transform while simultaneously becoming more secure and more resilient.
The answer is not to pause innovation. It is to redesign resilience into the transformation agenda itself.
Many firms still treat security as a final checkpoint in delivery cycles. This creates friction, delays, and avoidable exposure.
Leading institutions are taking a different approach—embedding security directly into architecture, engineering, and operational design from day one.
Security by design means:
This model enables speed and security simultaneously.
Organizations such as IBM have consistently highlighted the importance of integrating security into transformation programmes rather than bolting it on later. The same principle is increasingly visible across global investment banks and digital-first institutions.
Many organizations still approach threat modeling as a technical exercise. In reality, it should be an executive capability.
Threat modeling asks a simple question: if disruption happened tomorrow, where would it hurt most?
For financial institutions, the answers may include:
The most effective firms map these assets against real-world geopolitical and cyber scenarios, then test readiness through simulations.
This turns resilience from theory into measurable preparedness.
When systems fail, data becomes the difference between inconvenience and crisis.
Financial services firms must ensure that critical data can be protected, restored, and trusted under pressure. That requires more than backup policies.
It requires:
Customers may forgive temporary disruption. They rarely forgive loss of trust.
Boards and executive teams should be asking five urgent questions:
The answers often reveal where the real work begins.
Periods of uncertainty often create hesitation. But they also create differentiation.
Organizations that invest in resilience during volatile periods emerge stronger, faster, and more trusted than competitors who delay action.
Cyber resilience is no longer an IT issue. It is a growth, trust, and continuity issue.
The institutions that understand this earliest will lead the market longest.

Every company either has, or definitely should have, a Business Continuity Plan (BCP). On paper, they’re reassuring: structured, signed off, tested annually, and neatly filed away for when something goes wrong. The catch? Most of it is hypothetical.
BCPs are built around “what ifs.” What if there’s a snowstorm and no one can get into the office? What if a hurricane takes out power across a region? What if transport links fail, there’s a fire in the building, or even a localized disease outbreak begins to spread?
We try to plan for everything: weather events, infrastructure failures, terrorism, health risks. It’s a long list of ‘what could really go wrong?’ and how we think we will respond in that situation.
But here’s the real question: “what happens when reality doesn’t follow the plan?”
From Theory to Reality
For nearly 25 years, I worked at a major Wall Street investment bank, where one of my responsibilities was overseeing our division’s BCP across EMEA, as well as collaborating with my colleagues on the global plan. I also sat on the firmwide BCP committee, helping shape broader strategy, so I am somewhat seasoned in crisis response. We experienced all manner of threats to which we had to respond: a fire in a major building, terrorism, the tsunami in Asia, bird flu, rail strikes. The list goes on.
Our plans were constantly evolving: updated annually to reflect changes in technology and business needs, adjusted for new compliance and regulatory requirements, reviewed and verified by senior leaders every quarter, and tested every year, with key functions like trading ‘testing’ from designated backup sites.
On paper, we were ready for anything. And then COVID-19 happened.
We’d seen outbreaks before—SARS, H1N1 (Swine Flu), Ebola, Zika. Serious, yes, but largely contained. We had “pandemic scenarios” in our plans, but if we’re honest, they were just that—scenarios.
COVID wasn’t a scenario. It was a full-scale, global disruption that changed everything, overnight.
When the Plan Isn’t Enough
When the pandemic hit, the gaps became obvious very quickly. The designated BCP site? Useless, because “everyone” was affected at the same time and had to remain at home. Suddenly, we had to answer questions we hadn’t fully needed to before:
How do you operate when no one can come into the office? What if your systems can’t handle mass remote access? Can regulated activities like trading legally be done from home? Who answers client calls if no one is in the office? How do you maintain compliance and confidentiality? How can you protect sensitive information (MNPI) in a home environment? What happens when employees are sharing space with family, or even competitors? And beyond all of that, how do you keep people safe, productive, and supported?
A Rapid Rewrite in Real Time
The response had to be immediate. Banks, for example, had to seek urgent regulatory approvals to allow trading from home, something that was previously restricted to licensed office environments.
Technology became the biggest challenge. Not all firms had “soft” phone systems in place; physical trading turrets and desk phones had to be sourced and delivered to homes; VPN capacity had to scale rapidly; collaboration tools like Zoom and Teams had to be tested, approved and rolled out, fast!
And then there was the human side. Not everyone had a laptop or PC at home. Some staff didn’t even have a suitable workspace. And suddenly, many employees were juggling full-time work with homeschooling children or caring for sick dependents, or were sick themselves and unable to work. It was, without question, a challenge with a capital C.
What Actually Made the Difference
In the middle of all this, a few things proved absolutely critical.
1. Information is power
Staying on top of developments—globally and locally—allowed decision-makers to respond faster and more effectively.
2. Communication, everywhere
Across teams, across regions, across functions, across the firm. The more aligned people were, the faster changes could be implemented. And the more we knew of people’s challenges, the better placed we were to assist with support.
3. Close partnership with risk and compliance
New ways of working required new approvals. Speed mattered—but so did doing things properly.
4. Technology adoption at pace
Tools that weren’t widely used suddenly became essential. The organizations that adapted fastest gained a real advantage and could continue to effectively communicate with clients and vendors.
5. Team culture and support
Daily check-ins became the norm. Managers made a conscious effort to support junior staff and those living alone. Flexibility wasn’t a perk—it was a necessity.
6. Adaptability over perfection
No plan survived intact. The teams that succeeded were the ones willing to adjust, rethink, and move quickly.
So, What Does “Back to Normal” Look Like?
Spoiler: it’s not a switch you flip. A return to normal needs to be phased and thoughtful:
Phase 1: Stabilisation
Ensure systems, people, and processes are functioning reliably in the current environment.
Phase 2: Controlled Return
Gradual reintroduction to office spaces, prioritising critical roles while maintaining flexibility.
Phase 3: Hybrid Optimisation
Refine ways of working: which roles, and which functions, need to be in the office versus remote?
Phase 4: Long-Term Transformation
Embed lessons learned into future operating models, technology, and BCP strategy.
And throughout all of this, one thing matters: listening to your people.
Are they comfortable returning? Can they physically return? Do they have childcare challenges or travel restrictions? A successful return isn’t just operational—it’s human.
Preparing for the Next Crisis (Because There Will Be One)
If there’s one takeaway from all of this, it’s that you can’t plan for everything—but you can prepare better.
Here’s how:
Think beyond “scenarios” and focus on adaptability, not just specific events.
Invest in scalable technology, especially for remote access and communication.
Test real-world conditions, not just theoretical exercises.
Strengthen cross-functional collaboration; BCP isn’t just an ops issue.
Build a culture of communication, support and trust.
Keep plans alive and update them with real lessons learned, on a regular basis.
Final Thought
A crisis will always be disruptive. That’s unavoidable. But the “impact” of that disruption? That’s something you can influence. Resilience is how well you adapt to challenges and change, ensuring minimal disruption and maximum efficiency under the circumstances.
The companies that navigate crises best aren’t the ones with the most detailed plans; they’re the ones that can adapt those plans, communicate clearly, and support their people when it matters most. And, of course, they continue to serve clients well and remain effective and efficient in spite of the difficulties they face.
We have all been affected by the recent events in the Middle East, whether you are in America, Asia, Europe or the UAE. This too shall pass and those companies who respond well to the current challenges and work with their people, clients and vendors effectively will come out strongest… and more prepared for the next one.
If there’s one takeaway, it’s this: don’t stop at the obvious. The strongest crisis plans come from pushing past assumptions and thinking about what feels unlikely—or even impossible. You can’t predict every threat, but you can challenge your plans, test their limits, and explore where they might break. It’s not just about planning for disruption; it’s about asking “what if everything fails at once?” Even in situations where options seem restricted—like limits on data movement or backup infrastructure—there’s value in thinking through how you’d respond if those boundaries were suddenly tested or changed.
The more you pressure-test these scenarios and walk through them in real terms, the more adaptable and resilient your response becomes. Because when a crisis hits, it won’t play out exactly as expected.
And when theory becomes reality, it’s not the document that saves you.
It’s how you respond.

Artificial intelligence is reshaping how regulators and institutions interact. As AI moves from experimentation into operational decision-making, supervision is shifting toward continuous oversight, shared data environments and earlier engagement in innovation cycles.
The regulator relationship is becoming more collaborative, more technical and more operational.
Insights emerging from VerityXForum discussions suggest this shift represents one of the most significant structural changes in financial services transformation. AI reduces the distance between innovation and systemic risk, requiring regulators to move closer to transformation activity and institutions to evolve how they design operating models.
This evolution does not represent increased control alone — it reflects a new shared responsibility model for safe and scalable innovation.
Historically, regulatory engagement occurred after transformation decisions were largely complete. AI challenges this sequencing.
AI systems influence decisions dynamically, evolve over time and introduce new forms of operational risk. As a result, regulators are increasingly engaging earlier, asking more technical questions and expecting ongoing visibility into how systems behave.
The regulator relationship is therefore moving:
Institutions that adapt their operating models to this reality will scale AI faster and with greater confidence.
Regulatory engagement is shifting upstream. Rather than reviewing outcomes after deployment, regulators are increasingly involved during experimentation, architecture design and control definition.
This reflects the recognition that AI introduces systemic implications before production. Engagement is therefore becoming part of programme design rather than a downstream checkpoint.
For institutions, this requires:
This shift transforms regulatory interaction from approval activity into design input.
The regulator conversation is becoming more technical. Discussions now extend beyond policy interpretation into architecture, model lifecycle management, data lineage, identity frameworks and monitoring. Supervisors increasingly seek to understand how systems behave — not only how they are described.
This elevates the importance of:
Technical design therefore becomes part of regulatory posture. Over time, this dialogue is likely to standardise expectations for AI operating models across markets.
AI challenges supervision models based on periodic reporting. Systems that evolve require oversight approaches that emphasise ongoing visibility.
Continuous supervision focuses on persistent insight into:
This does not imply real-time monitoring of every decision, but it does require institutions to design monitoring capability as infrastructure rather than reporting.
Assurance becomes continuous. Demonstrability becomes operational.
This shift elevates:
Regulatory sandboxes are evolving from experimentation environments into coordination mechanisms.
They increasingly support:
Sandboxes are therefore becoming part of market infrastructure.
For institutions, participation becomes strategic — influencing interpretation, reducing later friction and generating reusable governance patterns.
AI amplifies this value because uncertainty is higher and operating models are still emerging.
The changing regulator relationship reshapes how transformation programmes must be designed.
AI compresses the distance between experimentation, production and systemic impact. Operating models must therefore support continuous transparency, technical demonstrability and coordinated decision-making.
Programmes must be explainable at any stage. Documentation, governance artefacts and architecture traceability must be created alongside build activity.
AI requires persistent collaboration across technology, risk, compliance and business. Handoffs are replaced by co-ownership.
Institutions must show system behaviour continuously. Monitoring, evidence automation and lifecycle visibility become infrastructure.
Sandboxes move into the operating model as acceleration mechanisms that generate reusable standards.
Regulatory engagement becomes a standing dimension of programme governance, with defined dialogue cadence and evidence frameworks.
Institutions that adapt operating models accordingly will scale AI more effectively.
This model describes how institutions evolve toward AI-ready regulator collaboration.
Level 1 — Reactive Compliance
Engagement occurs after build. Documentation is retrospective and dialogue is limited.
Level 2 — Structured Engagement
Defined engagement points exist. Documentation improves and early interpretation discussions begin.
Level 3 — Collaborative Design
Regulator considerations become design inputs. Technical artefacts are created during build and sandbox participation becomes intentional.
Level 4 — Continuous Demonstrability
Monitoring infrastructure supports supervisory visibility. Evidence generation is automated and engagement becomes ongoing.
Level 5 — Strategic Partnership
Institutions help shape supervisory expectations. Sandbox participation is strategic and the regulator relationship is embedded in transformation strategy.
Organisations rarely progress uniformly; the model is most valuable for identifying capability gaps, particularly around demonstrability and cross-functional operating model design.
The next 12 months are about building capability rather than predicting change.
Leaders should take practical steps that improve transparency, engagement and demonstrability without slowing innovation.
Across VerityXForum discussions, a consistent pattern emerges: the organisations scaling AI fastest are those that treat the regulator relationship as a design dimension rather than an external constraint.
Transformation is becoming systemic. AI risk is shared. Trust must be operationalised.
The role of the convener — bringing enterprise leaders, regulators and innovators into structured dialogue — becomes critical in accelerating this transition.
The regulator relationship is no longer peripheral to transformation. It is becoming part of the infrastructure that enables it.
The regulator relationship is entering a new phase defined by transparency, technical dialogue and continuous supervision.
Engagement is earlier. Dialogue is deeper. Supervision is more continuous. Sandboxes are becoming strategic coordination environments.
This evolution reflects a broader structural shift: innovation in regulated markets is becoming a collaborative activity.
Institutions that adapt their operating models to support demonstrability, cross-functional execution and structured engagement will experience faster innovation cycles and reduced regulatory friction.
In the age of AI, supervisory confidence becomes a prerequisite for scale — and a competitive advantage.


