Page 185 - Cyber Defense eMagazine September 2025
sprawl of documentation spelling out how the firm’s controls meet each specific requirement, with
evidence of controls and analysis repeated again and again to account for slight deviations in
expectations from jurisdiction to jurisdiction and rule to rule.
This manual process consumes thousands of hours, imposes ongoing demands on the control owners,
cybersecurity teams and compliance specialists charged with monitoring and keeping up with regulatory
changes, and creates real compliance risk for firms that make mistakes in the static documentation or
fail to keep up with regulatory revisions.
The LLM solution
The emergence of Large Language Models (LLMs) is allowing financial service firms to turn that model
on its head, changing what was a reactive process into a proactive risk-based program.
By applying LLMs, cybersecurity teams can create a central repository of controls and use the artificial
intelligence solution to analyze and document how specific regulatory expectations are being met. The
LLM can be prompted to identify the general risk being remediated by each control and then translate
how that remediation applies to meet the varying expectations set by individual regulators and industry
standards across jurisdictions.
Consider the example of passwords. A financial services firm operating in the United States, Europe and
Asia might be subject to at least three regulatory regimes that touch on password length:
• The EU’s DORA (Digital Operational Resilience Act) doesn’t prescribe specific password lengths.
Instead, it mandates that financial entities implement robust ICT risk-management frameworks,
including secure authentication mechanisms, which are expected to align with industry best
practices such as the guidance published by NIST and ENISA.
• The New York Department of Financial Services (NYDFS) Cybersecurity Regulation requires
firms to implement risk-based policies for access controls, including password complexity. While
the rule does not mandate a specific length, it emphasizes strong authentication and periodic
review of access privileges.
• The Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines
recommend a minimum password length of 12 characters for privileged accounts and eight
characters for standard users. The guidelines also emphasize the use of multi-factor
authentication (MFA) and password expiration policies.
Rather than manually spelling out how the firm’s controls meet the different expectations of each of these
three rules, an AI solution uses a one-to-many approach. First, the LLM is prompted to identify the
firmwide control that addresses the topic of password length. That control is then translated into the
specific expectations of each requirement. The result is a report showing how each requirement is met
by the firm’s existing controls.
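The one-to-many mapping is easiest to trust when the control repository is structured and each regulator's expectation is written as a check the firm can re-run whenever the control or the rule changes, with the LLM's narrative sitting on top of that result rather than replacing it. The block below is an added example, not code from the article or from any vendor's product: a single password control assessed against the three regimes summarised above. The MAS figures (12 and 8 characters, MFA, expiration) and the NYDFS and DORA themes (risk-based policy, strong authentication, periodic review) come from the text; the 8-character baseline used to give DORA a numeric test is an assumption the firm would have to choose and document itself, and the sample control and evidence strings are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumption: for regimes that set no numeric length (DORA, NYDFS) the firm
# maps the requirement to a documented best-practice figure. 8 characters is
# used here as that assumed baseline.
BASELINE_MIN_LEN = 8


@dataclass
class Control:
    """One entry in the central control repository."""
    control_id: str
    title: str
    risk: str                              # general risk the control remediates
    min_len_standard: int
    min_len_privileged: int
    mfa_required: bool
    max_age_days: Optional[int]            # None means no forced rotation
    review_interval_days: Optional[int]    # periodic access-privilege review
    evidence: list = field(default_factory=list)


@dataclass
class Requirement:
    """A regulator's expectation, expressed as a check over a Control."""
    regulator: str
    reference: str
    check: Callable[[Control], list]       # returns findings; [] = satisfied


def check_mas(c: Control) -> list:
    # Figures as summarised in the article: 12 for privileged accounts,
    # 8 for standard users, plus MFA and password expiration.
    f = []
    if c.min_len_privileged < 12:
        f.append(f"privileged minimum length {c.min_len_privileged} < 12")
    if c.min_len_standard < 8:
        f.append(f"standard minimum length {c.min_len_standard} < 8")
    if not c.mfa_required:
        f.append("MFA not required")
    if c.max_age_days is None:
        f.append("no password expiration policy")
    return f


def check_nydfs(c: Control) -> list:
    # Risk-based access-control policy, strong authentication, periodic review.
    f = []
    if not c.risk.strip():
        f.append("control does not state the risk it addresses")
    if not c.mfa_required:
        f.append("strong authentication (MFA) not required")
    if c.review_interval_days is None:
        f.append("no periodic review of access privileges")
    return f


def check_dora(c: Control) -> list:
    # No numeric length; secure authentication tied to an ICT risk, with the
    # assumed baseline standing in for "industry best practice".
    f = []
    if not c.risk.strip():
        f.append("control is not tied to an ICT risk")
    if not c.mfa_required:
        f.append("secure authentication mechanism (MFA) not required")
    if min(c.min_len_standard, c.min_len_privileged) < BASELINE_MIN_LEN:
        f.append(f"minimum length below assumed baseline of {BASELINE_MIN_LEN}")
    if not c.evidence:
        f.append("no evidence recorded")
    return f


REQUIREMENTS = [
    Requirement("MAS", "TRM Guidelines (password length, MFA, expiration)", check_mas),
    Requirement("NYDFS", "Cybersecurity Regulation (access controls)", check_nydfs),
    Requirement("EU", "DORA (ICT risk management, authentication)", check_dora),
]


def assess(control: Control, requirements=REQUIREMENTS) -> dict:
    """One-to-many mapping: one control evaluated against every requirement."""
    return {r.regulator: r.check(control) for r in requirements}


def render_report(control: Control, results: dict) -> str:
    lines = [f"{control.control_id} {control.title} (risk: {control.risk})"]
    for regulator, findings in results.items():
        status = "MET" if not findings else "GAP"
        lines.append(f"  [{status}] {regulator}")
        lines.extend(f"      - {x}" for x in findings)
    return "\n".join(lines)


# Constructed sample control, not any real firm's policy.
SAMPLE = Control(
    control_id="IAM-07",
    title="Enterprise password standard",
    risk="credential guessing and reuse",
    min_len_standard=14,
    min_len_privileged=16,
    mfa_required=True,
    max_age_days=None,          # no forced rotation, per current best practice
    review_interval_days=90,
    evidence=["IdP policy export 2025-06", "quarterly access review ticket"],
)

if __name__ == "__main__":
    print(render_report(SAMPLE, assess(SAMPLE)))
```

Running it shows the kind of result the report is meant to surface: the sample control clears the NYDFS and DORA checks, but the MAS check flags the absence of an expiration policy, because a control written to modern no-rotation guidance still has to be reconciled with a regulator that emphasises expiration. That reconciliation is exactly the judgement the LLM-generated narrative has to explain, and the deterministic check is what keeps the narrative honest.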
Let’s look at another example: privileged access expectations. Here again, an international financial
services company must comply with rules from the EU, the NYDFS and the MAS, among others.
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.