← Back to W² Advisory
Field Notes · Cross-Sector

One resilience grammar, three dialects

Finance, healthcare and critical infrastructure are regulated by different agencies, under different statutes, in different language. Yet when you read their resilience obligations side by side, they are saying the same eight things. Here is the evidence — and where the dialects genuinely diverge.

Regulators don’t coordinate across sectors. The banking agencies, CMS, the FDA, the Coast Guard, FERC and the FCC write to their own mandates, and a hospital’s emergency-preparedness rule looks nothing like a bank’s operational-resilience regime on the page. So it is striking that when you strip each rule down to the obligation it imposes — the concrete thing a regulated entity must do — the three sectors converge on a single, short list. We mapped 2,315 in-force resilience obligations across finance (844), healthcare (497) and critical infrastructure (974) onto a common framework. Every principle in that framework appears in all three sectors. The interesting part is what differs: not which principles, but how much weight each sector puts on each one.

Convergence is near-total at the principle level; divergence lives in the weighting. Eight resilience principles — governance, risk assessment, business continuity, disaster recovery, third-party risk, incident reporting, testing, and technical controls — are present in all three sectors. None is unique to one. What separates the sectors is emphasis: finance leans hardest on governance, third-party oversight and incident reporting; healthcare on continuity of care and physical emergency preparedness; critical infrastructure on technical/OT controls and mandatory outage reporting. Same grammar, three dialects.

The evidence: eight principles, every sector

Share of each sector’s in-force resilience obligations that touch each principle. Darker = heavier emphasis. Every cell is populated — that is the shared core.
Finance844 obl.Healthcare497 obl.Critical infra974 obl.Governance & accountability14.3%5.8%3.1%Risk & resilience assessment13.6%12.5%7.6%Business continuity & op. resilience28.6%46.3%6.0%Disaster recovery & backup3.3%2.8%4.3%Third-party & supply-chain risk21.1%5.4%8.9%Incident detection / response / reporting33.9%10.9%36.6%Testing & exercises12.3%8.2%3.5%Technical & cyber controls32.6%23.7%48.3%SHARE OF EACH SECTOR'S OBLIGATIONS TOUCHING EACH PRINCIPLE · DARKER = HEAVIER EMPHASIS (THE BRANCH)EVERY PRINCIPLE IS PRESENT IN EVERY SECTOR — THE SHARED CORE

The shared core, in the regulators’ own words

The convergence is not an artifact of how we labelled things. Read the actual obligations and the family resemblance is unmistakable — four different agencies, four different sectors, asking for the same control. Every quote below is from an in-force rule.

PrincipleFinanceHealthcareCritical infrastructure
Risk assessment “Conduct a periodic Risk Assessment that considers the availability and effectiveness of controls to protect Information Systems.”NYDFS · 23 NYCRR 500.9(a) “Hospitals must conduct security risk management, in addition to security risk analysis, and attest to having done so.”CMS · 42 CFR 495.4 “Conduct a Cybersecurity Assessment… identifying vulnerabilities in critical IT and OT systems.”USCG · 33 CFR 101.650(e)(1)
Incident response & reporting “Notify the Board of incidents… and notify participants and relevant entities of material operational incidents in a timely manner.”FRB Reg HH · 12 CFR 234.3(a)(17) “Notify affected individuals of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery.”HHS · 45 CFR 164.404 “Report reportable cyber incidents to the National Response Center without delay.”USCG · 33 CFR 101.620(b)(7)
Third-party risk “Adopt a strategy on ICT third-party risk… and, before contracting for critical functions, assess concentration risk.”DORA · Reg (EU) 2022/2554 Art. 28 “Obtain satisfactory assurances by written agreement that business associates will safeguard ePHI before granting access.”HHS · 45 CFR 164.308(b)(1) “Applicants must report whether they use third-party foreign-adversary service providers in operating the submarine cable.”FCC · 47 CFR Part 1 (submarine cable order)
Testing & exercises “Conduct threat-led penetration testing at least every three years on critical or important live production systems.”DORA · Reg (EU) 2022/2554 Art. 26 “Conduct emergency-plan exercises at least twice a year, including a full-scale community exercise plus a drill or tabletop.”CMS · 42 CFR 482.15(d)(2) “Conduct two cybersecurity drills every 12 months as required by the security-plan regulations.”USCG · 33 CFR 101.635(b)(1)

Why they converge

Three forces, none of them coordination. First, a shared threat surface: a hospital, a bank and a port now run on the same cloud platforms, the same managed-service providers and the same networked operational technology, so the failure modes — ransomware, a critical-vendor outage, a data-integrity loss — are common, and controls written to address them rhyme. Second, supervisory technique travels: the operational-resilience template pioneered in UK and EU financial regulation — identify critical operations, set impact tolerances, map dependencies, test to failure — has been visibly borrowed by health and infrastructure regulators, and the same “name a responsible officer, keep a plan, test it, report incidents” scaffolding recurs verbatim. Third, incident reporting is being standardised as the connective tissue: HIPAA’s 60-day breach clock, the Coast Guard’s “without delay” report to the National Response Center, CIRCIA’s 72-hour reporting rule and DORA’s staged major-incident report are the same instinct — regulators want a fast, structured account of what broke and which supplier sat behind it.

The branches: where the dialects genuinely differ

Finance speaks the management-system dialect. It carries the heaviest load on governance and accountability (14.3% of its obligations, versus 3.1% in critical infrastructure), third-party oversight (21.1%) and formal testing. Its distinctive vocabulary — program, written policy, senior management, customer information — is the language of an auditable control framework wrapped around the institution. Finance regulates the system of management.

Healthcare speaks the continuity-of-care dialect. Business continuity and operational resilience dominate its book (46.3%, the heaviest single principle in its book), driven by the CMS Emergency Preparedness rules — and its distinctive terms are physical and human: emergency, preparedness, communication plan, staff, ePHI. Healthcare’s resilience is about keeping patients safe when the power, the water or the EHR goes down, not about a documentation régime.

Critical infrastructure speaks the keep-the-lights-on dialect. Technical and OT controls (48.3%) and mandatory incident/outage reporting (36.6%) crowd out everything else, and governance is almost absent (3.1%). Its vocabulary — network, outage, BES cyber system, NORS, reliability, submit — is the language of engineered systems and the regulator’s outage inbox. It regulates the machinery and the mandatory phone call, not the boardroom.

The principle-by-principle numbers

Count of in-force resilience obligations per principle, and the share of each sector’s book. An obligation can serve more than one principle, so rows are not mutually exclusive.
PrincipleFinanceHealthcareCritical infraPresent in all 3?
Governance & accountability121 (14.3%)29 (5.8%)30 (3.1%)Yes
Risk & resilience assessment115 (13.6%)62 (12.5%)74 (7.6%)Yes
Business continuity & op. resilience241 (28.6%)230 (46.3%)58 (6.0%)Yes
Disaster recovery & backup28 (3.3%)14 (2.8%)42 (4.3%)Yes
Third-party & supply-chain risk178 (21.1%)27 (5.4%)87 (8.9%)Yes
Incident detection / response / reporting286 (33.9%)54 (10.9%)356 (36.6%)Yes
Testing & exercises104 (12.3%)41 (8.2%)34 (3.5%)Yes
Technical & cyber controls275 (32.6%)118 (23.7%)470 (48.3%)Yes
How this was built — and its limits.
  • What the corpus is. 2,315 in-force obligations that a resilience-focused monitor extracted from primary filings (Federal Register, eCFR, EUR-Lex and agency rules) across the three sectors. It is a resilience lens, not the full rulebook — so shares describe where each sector’s resilience obligations concentrate, which is exactly the question here.
  • The mapping is lexical, reconciled to a canon. Principles were first surfaced bottom-up from the obligations’ own vocabulary, then each obligation was scored against a transparent keyword-and-domain lexicon. It is deterministic and reproducible, not a black box — but a keyword mapping will miss or double-count at the margin. An obligation can map to several principles.
  • Coverage is uneven. The healthcare book (497) is smaller than finance (844) and infrastructure (974), and healthcare/infrastructure remain US-weighted — their EU instruments are now extracted article-by-article from primary EUR-Lex text, while UK and Canada coverage is deliberately lighter and finance carries the deepest international set. Percentages are within-sector shares, so this is comparable — but the international branches of health and infrastructure will sharpen as that coverage is completed.
  • This is a thought-leadership analysis, not compliance advice. Applicability is entity- and activity-specific. Nothing here tells a particular firm what it must do.
What this means

A resilience capability is portable across sectors

Building resilience across more than one sector?

WSquare Advisory builds the operating capability that these regimes increasingly expect — continuity, third-party oversight and incident response — in a form that carries across finance, healthcare and infrastructure rather than being rebuilt for each. If that’s the work in front of you, let’s talk.

Start a Conversation →