A regulatory Target Operating Model (TOM) for the board oversight and assurance of cyber risk.

Cybersecurity risk management is a regulatory requirement that demands board oversight, assurance and attestation

U.S. and EU regulators are addressing the management of cybersecurity risk in the public and private sectors through cyber regulation, and are enforcing cyber compliance on the balance sheets of the covered entities. This shifts cyber risk management from what has, for many organisations, been a focus on incident management ('right of bang') to one of regulatory compliance ('left of bang'). Boards are required to take a proactive approach to managing cybersecurity risk rather than waiting to manage cyber incidents when they occur. By setting cyber regulatory compliance as a board requirement, regulators oblige boards to demonstrate 'situational awareness' of cybersecurity and risk management: through the implementation of a cybersecurity risk management framework, a cybersecurity program, board governance and oversight, assurance, and attestation of their organisation's cyber risks.

Boards will be held to account for the oversight and assurance of cyber supply chain risk management and of their cybersecurity risk management strategy, governance and incident disclosure, which increases their legal and compliance risk. This requires boards to implement robust governance, oversight and assurance in order to demonstrate regulatory compliance.

Cyber is an enterprise-wide risk that requires an integrated approach to its management

Cybersecurity risk management Target Operating Model (TOM)

A model for the oversight and assurance of cybersecurity risks, based upon international cyber standards