Cybersecurity is the most significant non-financial risk faced by the public and private sector. It is a complex risk that market forces alone have failed to manage and a risk that governments are starting to regulate.  A dynamic and unstable risk that today is poorly managed in general by public and private sector companies. Demonstrated by the frequency, complexity and severity of cyber attacks; the ability of the insurance industry to economically underwrite and mediate cyber insurance claims, and recent interventions by the US government in cyber legislation and cyber regulatory enforcement

U.S and EU regulators are moving forward with cyber regulation that will enforce cybersecurity risk management compliance for both the public and private sector. When regulation turns to enforcement it will over time set precedence, re-affirm compliance standards and be tested in court. Enforcement actions place corporate boards and security professionals on notice that their decisions could be assessed at a future date, in response to the decisions made in assessing cybersecurity risks, mitigating risks, and responding to cyber incidents.

Without a well articulated and agreed strategy organizations will not affectively manage cyber risk and will likely waste time and money trying to achieve goals it may not actually reach or which do not enable it to manage the risk.

We have written several papers addressing cybersecurity risk management that have been reviewed by and presented to The White House Office of the national Cyber Director (ONCD), Federal agencies, the Cyberspace Solarium commission and international trade associations.