Regulation removes the ability of the board to make decisions based upon the cost of implementation alone. It requires boards to demonstrate a reasonable level of cyber compliance that, while economic in nature, has to be justified in line with the board's responsibility to demonstrate due diligence and due care to shareholders. While cyber insurance plays an important role in risk management, if boards decide to stay in covered markets, cyber regulation transfers cyber risk management to corporate financial statements. It requires boards to implement cybersecurity risk management, governance, program oversight and assurance, and to absorb personal and corporate liability for cybersecurity risk management compliance.
In this paper we discuss cybersecurity risk management regulation and the transfer of risk from cyber insurance to corporate financial statements. We set out the steps organisations should now be considering to manage cybersecurity risk, as required under regulations such as EU NIS2, DORA, the CRA and the SEC proposal, and the potential exposure that the White House ONCD strategy and proposed Australian cybersecurity regulations impose on corporate boards.