Cybersecurity oversight and assurance

BOARD GOVERNANCE

Providing the lens through which boards and executive teams oversee and assure cybersecurity risk management

Cyber risk management governance – a requirement under U.S. and EU cyber regulation

Current U.S. and EU cyber regulations and proposals are driving cybersecurity ‘Left of Bang’, setting out common requirements for board cybersecurity risk management governance, strategy, oversight and assurance of covered entities. They require executive boards to demonstrate their oversight and assurance of their cybersecurity risk management strategy, cybersecurity risks, and cybersecurity policies and procedures. Board members will be expected to demonstrate their knowledge and experience in assessing their organisation's compliance with the appropriate cybersecurity risk management regulations.

Cyber risk management Target Operating Model (TOM)

U.S. and EU cybersecurity risk management regulation requires boards and executive leadership teams to oversee, assure and attest to cybersecurity risk management compliance. This requires a Target Operating Model (TOM) that aligns board governance, oversight and assurance, regulatory compliance, corporate oversight functions, security capabilities and domains of operation.

Reviewing cyber governance system and effectiveness

Cybersecurity risk management regulatory compliance is developing quickly. Alongside it are regulatory enforcement regimes such as the U.S. Department of Justice (DoJ) Civil Cyber Fraud initiative, which set a precedent in 2022, and the Department of Treasury (DoT) OFAC regime for ransomware payments. U.S. and EU cyber regulations set out comprehensive requirements for board governance of cybersecurity risks, oversight of cybersecurity risk compliance, regulatory reporting and cyber incident response.

Typical Projects

1. Evaluating current state cybersecurity risk management governance, oversight and assurance.

2. Creating cybersecurity risk management governance programs.

3. Assessing board cybersecurity knowledge and experience.

4. Updating board members on cybersecurity risk management governance.

5. Developing cybersecurity risk management reporting.

6. Developing appropriate cybersecurity organizational design.