Managing regulatory compliance and the impact of cyber risks to the business strategy and operations

CYBERSECURITY RISK MANAGEMENT

EU and U.S regulators require boards to manage cybersecurity risks 

Cybersecurity risk management

Cyber attacks were once considered a rare event, with many organisations considering them highly unlikely.  Resulting in many organisations not managing cyber security and cyber risks.  This is no longer the case, the frequency, severity and complexity of cyber attacks has increased.  Cyber is considered an expected loss event, that can have a significant impact on corporate value, lading to cyber regulation.

Cyber risk management is requires oversight, assurance and attestation by boards and executive leadership teams.  Underpinned by enforcement regimes that has seen executives tried and convicted in the U.S.  Oversight and assurance that is delivered through a cybersecurity risk management program.

Cyber risk management is a regulatory requirement

The World Economic Forum has consistently assessed cyber risk in the top 5 global risks, assessing cybersecurity as being a clear and present danger for the public and private sector.  Several high profile cyber attacks in 2021 and 2022 including the Colonial Pipeline, JBS Meat, SolarWinds, Kaseya and  Lapsus$ group hacks demonstrated the impact of cyber on supply chains.  Attacks that resulted in U.S and EU regulators introducing cybersecurity risk management regulations, enforcement regimes and proposals in 2022.  Regulatory regimes and proposals that include EU NIS 2.0; EU DORA; the U.S. Securities and Exchange Commission(SEC) cybersecurity risk management, strategy, governance and incident disclosure proposal; the EU released a Cyber Resilience Act proposal; the U.S Department of Defense DFARS regulation will continue into 2023, with the CMMC program. Further cybersecurity risk management regulations will develop in 2023, as the frequency, severity and complexity of cyber attacks continues to increase.

Regulatory enforcement regimes are developing. In the U.S through the Office of the National Cyber Director (ONCD), Department of Justice (DoJ), Department of Treasury (DoT), Department of Defence (DoD) have developed cybersecurity enforcement regimes.  With the DoJ setting precedence in 2022 using the False Claims Act.

These regulations and proposals require boards and executive leadership teams to take an active role in the oversight and assurance of cybersecurity risk management and cybersecurity; implement cybersecurity risk management frameworks; disclose cybersecurity policies; respond to regulators in the event of cyber incidents and seek external advice and guidance over cybersecurity risk management.

Reviewing the cyber risk management strategy, programme and cybersecurity risk mitigation

To manage cybersecurity risk an organisation has to take active steps to understand its cyber risk profile and adopt appropriate cybersecurity practices to manage cyber risks (NIST SP 800-30, 37 and 39).  U.S and EU cyber regulations require boards to demonstrate that their organisations are managing cybersecurity risks using a cyber risk management framework to manage it’s inherent risk, control effectiveness and residual risk profile.

Typical Projects

We work with organisations to assessing their cybersecurity risk posture.  This includes

1.Evaluating its cybersecurity risk management framework, identifying gaps in compliance. Developing an appropriate cyber risk management framework inline with regulatory requirement.

2.Evaluating an organisations cybersecurity controls and highlighting control gaps and deficiencies.

3.Working with boards to develop appropriate cyber risk appetite and risk statements.

4.Developing appropriate cybersecurity risk management governance reports for cybersecurity risk management oversight and assurance, to address regulatory compliance.