The World Economic Forum has consistently ranked cyber risk among the top 5 global risks, assessing cybersecurity as a clear and present danger for the public and private sectors. Several high-profile cyber attacks in 2021 and 2022, including the Colonial Pipeline, JBS Meat, SolarWinds, Kaseya and Lapsus$ group hacks, demonstrated the impact of cyber attacks on supply chains. These attacks resulted in U.S. and EU regulators introducing cybersecurity risk management regulations, enforcement regimes and proposals in 2022. These regulatory regimes and proposals include EU NIS 2.0; EU DORA; the U.S. Securities and Exchange Commission (SEC) proposal on cybersecurity risk management, strategy, governance and incident disclosure; the EU's Cyber Resilience Act proposal; and the U.S. Department of Defense DFARS regulation, which will continue into 2023 with the CMMC program. Further cybersecurity risk management regulations will develop in 2023, as the frequency, severity and complexity of cyber attacks continue to increase.
Regulatory enforcement regimes are developing. In the U.S., the Office of the National Cyber Director (ONCD), Department of Justice (DoJ), Department of Treasury (DoT) and Department of Defense (DoD) have developed cybersecurity enforcement regimes, with the DoJ setting a precedent in 2022 by using the False Claims Act.
These regulations and proposals require boards and executive leadership teams to take an active role in the oversight and assurance of cybersecurity risk management and cybersecurity; implement cybersecurity risk management frameworks; disclose cybersecurity policies; respond to regulators in the event of cyber incidents; and seek external advice and guidance on cybersecurity risk management.