Left Of Bang 2.0: Cybersecurity Risk Transfer, The Board And The Insurance Industry

The traditional approach for many organisations to managing cybersecurity risk has been to rely on cyber insurance as the mechanism of risk transfer. This worked while cyber was a low-probability, low-impact event. It is no longer either: the U.S. Federal Government and the EU Commission now consider the probability and impact of cyber incidents high enough that they have seen fit to regulate cybersecurity risk management directly.

Cyber regulation removes the board's ability to make cybersecurity decisions on the cost of implementation alone. It requires boards to demonstrate a reasonable level of cyber compliance which, while still an economic decision, has to be justified against the board's duty of due diligence and due care to shareholders. If a board decides to remain in a regulated market, cyber regulation moves cyber risk management onto the corporate financial statements: the board must implement cybersecurity risk management, governance, programme oversight and assurance, and must absorb the personal and corporate liability that attaches to compliance with those obligations.

Cyber regulation therefore transfers cyber risk from cyber insurance to the corporate financial statements. What follows sets out the steps organisations should now be considering to manage cybersecurity risk as required under regulations such as EU NIS2, DORA, the CRA and the SEC proposal, and in light of the exposure that the White House ONCD strategy and the proposed Australian cybersecurity regulations place on corporate boards.