Cybersecurity regulation


Cyber regulation transfers cyber risk directly into the board room and onto financial statements

Cybersecurity compliance ‘Left of Bang – V2.0’

The traditional approach for many organisations to managing cybersecurity risk has been to rely on cyber insurance as the main form of risk transfer. This worked when cyber was a low-probability, low-impact event. But cyber is no longer a low-probability, low-impact event: it is a risk whose probability and impact the U.S. Federal Government and the EU Commission consider high enough that they have seen fit to regulate cybersecurity risk management.

The historic ‘It won’t happen to me’, right-of-bang approach to managing cyber will no longer work. Cyber regulation forces boards to accept that they have to manage cyber risk (if they wish to stay in a given market) and to accept the capital allocation for cybersecurity onto the balance sheet, to the detriment of the organisation’s other capital allocation.


Cyber risk management is a regulated requirement

Regulation removes the board’s ability to make decisions based upon the cost of implementation alone. It requires boards to demonstrate a reasonable level of cyber compliance that, while economic in nature, has to be justified in line with the board’s responsibility to demonstrate due diligence and due care to shareholders. Cyber insurance still plays an important role in risk management, but if boards decide to stay in covered markets, cyber regulation transfers cyber risk management onto corporate financial statements. It requires boards to implement cybersecurity risk management, governance, programme oversight and assurance, and to absorb personal and corporate liability for cybersecurity risk management compliance.

In this paper we discuss cybersecurity risk management regulation and the transfer of risk from cyber insurance to corporate financial statements, and the steps organisations should now be considering to manage cybersecurity risk as required under regulations such as EU NIS2, DORA, the CRA and the SEC proposal, together with the potential exposure that the White House ONCD strategy and the proposed Australian cybersecurity regulations impose on corporate boards.

Cybersecurity risk regulation drives cybersecurity compliance ‘Left of Bang’ into the board room

Requiring boards to take accountability and responsibility for compliance