Cyber is a complex, costly and difficult risk to manage, and now a regulated risk
Cyber is one of the biggest risks affecting ICT. Cybersecurity failures were recognised by the World Economic Forum in its 2022 annual risk report as a top 7 global risk and, apart from climate change and global systemic risks such as COVID, one of the biggest non-financial risks faced by nation states, their governments and organisations. Cybersecurity also received significant focus at Davos 2023, with experts calling for a response to the gathering ‘cyber storm’. That storm was demonstrated in 2021 and 2022 by cyber-attacks on major US businesses including Colonial Pipeline, JBS Meat, SolarWinds and Kaseya; by the effect on US supply chains and global organisations of attacks on Microsoft, Nvidia and Samsung by the internationally focused hacker group Lapsus$; and by the theft of U.S. Defense IP. The impact of these attacks led to new legislation: the introduction of US Presidential Executive Orders 14017 (February 2021), Securing America’s Supply Chains, and 14028 (May 2021), Improving the Nation’s Cybersecurity. But the threat remains.
In 2022, U.S. and EU regulators moved forward with cybersecurity risk management regulations and proposals, and will continue to do so in 2023. These regulations and proposals include EU NIS 2, DORA, the CRA, the SEC cybersecurity risk management proposal, the U.S. DoD DFARS/CMMC program and the soon-to-be-released U.S. National Cyber Strategy, which is expected to focus on U.S. national cyber regulation. All so far share a core theme of cybersecurity risk management, board accountability and responsibility, and regulatory enforcement, and all affect firms trading in and with the U.S. and EU.