October 19, 2024

BOARD GOVERNANCE AND CYBERSECURITY RISK MANAGEMENT CULTURE

Cyber education

Changing culture, educating leadership teams in oversight and assurance of cybersecurity risk management

Education and Awareness

The enterprise-wide nature of cyber risk creates a complex lens through which boards must view cybersecurity and risk management. Directors and officers must demonstrate oversight, assurance and attestation of cybersecurity risk and regulatory compliance under EU NIS, DORA and the SEC cybersecurity risk management proposal. The complexity of cybersecurity risk management oversight and assurance necessitates good corporate governance. Cyber is a risk that touches all aspects of an organization's financial statements. Wherever data is created, stored, used or transmitted, the cyber risks must be evaluated and their impact attested by the board, whether that data sits inside the organization or moves between the organization and its customers, suppliers, or ICT vendors such as cloud providers.


The EU NIS 2.0 and DORA regulations released in 2022 require board members of covered entities to undertake regular cybersecurity risk management education and to demonstrate their experience in the oversight and assurance of cyber risks. The 2022 Securities and Exchange Commission's (SEC) cybersecurity risk management, strategy, governance and incident disclosure proposal requires board directors and officers to report their cybersecurity knowledge and experience to the SEC and to undergo regular cybersecurity education. Australian regulators expect boards to have suitable skills to effectively challenge the cybersecurity of their organizations.

Executive cybersecurity risk management education

Boards are required to have knowledge and experience in cybersecurity risk management, which means knowledge of both cybersecurity and risk management. They must demonstrate that they have implemented a cybersecurity risk management framework and the appropriate cybersecurity practices to manage their cyber risks, so as to enable effective governance, oversight, assurance and attestation of those risks.

Typical Projects

1. Delivering cybersecurity risk management education to boards and executive leadership teams.

2. 1:1 cybersecurity and risk management coaching for executives.

3. Evaluating and building cyber communications programmes.
