Board and organizational accountability for cybersecurity risk management
In what is a response to the increased frequency, severity and complexity of cyberattacks, and the risks associated with cybersecurity incidents on the US and EU economies and market registrants. U.S and EU regulators moved in 2022 to propose and implement cybersecurity risk management regulations. Regulations that included EU NIS 2.0, the EU Digital Operational Resilience Act (DORA), EU Cyber Resilience Act (CRA) and the U.S Securities and Exchange Commission (SEC) proposed cybersecurity risk management, governance and incident disclosure.
All these regulations formalized boards of covered corporate entities to implement cybersecurity risk management; disclose and attest cybersecurity compliance; undertake regular cybersecurity risk management education and declare cyber security incidents in a pre-defined time to appropriate regulators. In the case of the SEC proposal, boards are to declare their personal cyber security risk management experience and engage with external cybersecurity experts to provide board advise for the management of cybersecurity.
Boards will be required to demonstrate their knowledge and experience of cybersecurity risk management to regulators. To assure that as the organisations leaders and those responsible for protecting shareholder value they can effectively remediate cybersecurity risks.
Parava works with boards to enable their effective oversight and assurance of cybersecurity risks. The enclosed paper is a summary of the board education program we deliver to members of executive leadership teams to facilitate their cybersecurity risk management journey.