Cybersecurity risk management
Cyber attacks were once considered a rare event; many organizations considered them highly unlikely and, as a result, did not manage cybersecurity and cyber risks. This is no longer the case: the frequency, severity and complexity of cyber attacks have increased. Cyber is now considered an expected loss event that can have a significant impact on corporate value and is a risk to national security, which has led to cyber regulation. Cyber risk management regulation requires oversight, assurance and attestation by boards and their Directors and Officers, underpinned by enforcement regimes that have seen executives tried and convicted in the U.S. for failing to manage cybersecurity.
Cyber risk management is a regulatory requirement
The World Economic Forum has consistently assessed cyber risk as one of the top 5 global risks and a clear and present danger for the public and private sector. Several high-profile cyber attacks in 2021 and 2022, including the Colonial Pipeline, JBS Meat, SolarWinds, Kaseya and Lapsus$ group hacks, demonstrated the impact of cyber on supply chains. These attacks resulted in U.S. and EU regulators introducing cybersecurity risk management regulations, enforcement regimes and proposals in 2022 and H1 2023. These regimes and proposals include EU NIS 2.0; DORA; the U.S. Securities and Exchange Commission (SEC) cybersecurity risk management proposal; the White House Office of the National Cyber Director (ONCD) cyber strategy; the EU Cyber Resilience Act proposal; and the U.S. Department of Defense DFARS regulation. Further cybersecurity risk management regulations will develop in 2023 as the frequency, severity and complexity of cyber attacks continue to increase.
Regulatory enforcement regimes are developing. In the U.S., the Office of the National Cyber Director (ONCD), the Department of Justice (DoJ), the Department of the Treasury (DoT) and the Department of Defense (DoD) have developed cybersecurity enforcement regimes, with the DoJ setting a precedent in 2022 using the False Claims Act.
These regulations and proposals require boards and executive leadership teams to take an active role in the oversight and assurance of cybersecurity risk management and cybersecurity; implement cybersecurity risk management frameworks; disclose cybersecurity policies; respond to regulators in the event of cyber incidents; and seek external advice and guidance on cybersecurity risk management.
Reviewing the cyber risk management strategy, programme and cybersecurity risk mitigation
To manage cybersecurity risk, an organisation has to take active steps to understand its cyber risk profile and adopt appropriate cybersecurity practices to manage cyber risks (NIST SP 800-30, 800-37 and 800-39). U.S. and EU cyber regulations require boards to demonstrate that their organisations are managing cybersecurity risks using a cyber risk management framework that addresses inherent risk, control effectiveness and the residual risk profile.
We work with organizations to assess their cybersecurity risk posture. This includes:
1. Evaluating the organization's cybersecurity risk management framework and identifying gaps in compliance, then developing an appropriate cyber risk management framework in line with regulatory requirements.
2. Evaluating an organization's cybersecurity controls and highlighting control gaps and deficiencies.
3. Working with boards to develop appropriate cyber risk appetite and risk statements.
4. Developing appropriate cybersecurity risk management governance reports for oversight and assurance of cybersecurity risk management, to address regulatory compliance.