Cybersecurity compliance ‘Left of Bang – V2.0’
The traditional approach for many organizations to managing cybersecurity risk has been to rely on cyber insurance as the main form of risk transfer. This worked when cyber was a low-probability, low-impact event. Cyber is no longer a low-probability, low-impact event; it is a risk whose impact is considered by the U.S. Federal Government and the EU Commission to be high enough that they have seen fit to regulate cybersecurity risk management.
The historic ‘It won’t happen to me’, or Right of Bang, approach to managing cyber is no longer viable. Cyber regulation forces boards to accept that they have to manage cyber risk if they wish to stay in a given market, and to accept a capital allocation for cybersecurity that is to the detriment of the organization’s other capital allocations.
Cyber regulation removes the board’s ability to make decisions based on the cost of implementation alone. It requires boards to demonstrate a reasonable level of cyber compliance that, while economic in nature, has to be justified in line with the board’s responsibility to demonstrate due diligence and due care to shareholders. Cyber insurance still plays an important role in risk management, but if boards decide to stay in covered markets, cyber regulation transfers cyber risk management to corporate financial statements, requiring boards to implement cybersecurity risk management, governance, program oversight and assurance, and to absorb personal and corporate liability for cybersecurity risk management compliance.
In this paper we discuss cybersecurity risk management regulation and the transfer of risk from cyber insurance to corporate financial statements, and the steps organizations should now be considering to manage cybersecurity risk as required under regulations such as EU NIS2, DORA, the CRA and the SEC proposal, together with the potential exposure that the White House ONCD strategy and proposed Australian cybersecurity regulations impose on corporate boards.