Cybersecurity is a complex, costly, difficult to manage and now a regulated risk

Cyber is one of the biggest risks to affect ICT. Cybersecurity failures were recognised by the World Economic Forum in its 2023 annual risk report as a top 10 global risk and one of the biggest non-financial risks faced by nation states, their governments, and organizations. Cybersecurity also received significant focus at Davos 2023, with experts call for a response to the gathering ‘cyber storm’. A storm demonstrated in 2021 and 2022 following cyber-attacks on major US businesses including the Colonial Pipeline, JBS Meat, SolarWinds and Kaseya, by the effect on US supply chains and global organizations of attacks on Microsoft, Nvidia, and Samsung by internationally focused hacker group, Lapsus$ and by the theft of U.S Defense IP. Attacks that led to new legislation: the introduction of US Presidential Executive Order 14017 (February 2021), Securing Americas Supply Chains, and 14028 (May 2021), Improving the Nations Cybersecurity but the threat remains.

In 2022 U.S and EU regulators moved forward with cybersecurity risk management regulations and proposals. Regulations and proposals that include EU NIS 2, DORA, the CRA, the SEC cybersecurity risk management proposal, the U.S DoD DFARS/ CMMC program and the U.S National Cyber Strategy released in March 2023 that focuses on U.S national cyber regulation.  These regulations have key themes of cybersecurity risk management, board oversight, assurance and attestation, board accountability and responsibility for cybersecurity risks and board reporting of cyber incidents to regulators.  Effecting firms trading in and with the U.S and EU.