In response to the increase in cyberattacks and the risks that cybersecurity incidents pose to the US economy and to market registrants, the Securities and Exchange Commission (SEC) proposed amendments to its rules on 9th March 2022 that would formalize disclosure of cybersecurity risk management, strategy, governance and incident reporting by the boards of U.S. public registrants.
In May 2022 the European Union (EU) reached provisional agreement on the text of the Network and Information Security (NIS) Directive 2.0 (COD 2020/0359). The original NIS Directive of 2016 was the first piece of EU-wide legislation on cybersecurity; NIS2 replaces and broadens it, with the aim of achieving a high common level of cybersecurity across the EU Member States. In November 2022 the EU adopted the text of the Digital Operational Resilience Act (DORA - COD 2020/0266), which is aimed specifically at the Financial Services sector and requires covered Financial Institutions to manage their own ICT risk exposure and the risks arising from their technology providers, including cloud vendors, independently of existing Basel III regulations and in line with global industry cyber standards. In September 2022 the European Commission published its proposal for a new act setting out cybersecurity requirements for the manufacture, service and support of products with "digital elements", known as the Cyber Resilience Act (the CRA - COD 2022/0272). The CRA will require digital products sold across the EU to demonstrate and maintain their cybersecurity conformity, and to carry a CE marking on the basis of a conformity assessment, before they can be placed on the market in EU Member States.
These four pieces of legislation have common themes for the boards of public and private organisations, critical national infrastructure (CNI) providers and Financial Services firms. They will require organisations to:
1. Disclose their cybersecurity risk management framework and cybersecurity program.
2. Disclose their cybersecurity policies and procedures for the identification and management of cybersecurity risks.
3. Demonstrate their compliance with cybersecurity standards and risk management practices.
4. Disclose the board's role in the oversight of cybersecurity risk evaluation; the board's role in assessing and managing cyber risks; the board members' individual cybersecurity expertise; and management's role in implementing the registrant's cybersecurity policies, procedures and strategies.
5. Require board members to undergo regular cybersecurity education.
6. Report material cybersecurity incidents to regulators within a regulator-defined timeframe.
These proposals hold boards and their leadership teams accountable and responsible for cybersecurity risk management, governance, strategy and incident disclosure. Board members will need to demonstrate their competence in the oversight and assurance of cybersecurity and cybersecurity risk, and boards will need to adopt cybersecurity oversight, assurance and attestation through appropriate governance of their organisation's cybersecurity risks, the delivery of a cybersecurity strategy, and the associated standards, policies and procedures.
These are significant challenges for many organisations. Existing U.S. regulations have already set precedents through the U.S. courts that affect CISOs personally for their management of cybersecurity. The Department of Justice (DoJ) and the Department of the Treasury have recently implemented cybersecurity enforcement programs. We expect that U.S. and EU regulators will focus on boardroom cybersecurity compliance.
To address these concerns we have created a cybersecurity risk management program for the boards of public and private sector organisations, CNI providers and FS firms. The program is aligned with cybersecurity and risk management frameworks and addresses cybersecurity risk management governance, strategy, oversight, assurance and attestation. It is delivered through our Cybersecurity Risk Management Target Operating Model; a summary of the program is enclosed below.