Combatting Cybergeddon with cyber governance in 10 steps
The accelerating worldwide trend of digitisation represents a key business opportunity for European organisations, but also brings with it key business risks. With recent cyber attacks increasing concerns on what the risk experts see as a wider lack of focus on risk governance in cyber security, how can companies in Europe meet their obligations under EU regulations?
Cybersecurity is a matter of corporate governance which is high on the list for today’s European risk managers. This aspect of cybersecurity, however, has not been fully explored by European legislation. Joint with the European Confederation of Institutes of Internal Auditing (ECIIA), we recently set up a working group of risk managers and internal auditors to provide guidance on the governance of cyber risk.
Our report, entitled At the junction of corporate governance and cybersecurity, contains 10 recommendations for a cyber governance model that will benefit European organisations in managing their exposures to cyber risks. We will be covering this report in detail at our Seminar in October, but here is the outline of the 10 steps:
- Transparency and regulation
There is a trend toward more transparency and regulation over cyber security. The implementation of the two new European Union laws impacting cybersecurity, the Network and Information Security Directive and GDPR, will reinforce the obligations for organisations.
- Governance framework
With cybersecurity becoming a matter of corporate governance, the right governance framework is crucial to an efficient management of cyber risks.
- Challenge management
With a strong cyber risk management framework in place, organisations should manage the challenges and opportunities of digitisation in a holistic way and ensure effective management of cyber risk across the organisation.
- OECD principles
The OECD developed eight principles for digital security risk management:
- rights and obligations
- risk assessment
- security measures
- preparedness, resilience and continuity.
These are applicable to the private sector and describe all the aspects to be considered to manage cyber risks effectively. We will be joined by a guest speaker from the OECD at our Seminar later this year for more insight.
- Three Lines of Defence
A cyber risk governance framework should be based on the Three Lines of Defence model to define the role of each function, including that of the Risk Committee and the Audit Committee.
- Risk Committee
Risk Managers should coordinate the Risk Committee which will present selected mitigation plans, including investments in cyber security and insurance coverage solutions, to the Board of Directors.
- Governance focus groups
Organisations should create a “Cyber Risk Governance Group”, reporting to the Risk Committee and chaired by the Risk Manager. The aim for this group is to determine the cyber risk exposure, expressed financially, and establish the possible mitigation plans. The group should cooperate with Internal Auditors to avoid silos.
- Internal audit
Internal Auditors review the controls implemented and give an independent assurance to the Audit Committee about the cyber risk, the efficiency of the controls and the mitigation plans.
- Collaboration of Risk Committees and Audit Committees
The Risk Committees and the Audit Committees must collaborate to present a common view to the Board about cyber risk management.
- Collaboration of Internal Auditors and Risk Managers
The collaboration starts with Internal Auditors working together with Risk Managers to identify and mitigate cyber risks, ensure all mitigation measures for can be audited, collate recommendations for improvements to controls and processes, increase the resilience of organisations to cyber risks and promote a greater competitiveness for European organisations globally.
Day 2 of our FERMA Seminar in Antwerp this October focuses on helping European risk managers get to grips with the cyber issues of tomorrow. The day’s introduction session - Cybergeddon or a manageable risk? – will kick off with a presentation on our cyber risk governance report.