Cybersecurity risk management moves ‘Left of Bang’

Nation states and the public and private sector are starting to realise the risk that cyber poses to national, economic and societal security, writes Andy Watkin-Child, Founding Partner, The Augusta Group.

Cyber is a risk that, unlike physical security, most public and private sector organisations are unfamiliar with. For many reasons it is a risk that public and private sector organisations cannot be relied upon to manage themselves.

Cyber is a risk that is unlike physical security where the public and private sector can, in part, rely upon society to help manage through policing and a nation’s physical security services such as the army, navy and air force.

Cyber is one of the biggest non-financial risks to affect the public and private sector.

It is a risk recognised by the World Economic Forum in its 2023 annual risk report, as a top ten global risk and one of the biggest non-financial risks nation states, their governments and organisations face, behind the cost-of-living crisis and climate change.

Its impact is continually being demonstrated through well publicised and documented cyber-attacks.

The frequency, complexity and severity of cyber-attacks continues to increase.

For example, ransomware attacks were the most significant cyber-threat vector in 2022 and are predicted to be one of the largest non-financial threats that organisations face in 2023, alongside other cyber-threats created by geopolitical tensions.

The increased threat of cyber-attacks and the failure of market forces to manage cyber-risk have driven some US and EU regulators to regulate cyber-risk management. Regulation now being implemented by the US Securities and Exchange Commission (SEC), Food and Drug Administration (FDA) and the European Commission will force public and private sector organisations and their management to adopt cybersecurity risk management – or face significant regulatory, compliance and legal risks.

This regulation is focused both on the organisation and on its management committee members.

Current US and EU regulation and proposals

Cyber regulation is moving quickly. In 2023, US and EU regulators issued several cyber-risk regulations that will affect organisations that trade in, or with, the US or EU.

In January 2023, the EU issued the Network and Information Security Directive 2.0 (“EU-NIS 2”) affecting Critical National Infrastructure (CNI) providers and the Digital Operational Resilience Act (“DORA”) affecting financial institutions, giving EU member states until October 2024 to transpose the regulations into their national law.

The White House Office of the National Cyber Director (ONCD) released the US National Cyber Strategy in March 2023, reaffirming the statement by Chris Inglis (the first National Cyber Director) that cyber regulation is required to manage cyber-risk.

In July 2023, the SEC issued the final cyber rule for market registrants, requiring them to implement cybersecurity risk management governance, oversight and assurance of material cyber-risks and material cyber-incidents, starting in December 2023.

These regulations impact public and private sector organisations and create significant change and impact for covered entities and their supply chains that trade in or with the US or EU member states.

Regulation sets out common themes

US and EU cyber regulation formalises requirements for the management of cyber-risks by covered entities.

CNI providers, financial institutions and capital-market registrants covered by the SEC final cyber rule (which includes Foreign Private Issuers) will be required to address cybersecurity risk management, meaning organisations and their management must demonstrate:

  • They have implemented cyber-risk management frameworks and programs
  • The governance, oversight, assurance and attestation of cyber-risks and incidents
  • The reporting of material/significant cyber-incidents within clearly defined time frames
  • The reporting of cybersecurity processes, policies, procedures
  • Board room, board subcommittee and executive accountability
  • Cyber risk management education, knowledge and experience

Regulation transfers cyber ‘Left of Bang’ and into the board room

A consequence of cyber-risk regulation is to make cybersecurity risk management a legal and compliance obligation for covered entities.

Under the SEC rule, this requires boards and accountable executives to demonstrate that they understand and are managing the effects of cyber-risks and cyber-incidents, in sufficient detail for a reasonable investor to understand the cyber-risks and their potential impact on investment decisions. Under the EU regulations, it requires CNI providers and financial institutions to demonstrate to EU regulators that they are managing the risk of cyber-attacks on the critical services that society requires to function.

Cyber regulation changes the balance of the treatment of cyber-risk for covered entities, from utilising cyber insurance as a tool ‘Right of Bang’ to mitigate the impact of a cyber-attack, to requiring organisations to demonstrate they can prevent a cyber-incident before it becomes a significant issue ‘Left of Bang’.

Regulation forces organisations to manage existing cyber-risks and demonstrate the treatment of newly identified cyber-risks, requiring organisations to allocate sufficient capital to manage cyber-risks based upon the registrant’s risk appetite, with a degree of sufficiency to satisfy a reasonable investor.

It requires covered entities to allocate enough capital to treat cyber-risk, and enough cyber insurance to manage residual risk.

Cyber regulation reduces the choices covered organisations have for managing cybersecurity.

The widely recognised “it won’t happen to me” approach to cybersecurity – managing a cyber incident ‘Right of Bang’ and relying on cyber insurance to cover the cost of a cyber-attack – is an unrealistic option.

Regulation defines the ‘choices’ available to covered entities for cybersecurity compliance. Covered entities and their management can choose to manage cybersecurity risk, attempt to leave the regulated market or accept the risk of regulatory sanctions if they fail to comply.

A consequence of failing to comply could make a successful insurance claim less likely, as D&O and cyber-insurers are more likely to question an organisation and management’s regulatory compliance.

Failing to comply with cyber regulation could be used as the basis for refusing to pay out against a policy.

Without the ability to transfer cyber-risk to D&O and cyber-insurance, and with the requirement to comply with cyber regulation, the cost of managing cyber-risk shifts onto the financial statements of covered entities.

What does this mean?

Cybersecurity risk management regulation places the onus on boards to manage cybersecurity risks ‘Left of Bang’.

Cyber regulation requires organisations to proactively develop the ‘situational awareness’ that enables them to manage cybersecurity risks, better react to the changing cyber-threat landscape and report cybersecurity risk management compliance to regulators.

Cyber regulation increases legal and compliance risk to the board, D&O and accountable executives.

Boards and subcommittees will have to demonstrate management, oversight and assurance of risks and attest to their organisation’s compliance with cyber regulation.

The transparency required by cyber regulation requires board governance practices and oversight from the board risk, audit, cyber, legal and compliance committees.

Organisations will incur compliance costs: implementing a cybersecurity risk management framework and cyber program, employing advisers and security professionals, delivering education and training, obtaining oversight and assurance of cybersecurity from both internal and external auditors, and managing incidents.

Cyber is a significant legal and compliance risk to both board members and security professionals, because regulators and market participants, including investors, rely on declarations made by management and accountable executives. This approach will develop further as regulators expect boards and security professionals to take accountability and responsibility for cybersecurity risk management over the coming months and years.
