Page 44 - the SyI Quarterly 11

Cyber Updates

The pace of change of cybersecurity regulation and its impact on public and private sector organisations

By Andy Watkin-Child CSyP MSyI

Cybersecurity risk management is recognised as a significant issue by many governments and legislators. Recent cyberattacks, including those on SolarWinds, JBS Meat, Kaseya, Colonial Pipeline and Toyota, demonstrate the impact of cyber on supply chains. The average cost of a cyber-attack increased in 2021 to $4.24 million, from $3.86 million in 2020. 2021 saw the rise of ransomware as the predominant cyber threat vector confronting businesses of all sizes. Cyber-insurance costs are increasing, coverage is falling, and insurers are adding policy exclusions or cancelling policies if they cover the Ukraine-Russia conflict. The recent cyberattacks on Electronic Arts, Microsoft, Samsung, Ubisoft, Nvidia and Okta by the Lapsus$ group demonstrated that script kiddies can successfully disrupt major brands.

In response, the U.S. and EU governments are turning to legislation and regulatory regimes to enforce cybersecurity compliance. The Securities and Exchange Commission (SEC) proposed amendments to its rules on 9th March 2022, formalizing disclosure of cybersecurity risk management, strategy, governance, and incident reporting by boards of U.S. public registrants; the Options Clearing Corporation (OCC) filed notice with immediate effect of proposed rule changes concerning the adoption of a cybersecurity attestation program in June 2022; and the U.S. Federal Government and its suppliers are required to comply with the Federal Information Security Modernization Act (FISMA – 2002, 2014 & 2022) for supply chain risk management. The Department of Defence (DoD) requires Defence Industry Base (DIB) contractors and subcontractors globally to comply with DFARS 252.204-7012, 7019 and 7020 and to implement the NIST SP 800-171 cybersecurity standard. The EU is finalising the Network Information Security 2.0 directive (EU NIS 2.0), detailing a suite of cybersecurity requirements that affect Critical National Infrastructure (CNI) providers. The EU has also issued the draft Digital Operational Resilience Act (DORA - 2022), regulating the governance, oversight, and assurance of ICT risk management by EU Financial Institutions (FI) and their ICT suppliers. All of these legislative programs have similar regulatory requirements and extend beyond their national boundaries, touching organisations that are both national and international. The requirements include:

•  Reporting cybersecurity policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity risks as part of its business strategy, financial planning, and capital allocation.

•  Confirming Board governance roles for the oversight of cybersecurity risk, and detailing management's role in assessing and managing such risk, management's cybersecurity expertise, and management's role in implementing the registrant's cybersecurity policies, procedures, and strategies.

•  Implementing a cybersecurity risk management framework and associated cybersecurity program.

•  Reporting material cybersecurity incidents within four business days.

•  Providing regulatory updates on cybersecurity risk management compliance and previously reported cybersecurity incidents.

•  Undertaking independent testing of cybersecurity risk management compliance.

•  Undertaking an independent cybersecurity assessment and certification before a DoD contract is awarded.

The regulations are underpinned by enforcement regimes that include the Department of Justice's (DoJ) Civil Cyber Fraud Initiative; Department of Treasury OFAC rules for ransomware payments; the Basel accords for regulatory capital for covered Financial Institutions; the Securities and Exchange Commission (SEC); and the EU Commission. U.S. Federal Agencies have adopted whistleblower programs, and the government obtained more than US$5.6 billion in False Claims Act (FCA) settlements and judgments in 2021. The act was recently tested in court in both the Comprehensive Health Services (CHS) and Aerojet Rocketdyne cases, which cited DFARS as applied to the DoD's DIB contracts.

The developments in cybersecurity regulations in the U.S. and EU impact both national and international public and private sector organisations. For organisations that trade with the U.S. and EU, there are clear expectations of cybersecurity risk management compliance if they are covered by specific regulations, such as implementing appropriate cybersecurity risk management and cybersecurity programs, and boards implementing appropriate governance, oversight, assurance, reporting and attesting to their organization's cybersecurity risk management compliance.

Impact on national and international organizations

Proposed U.S. and EU legislation sets a high bar for compliance that organisations may find challenging. Cybersecurity risk management and cybersecurity had not been specifically regulated with such breadth or depth by nation states prior to 2022, as demonstrated by the cybersecurity regulations and standards currently enforced in the U.S., UK and EU. Existing UK, EU and U.S. data protection or cybersecurity laws do not have the breadth or depth of data and corporate coverage proposed by the SEC, EU (DORA) and EU NIS 2.0 regulations, which require covered entities to implement cybersecurity risk management, board governance and cybersecurity testing, and to report compliance to national and/or international regulators. The proposed cybersecurity risk management regulations will require organisations to implement cybersecurity risk management programs and practices that are far more comprehensive than those currently in place. One example is the DoD DFARS program, originally implemented in 2017, updated in 2019 and in 2023 likely to require compliance with NIST SP 800-171 prior to DoD contract award. The SEC proposal will require boards of public companies to implement, attest and report to regulators their cybersecurity risk management compliance, board oversight, assurance, and cybersecurity competence. Likewise, DORA and the EU NIS 2.0 directive stipulate similar cybersecurity risk management oversight, assurance, attestation and reporting.

Driving 'Left of Bang' cybersecurity compliance

Cybersecurity risk management is not the same as cybersecurity. Cybersecurity risk management requires an understanding of inherent enterprise-wide risk, control design and effectiveness, and risk mitigation to affect residual risks, managed under a risk management framework, together with the adoption of appropriate cybersecurity practices to mitigate agreed risks and formal reporting to key stakeholders that include regulators and market participants. The U.S. and EU regulatory proposals and enforcement regimes drive cybersecurity 'left of bang', requiring cybersecurity risk management compliance, rather than the traditional 'right of bang' incident response and risk remediation after an incident.

Regulatory enforcement regimes will expose organizations to a level of cyber scrutiny that they have not had to deal with prior to regulation, including regulating board member accountability for cybersecurity risk management. The regimes are being tested in court, setting precedent that will develop over time as cyber incidents are evaluated in court against regulatory compliance programs.