Page 45 - the SyI Quarterly 11

Cyber  Updates

The pace of change of Cybersecurity regulation and its impact on public and private sector organisations

By Andy Watkin-Child CSyP MSyI

Cybersecurity risk management is recognised as a significant issue by many Governments and legislators. Recent cyberattacks, including those on SolarWinds, JBS Meat, Kaseya, Colonial Pipeline and Toyota, demonstrate the impact of cyber on supply chains. The average cost of a cyber-attack increased in 2021 to $4.24 million, from $3.86 million in 2020. 2021 saw the rise of ransomware as the predominant cyber threat vector confronting businesses of all sizes. Cyber-insurance costs are increasing, coverage is falling, and insurers are adding policy exclusions or cancelling policies if they cover the Ukraine-Russia conflict. The recent cyberattacks on Electronic Arts, Microsoft, Samsung, Ubisoft, Nvidia and Okta by the Lapsus$ group demonstrated that script kiddies can successfully disrupt major brands.

In response, the U.S. and EU Governments are turning to legislation and regulatory regimes to enforce cybersecurity compliance. The Securities and Exchange Commission (SEC) proposed amendments to its rules on 9th March 2022, formalising disclosure of cybersecurity risk management, strategy, governance, and incident reporting by boards of U.S. public registrants; the Options Clearing Corporation (OCC) filed notice with immediate effect of proposed rule changes concerning the adoption of a cybersecurity attestation program in June 2022; the U.S. Federal Government and its suppliers are required to comply with the Federal Information Security Modernization Act (FISMA – 2002, 2014 & 2022) for supply chain risk management. The Department of Defense (DoD) requires Defense Industrial Base (DIB) contractors and subcontractors globally to comply with DFARS 252.204-7012, 7019 and 7020 and to implement the NIST SP 800-171 cybersecurity standard. The EU is finalising the Network and Information Security 2.0 directive (EU NIS 2.0), detailing a suite of cybersecurity requirements that affect Critical National Infrastructure (CNI) providers. The EU has also issued the draft Digital Operational Resilience Act (DORA - 2022), regulating the governance, oversight, and assurance of ICT risk management by EU Financial Institutions (FI) and their ICT suppliers. All of these legislative programs have similar regulatory requirements and extend beyond their national boundaries, touching organisations that are both national and international. Requirements that include:

•   Reporting cybersecurity policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity risks as part of its business strategy, financial planning, and capital allocation.

•   Confirming Board governance roles for the oversight of cybersecurity risk, detailing management’s role in assessing and managing such risk, management’s cybersecurity expertise, and management’s role in implementing the registrant’s cybersecurity policies, procedures, and strategies.

•   Implementing a cybersecurity risk management framework and associated cybersecurity program.

•   Reporting material cybersecurity incidents within four business days.

•   Providing regulatory updates on cybersecurity risk management compliance and previously reported cybersecurity incidents.

•   Undertaking independent testing of cybersecurity risk management compliance.

•   Undertaking an independent cybersecurity assessment and certification before a DoD contract is awarded.

The regulations are underpinned by enforcement regimes that include the Department of Justice’s (DoJ) Civil Cyber Fraud Initiative; Department of the Treasury OFAC rules for ransomware payments; Basel accords for regulatory capital for covered Financial Institutions; the Securities and Exchange Commission (SEC); and the EU Commission. U.S. Federal Agencies adopt Whistleblower programs, and the government obtained more than US$5.6 billion in False Claims Act (FCA) settlements and judgments in 2021. The act was recently tested in court in both the Comprehensive Health Services (CHS) and Aerojet Rocketdyne cases, citing DFARS as applied to the DoD’s DIB contracts.

The developments in cybersecurity regulations in the U.S. and EU impact both national and international public and private sector organisations. For organisations that trade with the U.S. and EU there are clear expectations of cybersecurity risk management compliance if they are covered by specific regulations, such as implementing appropriate cybersecurity risk management and cybersecurity programs, and boards implementing appropriate governance, oversight, assurance, reporting and attesting to their organisation’s cybersecurity risk management compliance.

Impact on National and International organisations

Proposed U.S. and EU legislation sets a high bar for compliance that organisations may find challenging. Cybersecurity risk management and cybersecurity have not been specifically regulated with such breadth or depth by nation states prior to 2022, as demonstrated by the cybersecurity regulations and standards that are currently enforced in the U.S., UK and EU. Existing UK, EU and U.S. data protection or cybersecurity laws do not have the breadth or depth of data and corporate coverage proposed by the SEC, EU (DORA) and EU NIS 2.0 regulations, which require covered entities to implement cybersecurity risk management, board governance and cybersecurity testing, and to report compliance to national and/or international regulators. The proposed cybersecurity risk management regulations will require organisations to implement cybersecurity risk management programs and practices that are far more comprehensive than those currently in place, such as the DoD DFARS program originally implemented in 2017, updated in 2019, and in 2023 likely to require compliance to NIST SP 800-171 prior to DoD contract award. The SEC proposal will require boards of public companies to implement, attest and report to regulators their cybersecurity risk management compliance, board oversight, assurance, and cybersecurity competence. Likewise, DORA and the EU NIS 2.0 directive stipulate similar cybersecurity risk management oversight, assurance, attestation and reporting.

Driving ‘Left of Bang’, cybersecurity compliance

Cybersecurity risk management is not the same as cybersecurity. Cybersecurity risk management requires an understanding of inherent enterprise-wide risk, control design and effectiveness, and risk mitigation to affect residual risks, managed under a risk management framework; the adoption of appropriate cybersecurity practices to mitigate agreed risks; and formal reporting to key stakeholders that include regulators and market participants. The U.S. and EU regulatory proposals and enforcement regimes drive cybersecurity ‘left of bang’, requiring cybersecurity risk management compliance, rather than the traditional ‘right of bang’ incident response and risk remediation post incident.

Regulatory enforcement regimes will expose organisations to a level of cyber scrutiny that they have not had to deal with prior to regulation, including regulating board member accountability for cybersecurity risk management. The regimes are being tested in court, setting precedents that will develop over time as cyber incidents are evaluated in court against regulatory compliance programs.

