Observing these developments, regulators are prescribing increasingly stringent requirements for Cyber Risk management. New and emerging regulation will force changes on many fronts and will compel firms to demonstrate that they take Cyber Risk seriously in everything they do. However, compliance with these regulations will be only one step towards assuring effective governance and control of institutions’ Cyber Risk.
In this paper, we explore the underlying challenges of Cyber Risk management and analyze the nature of the increasingly stringent regulatory demands. Putting these pieces together, we frame five strategic moves which we believe will enable firms to meet their business needs, their fiduciary responsibilities for Cyber Risk, and regulatory requirements:
- Seek to quantify Cyber Risk in terms of capital and earnings at risk
- Anchor all Cyber Risk governance through risk appetite
- Ensure effective independent Cyber Risk oversight, staffed with specialized skills
- Comprehensively map and test controls, especially for third-party interactions
- Develop and exercise major incident management playbooks