Our reliance on on-demand data and our dependence on digital infrastructure, products and services has created a twofold digital risk: first for the public and private sectors themselves, and secondly for the customers of the products and services they create. We all depend on digital products and services to the extent that they now influence nearly all aspects of our daily lives. Food production, healthcare, pharmaceuticals, financial services, transportation, energy and water supply, defence and manufacturing all rely heavily on digital infrastructure and ICT (information and communications technology). But the technology they use to create, store, manage and transmit data generates ICT risks that threaten the operational resilience, performance and stability of the very organisations that rely on it.
In this article, we look at the current landscape of cyber risks and how businesses are developing their approach to regulation and risk management. In this respect, the US and EU are very much leading the way, with the UK yet to clarify how it will implement the outcome of its consultation on proposals to improve the UK’s cyber resilience.
For UK businesses, in particular those trading with the US and EU, it will pay to get ahead of the game and consider how to manage the increasing risks inherent in cyber.
Cyber is one of the biggest risks affecting ICT. Cybersecurity failures were recognised by the World Economic Forum in its 2022 annual risk report as a top 7 global risk and, apart from climate change and global systemic risks such as Covid, one of the biggest non-financial risks faced by nation states, their governments and organisations.
Its impact was amply demonstrated in 2021 and 2022 following cyber-attacks on major US businesses including Colonial Pipeline, JBS Meat, SolarWinds and Kaseya, and by the effect on US supply chains and global organisations of attacks on Microsoft, Nvidia and Samsung by the internationally focused hacker group Lapsus$. The impact of these attacks led to new legislation: the introduction of US Presidential Executive Order 14017 (February 2021), Securing America's Supply Chains, and 14028 (May 2021), Improving the Nation's Cybersecurity. But the threat remains.
We need only look at the Ukraine-Russia crisis to see the first example of a hybrid war demonstrating the use of cyber-attacks by all sides in the conflict. The theft of intellectual property from the US Defense Industrial Base (DIB) has raised significant concerns within US Congress over the impact of cyber-attacks on US national security.
The frequency, complexity and severity of cyber-attacks are increasing. Ransomware attacks were the most significant cyber threat vector in 2021 and these, alongside cyber threats created by geopolitical tensions, were predicted to be one of the largest non-financial threats that organisations faced in 2022. Cyber-attacks are predicted to remain a significant issue in 2023, driving the need for US and European Union regulators to continue developing further cybersecurity risk management regulations. Chris Inglis, national cyber director at The White House, has stated several times, as recently as January 2023, that market forces have not yet addressed cybersecurity, and that regulation will therefore be used as the means. We can expect more cyber regulation in 2023 and beyond.
Current US and EU cybersecurity risk management regulation and proposals
In 2022, US and EU regulators released several cybersecurity risk management regulations and proposals. These included the Securities and Exchange Commission (SEC) cybersecurity risk management, strategy, governance and incident reporting proposal, affecting firms that access US capital markets, governed under the Securities and Exchange Act 1934. The US Department of Defense (DoD) reaffirmed its plans to implement the Cybersecurity Maturity Model Certification (CMMC) regime on the global Defense Industrial Base (DIB), under Defense Federal Acquisition Regulation Supplements (DFARS). The EU released an update to its Network and Infrastructure Security (EU NIS 2.0) Directive, which affects the suppliers of Critical National Infrastructure. The EU also released the Digital Operational Resilience Act (DORA), which impacts financial institutions. In 2022, US and EU regulators proposed that manufacturers of ICT products and services certify to cybersecurity risk management standards before products and services can be sold in the EU or US.
The White House Office of the National Cyber Director (ONCD) is expected to release a national cybersecurity strategy in the first quarter of 2023, reaffirming Chris Inglis' statement that cyber regulation is required to manage cyber risk. It is anticipated that these regulations are only the start of cybersecurity regulatory proposals for the US and EU.
US and EU cybersecurity regulatory enforcement regimes
In 2021 the US Department of Justice launched its Civil Cyber-Fraud Initiative to address failures in compliance with cybersecurity standards set out in government contracts, with the intent to use the False Claims Act (FCA) to address cyber-related fraud by government contractors. The FCA has a unique and well-tested whistleblower provision, allowing private parties to assist the US government in identifying and pursuing fraudulent conduct. By way of example, the FCA recovered over $5.6 billion in 2021, with whistleblowers being paid between 10% and 30% of the recovered amount.
In 2021 the US Department of the Treasury reaffirmed the potential sanctions risks that organisations face if they facilitate ransomware payments in connection with cyber-related activities under OFAC (Office of Foreign Assets Control) sanctions. In 2022, US regulators addressed cybersecurity compliance in court, with notable cases involving Uber, Aerojet Rocketdyne, CHS health, Drizly and Mondelez that have started to set legal precedent, resulting in civil and criminal penalties. The Uber case (October 2022) resulted in Uber's chief security officer receiving a criminal conviction for obstructing the Federal Trade Commission and 'misprision' (knowingly concealing a crime), a case that raises issues over cybersecurity governance, transparency and incident reporting.
EU regulators are in the early stages of implementing cyber regulations and have yet to define enforcement regimes for the public and private sectors. The EU has, however, set enforcement precedent through GDPR since 2018.
Cyber regulation is driving cybersecurity risk management ‘Left of Bang’
As regulators address the management of cybersecurity risks by the public and private sectors, they are enforcing cyber compliance on the balance sheets of those covered entities, transferring cyber risk management from incident management, or 'right of bang' (which is what many organisations previously focused on), to regulatory compliance, or 'left of bang'. This requires boards to take a proactive approach to managing cybersecurity risks rather than waiting to manage cyber incidents when they occur. By setting cyber regulatory compliance as a board requirement, boards will be required to demonstrate 'situational awareness' of cybersecurity and risk management through the implementation of a cybersecurity risk management framework, a cybersecurity programme, board governance and oversight, and assurance and declaration of their organisation's cyber risks. Boards will be held to account for the oversight and assurance of cyber supply chain risk management and for their cybersecurity risk management strategy, governance and incident disclosure, increasing legal and compliance risk.
The impact of US and EU cybersecurity regulation in the boardroom
The aim of US and EU cyber regulation is to improve the cybersecurity risk management of public and private sector organisations. A by-product of this is that it will affect national and international companies that are based in, or trade with, both the US and EU. For example, the SEC proposal impacts public firms that trade on SEC-regulated markets (which includes foreign private issuers); EU NIS 2.0 regulates Critical National Infrastructure (CNI) providers and their supply chains; EU DORA affects financial institutions and requires supply chain risk management over their ICT product and service manufacturers, including cloud; and US DoD DFARS affects defence contractors covered under DFARS 252.204-7012.
The US and EU regulations mentioned above share some common themes, requiring covered entities:
- To implement a cybersecurity risk management framework
- To demonstrate cybersecurity risk management governance
- To have their boards undertake regular cybersecurity risk management education and training
- To have their boards declare their cyber skills and experience and ensure appropriately qualified oversight and assurance of their organisation's cybersecurity risks and cyber programme
- To declare cyber incidents to regulators.
What this means for board members, compliance teams and security professionals
Cyber regulation increases legal and compliance risk for the board function, executive officers and security professionals. Boards will have to demonstrate their management, oversight and assurance of cybersecurity risks and the skills and experience of the board to evaluate cyber risks, evaluate and attest their organisation's compliance with cybersecurity requirements, and report cyber incidents. In the case of the US and EU cyber proposals, this will require products and services to have a certificate of cybersecurity compliance, and boards will be exposed to requirements that could impact their access to markets.
The transparency required by cyber regulation calls for board governance practices and board committee oversight of cyber risks that will likely include oversight from the board risk, audit, cyber, legal and compliance committees. Organisations will incur compliance costs to implement a cybersecurity risk management framework and cyber programmes, to employ board advisers and security professionals, to deliver cyber education and training, to provide oversight and assurance of cybersecurity by both internal and external auditors, and to cover costs associated with incident management and incident.
Regulatory reporting increases legal risks for both board members and security professionals, as regulators will fall back on declarations made under cyber regulations if an organisation is unfortunate enough to have to report a cyber incident. The recent Uber CSO and Drizly cases demonstrate the approach regulators are taking in respect of an organisation's handling of cyber incident reporting, an approach that will develop as regulators expect boards and security professionals to take accountability and responsibility for cybersecurity risk management.
This article is co-written with Andy Watkin-Child, founding Partner of Parava Security Solutions, a consultancy specialising in helping leaders manage cybersecurity risks.