In 2014, NIST released the Cybersecurity Framework (CSF) to set a standard for organizations to understand, manage, and reduce cybersecurity risk. Created through collaboration between the US government and private sector, the CSF provides a series of flexible cybersecurity guidelines that can be tailored to each organization’s unique needs. It has been downloaded more than two million times across 185+ countries, and translated into at least nine languages.
Since it was last updated in 2018, a lot has changed in the world. We’ve witnessed a pandemic-fueled surge in digital transformation, the coming of age of AI, the rise of the metaverse, and datafication – all of which have amplified cybersecurity risks. Last year, global cyber-attacks increased by 38%. Ransomware alone hit 66% of organizations, compared to 37% in 2021.
In response, regulators have issued a slew of cybersecurity mandates: the SEC’s rules on cybersecurity risk management and incident disclosure, the EU’s proposed Cyber Resilience Act, the upcoming EU Digital Operational Resilience Act (DORA), and cybersecurity-related legislation in more than 150 countries worldwide.
All these events and changes nudged NIST to revisit, refresh, and update the CSF, which is exactly what the agency has done. In August 2023, NIST announced its biggest reforms yet to the CSF with the release of a public draft of CSF 2.0. The new framework is expected to address both current and future cybersecurity challenges, while also making it easier for organizations to put the CSF into practice.
The NIST Cybersecurity Framework 2.0 provides guidance to industry, government agencies, and other organizations to reduce cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. Over the past year, NIST has conducted workshops with thousands of stakeholders across countries to develop and refine the CSF 2.0. The final version is expected to be published in early 2024.
Here’s what has changed in the framework:
For years, organizations across industries have been using MetricStream’s CyberGRC suite of solutions to simplify compliance with the NIST CSF, as well as multiple other cybersecurity standards and regulations. With MetricStream, you can proactively identify, assess, and mitigate cybersecurity risks to achieve the outcomes of NIST CSF.
CyberGRC enables you to:
Want to know more about how MetricStream can help you strengthen NIST compliance?
The clock is ticking for publicly listed companies to comply with the rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the rules) recently adopted by the U.S. Securities and Exchange Commission (SEC). The rules, with compliance dates beginning in December 2023, are expected to improve transparency for investors, customers, and other stakeholders in matters related to a company’s cybersecurity risk management and governance processes.
One of the key requirements under the new rules is for public companies to report material cybersecurity incidents to the SEC within four business days of determining that the incident is material. However, what constitutes “material” is somewhat of a gray area.
Let’s take a closer look.
As per the final rules:
In the press release, the SEC relied on the definition set by judicial precedent, “Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the 'total mix' of information made available.”
Further, the SEC explained that companies should consider both qualitative and quantitative factors to determine the material impact of an incident. It explained:
“By way of illustration, incidents violating a company’s security policies or procedures, or affecting a company’s reputation, financial condition, operations or causing harm to a company’s customer or vendor relationships, or competitiveness may all be considered as examples of a material impact on the company. Similarly, the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities, may constitute a reasonably likely material impact on the registrant.”
While these are useful illustrations of material impact, they leave ample scope for subjective judgment on the part of organizations as to what constitutes “materiality”. The answer will also vary from organization to organization depending on factors such as the scale of operations, nature of the business, type of products, and the criticality of the information residing in its systems.
So, in the absence of a bright-line definition, CISOs, IT risk professionals, and other executives responsible for compliance with the rules are advised to document their materiality analysis, be transparent, and err on the side of disclosure.
The other aspect to consider is that the rules require organizations to make their materiality determinations “without unreasonable delay” – which, again, seems open to interpretation. The SEC explains:
“A company being unable to determine the full extent of an incident because of the nature of the incident or the company’s systems, or otherwise the need for continued investigation regarding the incident, should not delay the company from determining materiality. Similarly, if the materiality determination is to be made by a board committee, intentionally deferring the committee’s meeting on the materiality determination past the normal time it takes to convene its members would constitute unreasonable delay.”
To put things into perspective, the mean time to identify a breach in 2023 was 204 days, according to IBM’s Cost of a Data Breach Report 2023. The four-business-day clock starts at the materiality determination, not at discovery of the incident, so the overall timeline from detection to determination to SEC reporting could prove ambiguous in practice.
Nonetheless, the final rules are a great initiative in the right direction. Among other things, it will compel organizations to improve the maturity of their incident detection & response and overall cyber risk management and governance processes. We could see future revisions that offer more clarity and/or more requirements for companies to adhere to.
Join our upcoming webinar on September 13th, where we will analyze the SEC’s new cybersecurity rules and discuss key strategies and best practices to achieve compliance, along with domain experts:
In a previous blog, I delved into the key requirements that organizations need to meet and the strategies that can help them achieve this goal. Here’s a look at how MetricStream CyberGRC can help you achieve compliance:
Under the SEC rules, you need to | With MetricStream CyberGRC, you can |
---|---|
Report material cybersecurity incidents to the SEC within four business days of determining that the incident is material, unless the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety | Establish consistent procedures for documenting, analyzing, and remediating incidents through to closure; maintain a single source of truth for the incident lifecycle to support quick and accurate reporting |
Report annually on the processes for assessing, identifying, and managing material cybersecurity risks, including third-party risks, and on whether any cyber risks have had, or are reasonably likely to have, a material effect | Assess and manage IT and cyber risks in a standardized manner using industry frameworks such as ISO 27001 and NIST; generate comprehensive reports providing in-depth visibility into the overall security posture |
Report annually on the board’s oversight of cybersecurity risks, management’s role and expertise in assessing and managing material cybersecurity risks, and how the board or its subcommittee is informed about cyber risks | Leverage user-configurable reports with role-based, real-time views into relevant risk, threat, vulnerability, and control data that can be presented to the board and top management; record and maintain the expertise of members of the management team or cyber risk committee/subcommittee |
Disclose whether you engage third-party assessors, consultants, or auditors in connection with any cybersecurity processes | Document and maintain information on third parties mapped to relevant details such as IT assets, business units, products or services, contracts, spend, certifications, ongoing assessments, country, risk or compliance issues, and due diligence status; generate reports that provide insight into the risks, compliance, and performance of third-party vendors |
Describe whether and how cybersecurity processes have been integrated into the overall risk management system or processes | Implement an integrated GRC solution that provides real-time status monitoring and comprehensive reports, giving in-depth visibility into overall risk management systems and processes |
Learn more about how MetricStream can help achieve compliance with the SEC’s cybersecurity rules:
According to the X-Force Threat Intelligence Index 2023, the energy industry is the fourth most-targeted industry sector for cyber attacks. The Colonial Pipeline incident, two years on from the ransomware attack, remains a poignant example of the serious repercussions a cyber attack can have on critical infrastructure. The event underscored the impact of a cyber event on the energy supply chain: fuel shortages for consumers, substantial expenses for mitigation and recovery, and long-term damage to the reputation of the affected company.
With nearly every business decision in our world relying on the thousands of companies producing electricity, coal, oil, natural gas, nuclear power, and renewable energy from sources such as geothermal, hydropower, solar, and wind, cyber risk management is a top priority.
However, effectively managing and mitigating cyber risk and building cyber resilience can be challenging. Apart from dealing with a multi-threat environment with geographically dispersed targets, energy companies face several other cyber risk challenges unique to the industry.
The energy industry continues to be a prime target for cyber threats, ranging from nation-state actors seeking to cause economic dislocation to cybercriminals aiming for financial gain. These threats are further intensified by the industry's expansive attack surface, resulting from the geographic and organizational complexity and the increasing use of interconnected systems. Vulnerabilities exist across the entire value chain, from generation to transmission to distribution, and pose significant risks to operational technology (OT) infrastructure and third-party entities within the supply chain.
The energy industry's reliance on Internet of Things (IoT) technologies for operational efficiency creates unique interdependencies between physical and cyber infrastructure. Malicious actors can exploit these connections, leading to disruptive events with severe economic and physical consequences. For instance, cyberattacks on wireless smart meters, smart thermostats, or OT systems controlling critical assets can have devastating impacts on operations and supply.
Maintaining good internal cyber hygiene presents challenges for the energy industry. With multiple interconnected systems, tracking and managing all cyber risks becomes difficult. Additionally, a decentralized approach to cybersecurity leadership and third-party cyber risk sharing across various departments can lead to vulnerabilities. The industry also faces a shortage of qualified cybersecurity professionals, making it challenging to build a robust defense against cyber threats.
Energy companies often operate across diverse global industrial environments, each subject to different regulatory requirements and standards. Ensuring compliance while managing cyber risks demands dedicated resources and expertise to protect critical infrastructure effectively. Failure to comply with regulations can lead to severe legal and financial repercussions.
The energy industry's adoption of cloud services for flexibility and scalability has introduced new cyber risks. Cloud-based data breaches can result in the loss of consumer trust and reputational damage. Energy companies must ensure robust data security measures and stringent access controls to safeguard sensitive information stored in the cloud.
Safeguarding this crucial sector and the communities it serves necessitates proactive and comprehensive measures to address cyber risk effectively. A robust cyber risk program should leverage technologies such as AI and automation, which can process and analyze large amounts of data. Continuous Control Monitoring (CCM) is essential for the same reason: automated checks run all the time, so they identify and flag anomalies between the periodic reviews that humans can afford to perform.
With CyberGRC, your organization is empowered with:
To explore more about the challenges faced by the energy industry and how your organization can transition from a conventional approach to a connected cyber risk strategy, check out our eBook, which provides valuable insights and practical steps to fortify your organization against cyber threats in the energy landscape.
As a cybersecurity or IT risk professional, it would have been impossible to miss all the buzz around the cybersecurity rules for public companies. On July 26, the U.S. Securities and Exchange Commission (SEC) adopted the new rules, which will require companies to transform their cyber risk management and incident reporting processes.
The new rules do not come as a surprise, given the escalating number of cybersecurity incidents and the elevated levels of cyber risk that organizations face today. In addition, voluntary disclosures from companies have arguably fallen short of expectations, limiting the visibility that customers and investors have into these companies’ cyber risk postures. Inadequate and inconsistent responses to data and cyber breach incidents in recent years highlighted the absence of stringent regulatory mandates.
With the new rules, the SEC is standardizing the process of making disclosures about cybersecurity risk management procedures and practices by public companies, which will improve transparency and visibility for all stakeholders.
Gary Gensler, the current SEC Chair, explains, “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
In short, the rules will require public companies to:
For risk management, strategy, and governance disclosure requirements, companies will be required to provide the disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023, while compliance with incident disclosure requirements will commence from the later of either 90 days after the date of publication of the final rules in the Federal Register or December 18, 2023. The rules also apply to smaller reporting companies and foreign private issuers (FPIs) but with extended compliance timelines.
The rules will require a robust and proven cyber risk management program, significant changes in board and management involvement, revised governance structures, effective management of third-party risks, and more.
A key takeaway is that while the rules do not directly apply to private companies, by virtue of being part of the third-party ecosystem of public companies, the rules may in effect extend to them. Implementing a cyber governance, risk, and compliance program without factoring in the extended enterprise cannot be deemed effective or complete in today’s interconnected business environment.
Here are a few measures for you to start preparing:
Review and update cybersecurity and risk management programs, policies, and processes, including:
and whether it is integrated into the overall risk management system
Organizations can implement advanced and robust cyber GRC solutions, with capabilities for effective risk identification, assessment, and management, continuous control testing and monitoring, compliance management, incident reporting and response, graphical reports, and dashboards, to streamline their processes and achieve compliance with the new requirements.
There is a heightened regulatory focus on all things cyber today. The SEC rules are not the only cybersecurity and risk-related legislation that has been passed this year. Here are a few more:
Going forward, we expect to see more cyber resilience-focused regulatory initiatives not just in the U.S. but worldwide – and not just applicable to public companies but to organizations across all sectors and industries. Organizations, however, must not look at compliance as a checkbox exercise but as an enabler of business value and growth. Done right, organizations stand to benefit from the enhanced cybersecurity and compliance posture, streamlined processes, and improved efficiencies.
Request a personalized product demo to explore how MetricStream CyberGRC can streamline your cyber risk management program and revolutionize your compliance efforts.
Check out our other recent blogs featured in the 'Cyber Risk Series: The Power of Resilience' blog series.
Stay Prepared: Know 2023’s Top Cyber Risks
What are IT and Cyber Controls and How to Achieve Control Harmonization?
In the foreseeable future, the unavoidable trend is that IT and cyber risks will continue to rise in volume while growing in sophistication and complexity. There is no doubt about this, with the digital world advancing at an unprecedented pace. Today cyber risk is a top 10 risk according to the World Economic Forum, while the global average cost of a data breach has reached a record high of $4.4M, according to the Ponemon Institute. Additionally, the interconnectedness of global systems and the increasing interdependence of economies will amplify cyber risks further.
The solution lies in staying one step ahead by gaining a holistic view of your organization’s cyber risk posture, continuously adapting security strategies, and building cyber resilience—only possible with the right cyber risk product. Scroll down as we explore the key areas of cyber risk management, the criticality of a centralized platform, and how MetricStream’s CyberGRC Prime package can help.
The key areas generally considered to make up IT and cyber risk management are:
This includes potential threats and vulnerabilities that can impact the confidentiality, integrity, and availability of an organization's information technology systems. These risks can arise from internal factors such as inadequate IT infrastructure or lack of employee awareness or external factors like cyberattacks. Organizations must identify and manage these risks effectively to ensure the continuity of their operations and protect sensitive information.
A key area that ensures compliance with relevant IT regulations and standards. Compliance refers to adherence to legal, industry-specific, or internal requirements related to IT security and data privacy. Non-compliance can result in severe consequences, including financial penalties, reputational damage, and loss of customer trust. Therefore, organizations must establish robust IT compliance programs that include regular audits, risk assessments, and the implementation of controls to mitigate identified risks.
A vital area that plays an integral role in risk mitigation by establishing the rules, guidelines, and processes for threat detection, vulnerability assessment, and compliance with regulatory and framework requirements. Policies also keep internal activities running efficiently: defining user roles, governing social media engagement, onboarding and offboarding employees, vendors, and partners, and handling incident response and resolution. Policies, and more importantly adherence to them, go a long way toward keeping the organization on top of its risk posture.
Third and fourth-party risks have become an unavoidable and indispensable part of any organization’s IT ecosystem. From day-to-day applications to cloud storage, software development, or network management, these relationships introduce additional risks as the organization is dependent on the security practices and controls implemented by the third party. Failure to adequately assess and manage third-party risks can lead to data breaches, service disruptions, or non-compliance with regulatory requirements. Therefore, organizations must conduct thorough due diligence before engaging with third parties and establish proper oversight mechanisms to monitor their performance.
In today's world, all the above key areas of IT and cyber risk management are becoming increasingly complex and interconnected, and thus they need to be viewed together. It is, therefore, crucial for organizations to have a centralized platform to manage these risks effectively. By consolidating IT risks, IT compliance, and third-party risk on a single platform, businesses can streamline their risk management processes and reap numerous benefits such as:
Managing IT risks, IT compliance, and third-party risks on a single platform allows organizations to have a holistic view of their risk landscape. This comprehensive perspective enables businesses to identify potential vulnerabilities and threats within their IT infrastructure, ensuring that all areas of risk are adequately addressed. By having a centralized platform, companies can align their risk management efforts, improving overall efficiency and effectiveness.
Consolidating these different aspects of risk management helps organizations in achieving IT compliance. Compliance with various regulations and standards is essential to protect sensitive data and maintain customer trust. By having a single platform that incorporates all compliance requirements, businesses can easily monitor and track their adherence to industry regulations. This not only saves time and resources but also reduces the risk of non-compliance penalties and reputational damage.
With the increasing reliance on outsourcing and partnerships, organizations often share sensitive information with external parties. However, these third-party relationships can introduce significant cybersecurity risks. By centralizing third-party risk management on the same platform as IT risks and compliance, businesses can ensure that all potential vulnerabilities are identified and addressed. This proactive approach minimizes the chances of a cyber breach or data compromise through third-party channels.
Consolidating these risk management processes on a single platform enhances collaboration and communication within the organization. Different departments can easily access and share information related to IT risks, compliance requirements, and third-party risks. This improved visibility enables cross-functional teams to collaborate effectively and make informed decisions that align with the organization's overall risk management strategy.
While the numerous benefits are inherently apparent, the current challenge faced by organizations is the unavailability of integrated and consolidated platforms that can proactively manage all the key areas in IT and cyber risk. The market currently offers only single-solution products. High-quality and reliable products that can cater to the comprehensive needs of cyber risk leaders are still in a nascent stage.
This is where MetricStream's CyberGRC Prime Package comes in. CyberGRC Prime Package is a pre-packaged, integrated SaaS solution designed to streamline and enhance your IT and cyber risk and compliance program. You gain:
One of the most significant advantages of the CyberGRC Prime package is its comprehensive and integrated approach to cyber risk management and compliance. With four built-in modules covering Risk Management, Compliance Management, Policy Management, and Third-Party Risk Management, the package provides a holistic view of an organization's risk landscape. Some specific benefits include:
In turn, this integration allows companies to break down silos and create a unified risk and compliance framework. Teams can collaborate seamlessly across functions, sharing information and insights that lead to better risk mitigation strategies and streamlined compliance efforts.
When it comes to adopting new software solutions, time is of the essence. The pre-packaged nature of the CyberGRC Prime package enables deployment in a matter of weeks rather than months, allowing your organization to get its risk and compliance programs up and running quickly and realize rapid time-to-value. In practical terms, this translates into immediate risk visibility and actionable insights. Your organization can identify vulnerabilities and potential threats promptly, enabling faster responses to emerging risks and incidents. This agility is crucial in today’s fast-paced cyber threat landscape.
It is important to determine the total cost of ownership of any solution. The CyberGRC Prime package makes this possible with fixed costs for the duration of the term with no hidden costs or surprise price escalations, which provides management with clear and unambiguous visibility into investment requirements and returns on such investments.
By leveraging the CyberGRC Prime package, your organization is empowered to confidently navigate the complex landscape of cyber risks and regulatory requirements, safeguarding your operations and reputation in an increasingly digital world.
So why wait any further?
Learn more: Download our CyberGRC Prime package product overview.
Today, everything is digitally connected and moving fast – and so are risks. Organizations today are exposed to multi-dimensional, high-velocity, high-impact, and interconnected risks – from cyber to compliance to environmental.
At the same time, regulations, security, and compliance requirements are rapidly escalating and becoming increasingly complex. You need speed, agility, and accuracy to not just navigate but succeed in today’s hyper-digitized business environment. But how?
Automation, Autonomy, Analytics – these are the three A’s that will shape future companies and business models, and help them advance on the governance, risk, and compliance (GRC) maturity curve, as well as prevent escalating cyber security risks. Let’s take a closer look.
One might say that automated workflows and processes are a given today. But you would be surprised by the number of organizations that are still highly dependent on manual efforts, spreadsheets, and siloed operations – from managing risks and compliance requirements to cash management, to project management, to recovery planning, and more. Automation is on every company’s strategic agenda, but it’s a long road ahead.
Adopting technology solutions and software tools can significantly accelerate various processes and minimize human effort. For GRC professionals, chief risk officers, and CISOs, automation frees time for analysis of risk and compliance data, risk prevention, and robust GRC strategic planning, rather than mundane, repetitive tasks such as conducting risk and control assessments, capturing regulatory alerts, and sending alerts or notifications to relevant users.
That said, automation alone is not enough.
Organizations need to move away from siloed and disjointed processes to integrated, connected approaches. Integration and connection help to eliminate redundancies, get the right information to the right person at the right time, and reduce cost, effort, and workload. Only then can an organization truly realize the benefits of automation.
Finally: pivoting towards automation is not easy. Success depends on a number of factors – backing from the C-suite and top management, budget and financial resources, and, above all, enterprise-wide culture change and acceptance.
It wouldn’t be an exaggeration to say that autonomous business processes are the future. While automation means using tools and technology to reduce human effort, it still depends on some human involvement for monitoring and supervising the processes.
Autonomous processes are those that can function without any human intervention – they are always on and running continuously in the background. Automation could be regarded as the first step toward becoming autonomous.
Autonomous processes and business models will be critical to keeping up with the ever-evolving risk and regulatory landscape going forward. It is next to impossible for any organization to continuously identify threats and vulnerabilities, test and monitor controls, etc. with a manual approach.
Usually, one establishes a cadence for performing such activities – quarterly, half-yearly, annually – mainly due to the cost and the effort involved. However, this periodic approach fails to provide real-time insights and results in a reactive approach to GRC and cyber risk management.
By ensuring continuous and complete testing and monitoring, autonomous processes help eliminate blind spots. They’re working even when you aren’t, flagging your team to risks so you can remediate them before they become full-blown issues. Timely insights improve agility in decision-making required to stay ahead of the game.
Continuous control monitoring (CCM) is part of the MetricStream strategy of having machines rather than humans perform repetitive testing, giving organizations autonomous capabilities. CCM detects more deviations, more often, than manual testing, which samples controls infrequently and lets risks and potential compliance failures slip through the cracks. With CCM, you can proactively identify risks, improve your cybersecurity and compliance posture, reduce audit costs, and support rapid remediation while increasing efficiency, visibility, accuracy, and scalability.
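As an added illustration (example code written for this page, not MetricStream’s CCM implementation or any framework’s real control catalogue), the script below evaluates three hypothetical controls against constructed daily evidence for one quarter, once continuously and once as a quarterly test. The control IDs (AC-1, CM-1, LG-1), the evidence fields, and the drift windows are all assumptions chosen to show what a point-in-time test misses.

```python
"""Continuous control monitoring (CCM) versus periodic testing over the same evidence.

Added example: the controls, evidence fields, and drift windows below are constructed
for illustration and are not MetricStream's or any framework's real control definitions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Control:
    """A control with a machine-checkable pass/fail rule over one evidence snapshot."""
    control_id: str
    description: str
    check: Callable[[dict], bool]  # returns True when the evidence satisfies the control


# Hypothetical control catalogue (IDs and rules are assumptions for this example).
CONTROLS: List[Control] = [
    Control("AC-1", "every admin account has MFA enforced",
            lambda ev: all(acct["mfa"] for acct in ev["admins"])),
    Control("CM-1", "no critical patch outstanding for more than 14 days",
            lambda ev: ev["oldest_critical_patch_age_days"] <= 14),
    Control("LG-1", "all hosts forward logs to the central collector",
            lambda ev: ev["hosts_forwarding_logs"] == ev["hosts_total"]),
]


def build_snapshots(start: date, days: int = 91) -> List[dict]:
    """Constructed daily evidence for a 91-day quarter with three deliberate control drifts:
    a service account loses MFA for days 10-12, the patch SLA is breached on days 40-60,
    and one host stops forwarding logs from day 85 onward."""
    snapshots = []
    for i in range(days):
        admins = [
            {"name": "alice", "mfa": True},
            {"name": "svc-backup", "mfa": not 10 <= i <= 12},
        ]
        patch_age = 3 if not 40 <= i <= 60 else 15 + (i - 40)  # > 14 days for three weeks
        forwarding = 19 if i >= 85 else 20                      # one host drops off
        snapshots.append({
            "date": start + timedelta(days=i),
            "admins": admins,
            "oldest_critical_patch_age_days": patch_age,
            "hosts_total": 20,
            "hosts_forwarding_logs": forwarding,
        })
    return snapshots


def deviations(controls: List[Control], snapshots: List[dict],
               sample_every: Optional[int] = None) -> Dict[str, List[date]]:
    """Return, per control, the dates on which the evidence failed the check.

    sample_every=None evaluates every snapshot (continuous monitoring);
    sample_every=90 evaluates only days 0, 90, ... (a quarterly manual test)."""
    found: Dict[str, List[date]] = {c.control_id: [] for c in controls}
    for i, ev in enumerate(snapshots):
        if sample_every is not None and i % sample_every != 0:
            continue  # outside the periodic sample, nobody looks at this evidence
        for control in controls:
            if not control.check(ev):
                found[control.control_id].append(ev["date"])
    return found


def deviation_days(controls: List[Control], snapshots: List[dict],
                   sample_every: Optional[int] = None) -> Dict[str, int]:
    """Number of deviation days detected per control under the given testing cadence."""
    return {cid: len(ds) for cid, ds in deviations(controls, snapshots, sample_every).items()}


def compare_quarter(start: date = date(2024, 1, 1)) -> Dict[str, Dict[str, int]]:
    """Side-by-side detection counts for continuous versus quarterly testing."""
    snaps = build_snapshots(start)
    return {
        "continuous": deviation_days(CONTROLS, snaps),
        "quarterly": deviation_days(CONTROLS, snaps, sample_every=90),
    }


if __name__ == "__main__":
    for cadence, counts in compare_quarter().items():
        print(f"{cadence:>10}: {counts}")
```

With the constructed evidence, continuous evaluation records every day each control was out of compliance (3, 21 and 6 days respectively), whereas the quarterly test sees only the log-forwarding gap that happens to persist on the sampling day and misses the MFA lapse and the patch SLA breach entirely. In a real deployment the evidence would come from identity, patch-management and logging APIs rather than a constructed list, but the evaluation loop is the same.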
Read More: Improve Your Cyber Risk Posture and Compliance with Continuous Control Monitoring from MetricStream
Harnessing the power of data is critical to bring accuracy to decision-making. Data powers modern business. However, data alone cannot add business value. By leveraging analytics, AI, and statistical tools, organizations can transform raw data into actionable insights to make better-informed decisions.
First, though, organizations need to ensure data integrity and structure. In our conversations with companies across industries, we often hear that a lack of a single view of risks is a key challenge. Different business units use their own risk languages and definitions. This results in unstructured data that is difficult to consolidate and analyze. Establishing a common taxonomy is crucial for analytics and next-gen technologies, such as AI, to turn data into insight.
Automation, autonomy, and analytics are central to MetricStream’s product vision with many capabilities in today’s products and many more to come. Artificial intelligence (AI), Natural Language Processing (NLP), a simulation engine, and API technology are all core capabilities of the MetricStream Platform:
Read More: A Comprehensive Guide to Cyber Risk Quantification
What does the future hold? Nothing is certain, but it’s clear that you will continue to see more autonomy: automated risk rankings with no humans required, automatic connections of risks to controls and to standards and regulations, and much more. Stay tuned!
How can MetricStream help you today? Let us show you how we can help you manage your GRC and cyber risk needs – automatically, autonomously, and with powerful analytics. Reach out today for a demo.
Today’s boards don’t need to be convinced that cyber risk management is important. 88% of boards of directors view cybersecurity as a business risk, according to the 2021 Gartner Board of Directors Survey. Over half (51%) of board members surveyed by PwC cite cyber-attacks as a serious risk (and another 35% as a moderate risk) – more than any other category. Also, 68% of directors told MIT Sloan researchers that their board discusses cybersecurity regularly or constantly.
Despite this, only 33% of directors say they think their board understands the company’s cybersecurity vulnerabilities very well. What’s more, boards are often out of sync with their CISOs. Sixty-five percent of board members surveyed by Proofpoint and MIT Sloan believe that their organization is at risk of a material cyber-attack in the next 12 months, compared to 48% of CISOs.
Clearly, there is room for improvement in aligning board members with your cyber risk strategy. Here are four tips that you, as a cyber risk or security leader, can use to communicate cyber risks to your board in a way that gets them in sync with your vision, helps them understand what’s at stake, and drives them to bolster your organization’s cyber defenses.
While today’s boards are much more cyber-savvy, it’s still important to convey risks in a language that everyone understands. Keep your presentation simple, minimizing technical speak. Focus instead on the business metrics and impacts that matter most to the board.
For example, instead of presenting a list of vulnerabilities and threats, you might want to talk about how these issues will impact the organization’s revenue, reputation, and strategy.
Map out the attack surface, so the board can clearly visualize which threats are most critical, which pathways they can take through the organization, and which assets are most at risk. Support your case with real-world breach stories and the losses faced by peers in your industry.
Also, remind your board that cyber risk management is about more than securing data. With increasing digitization, more processes are going online, more operations are being managed remotely, and more systems are being connected. So, a threat anywhere along this chain can have a devastating snowball effect. The more clearly boards understand this, the faster they can act.
Words don’t always make a compelling cyber case – but numbers do, especially financial numbers. If you want your board to invest more in cyber risk management, find a way to quantify the monetary impact of risks. Saying that a ransomware attack could be “fairly severe and fairly likely to occur” is far less impactful than saying that a ransomware attack could cost the organization $1 million with a 60% chance of that loss occurring.
Cyber risk quantification makes it easier to answer the board’s questions on how much to invest in cybersecurity, what the return on that investment will be, and which risks to focus on first. It also lets companies measure how much risk reduction they have achieved over time.
There are plenty of tools and frameworks to assist with cyber risk quantification. The Factor Analysis of Information Risk (FAIR™) model decomposes risk into the frequency of loss events and the magnitude of each loss, so that exposure can be expressed as a dollar value at risk. A Monte Carlo analysis samples those inputs thousands of times to produce a distribution of annual losses, from which you can read the expected loss, the worst-case percentiles and the probability of exceeding any given amount for each scenario.
And of course – a picture is always worth a thousand words. Express your numbers in visuals and graphs for maximum understanding and impact.
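The following is an added example, not MetricStream code, of the Monte Carlo approach described above: each scenario is given an annual probability of occurring and a triangular (minimum, most likely, maximum) loss magnitude, in the spirit of FAIR’s frequency-times-magnitude decomposition, and the simulation turns “60% chance of a roughly $1M loss” into the numbers a board slide needs. The scenario figures are constructed for illustration, and the model assumes at most one occurrence per scenario per year.

```python
"""Monte Carlo cyber risk quantification.

Added example (not MetricStream code): turns estimates of the form "a
ransomware event has a 60% chance of happening this year and would cost
between $0.5M and $3M, most likely $1M" into an annual loss distribution.
Scenario figures below are constructed for illustration, not real data.
"""
import random
from bisect import bisect_right
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Scenario:
    """One FAIR-style loss scenario: how likely it is and how bad it would be.

    annual_probability: chance the event occurs in a given year. Simplifying
        assumption: at most one occurrence per scenario per year.
    loss_min / loss_mode / loss_max: triangular distribution (minimum, most
        likely, maximum) for the loss magnitude of one event, in dollars.
    """
    name: str
    annual_probability: float
    loss_min: float
    loss_mode: float
    loss_max: float

    def sample_year(self, rng: random.Random) -> float:
        """Loss from this scenario in one simulated year (0 if it does not occur)."""
        if rng.random() >= self.annual_probability:
            return 0.0
        return rng.triangular(self.loss_min, self.loss_max, self.loss_mode)


def simulate(scenarios: Sequence[Scenario], years: int = 20_000, seed: int = 1) -> List[float]:
    """Simulate `years` independent years and return the sorted total loss per year."""
    rng = random.Random(seed)  # fixed seed so a board pack is reproducible
    totals = [sum(s.sample_year(rng) for s in scenarios) for _ in range(years)]
    totals.sort()
    return totals


def percentile(sorted_losses: Sequence[float], q: float) -> float:
    """q-th quantile (0 <= q <= 1) of an already sorted sample."""
    return sorted_losses[min(len(sorted_losses) - 1, int(q * len(sorted_losses)))]


def exceedance_probability(sorted_losses: Sequence[float], threshold: float) -> float:
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return 1.0 - bisect_right(sorted_losses, threshold) / len(sorted_losses)


def summarize(sorted_losses: Sequence[float]) -> Dict[str, float]:
    """The numbers a board slide needs: expected loss, tail percentiles, P(any loss)."""
    n = len(sorted_losses)
    return {
        "expected_annual_loss": sum(sorted_losses) / n,
        "p_any_loss": sum(1 for x in sorted_losses if x > 0) / n,
        "p50": percentile(sorted_losses, 0.50),
        "p90": percentile(sorted_losses, 0.90),
        "p95": percentile(sorted_losses, 0.95),
        "p99": percentile(sorted_losses, 0.99),
    }


# Constructed scenarios (illustrative figures only).
SCENARIOS = [
    Scenario("ransomware", 0.60, 500_000, 1_000_000, 3_000_000),
    Scenario("third-party data breach", 0.25, 200_000, 800_000, 5_000_000),
]

if __name__ == "__main__":
    losses = simulate(SCENARIOS, seed=7)
    summary = summarize(losses)
    print(f"expected annual loss: ${summary['expected_annual_loss']:,.0f}")
    print(f"chance of any loss:   {summary['p_any_loss']:.1%}")
    for key in ("p50", "p90", "p95", "p99"):
        print(f"{key}: ${summary[key]:,.0f}")
    for threshold in (1_000_000, 2_000_000, 5_000_000):
        print(f"P(loss > ${threshold / 1e6:.0f}M) = {exceedance_probability(losses, threshold):.1%}")
```

The expected annual loss is the figure most boards anchor on, but the p90/p99 values and the exceedance curve are what justify the size of a cyber insurance policy or a remediation budget; re-running the simulation with a lower annual probability (after a control is deployed) gives the risk reduction in dollars.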
Boardroom conversations around cyber risk management often revolve around technology-based defenses and controls – be it firewalls, encryption software, packet sniffers, or vulnerability scanners. While these tools are essential, they’re just one part of the cybersecurity program. CISOs also need to be talking to boards about:
The idea is to create multiple layers of protection, each supporting the other, and together providing a solid defense against cyber threats.
The sheer number of IT vendors that we as organizations depend on for cloud services, data back-up, remote IT support, and more makes it essential to have a robust third party and IT vendor risk management program. Ensure that your board understands why. Showcase the impact of IT vendor risks in relation to enterprise risks.
Consider creating a centralized map of IT vendors, the business units they serve, where they operate, associated regulations, controls, etc. – so that the board has a clearer picture of the IT vendor risk universe and where to allocate resources for optimal impact.
Also, be prepared to answer targeted questions from the board, such as: How do you monitor fourth-party cyber risks? Do you conduct due diligence only at the beginning of the vendor relationship or at regular intervals? And how do you offboard IT vendors to ensure that they no longer have access to sensitive data?
MetricStream CyberGRC gives you and your board comprehensive visibility into IT and cyber risks, assets, processes, and controls. Using our cyber risk quantification capabilities, you can swiftly measure the dollar impact of cyber risks to help your board prioritize their cyber investments more efficiently.
You also get powerful capabilities to assess cyber risks and controls, monitor the threat landscape, manage cyber compliance and policies, and keep IT vendor risks in check – all of which goes a long way towards strengthening the board’s confidence in your cyber risk management program.
Check out more resources on managing cyber risk:
eBook: CyberGRC Buyer’s Guide
Infographic: 7 Urgent Cyber GRC Challenges to Prepare for Now
Case Study: U.S. Telco Giant Makes Cybersecurity Decisions 60% Faster by Quantifying the Dollar Impact of Cyber Risks
Request a demo now!
As a cyber risk leader, effectively managing and mitigating cyber risk is a critical priority due to the potential impact it can have on your organization's operations, reputation, and financial health. With the increasing sophistication of cyber threats and attacks, the cost and frequency of data breaches are on the rise. The World Economic Forum’s Global Risks Report 2023 highlighted ‘widespread cybercrime and cyber insecurity’ as a top global risk.
We understand the many challenges you face in developing and implementing an effective cybersecurity strategy for your organization. They say that a picture is worth a thousand words… so in the spirit of that age-old wisdom, we present three infographics to help you better understand and manage cyber risk.
Scroll down to discover valuable insights and actionable recommendations to help you stay ahead of the cyber risk curve!
In today’s interconnected digital landscape, thanks to increasing global connectivity, new hybrid work models, the adoption of cloud services, the evolution of technology, and a myriad of other factors, cybersecurity risk is more relevant than ever before. But among the many cyber challenges, what are the most important and urgent ones that need to be on your radar? Check out the 7 most urgent cyber GRC challenges and what steps you can take to stay prepared.
Cybersecurity standards and frameworks are the essential starting point in managing cyber risks and building cyber resilience. They provide a systematic approach to identifying and prioritizing risks. This helps organizations to focus their resources on the most critical areas of risk and develop a mitigation strategy. It also helps demonstrate compliance with regulatory requirements and industry standards and provides a common language to communicate cyber risk effectively with stakeholders, including executive management, customers, partners, and regulators. Take a look below at the essential cyber frameworks:
The elastic nature of cloud infrastructure, while bringing advantages like speed and efficiency and accelerating innovation, increases the complexity of your IT footprint, which in turn complicates the effective management of cyber risk. This is where continuous control monitoring (CCM) comes into play. By enabling an organization to continuously monitor its cloud systems for cyber threats or non-compliance issues in an automated manner, CCM identifies potential problems and threats in real time so that they can be addressed as soon as possible. Discover more in the infographic.
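As an added example, not MetricStream product code, the following sketch shows the mechanics behind CCM as described both in the continuous control monitoring section earlier on this page and in the paragraph above: a set of automated control checks is run against every configuration snapshot of a cloud estate, and successive runs are diffed so that new deviations and resolved ones surface as they happen rather than at the next audit. The control identifiers (STOR-01, IAM-01 and so on), the asset record format and the two snapshots are constructed for illustration.

```python
"""Continuous control monitoring (CCM) in miniature.

Added example, not MetricStream product code: a set of automated control
checks is run against every configuration snapshot of a cloud estate, and
successive runs are diffed so that new deviations and resolved ones are
reported as they happen rather than at the next audit. Control IDs, asset
records and snapshots are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Asset = Dict[str, object]
Finding = Tuple[str, str]  # (control_id, asset_id)


@dataclass(frozen=True)
class Control:
    control_id: str          # hypothetical internal control identifier
    description: str
    asset_type: str          # which asset records the control applies to
    passes: Callable[[Asset], bool]


def _no_public_ssh(asset: Asset) -> bool:
    """Fail if any ingress rule opens port 22 to the whole internet."""
    rules = asset.get("ingress", [])
    return not any(r["port"] == 22 and r["cidr"] == "0.0.0.0/0" for r in rules)


CONTROLS: List[Control] = [
    Control("STOR-01", "Object storage must not allow public read", "bucket",
            lambda a: not a.get("public_read", False)),
    Control("STOR-02", "Object storage must be encrypted at rest", "bucket",
            lambda a: bool(a.get("encrypted", False))),
    Control("IAM-01", "Identities must have MFA enforced", "user",
            lambda a: bool(a.get("mfa", False))),
    Control("IAM-02", "Access keys must be rotated within 90 days", "user",
            lambda a: a.get("key_age_days", 0) <= 90),
    Control("NET-01", "Security groups must not expose SSH to the internet",
            "security_group", _no_public_ssh),
]


def evaluate(snapshot: List[Asset], controls: List[Control] = CONTROLS) -> Set[Finding]:
    """Test every applicable control against every asset; return the failures."""
    return {
        (c.control_id, str(asset["id"]))
        for asset in snapshot
        for c in controls
        if c.asset_type == asset["type"] and not c.passes(asset)
    }


def drift(previous: Set[Finding], current: Set[Finding]) -> Dict[str, Set[Finding]]:
    """What changed between two monitoring runs: new, resolved and persisting failures."""
    return {
        "new": current - previous,
        "resolved": previous - current,
        "persisting": current & previous,
    }


# Constructed snapshots: the estate at t0 and after a remediation cycle at t1.
SNAPSHOT_T0: List[Asset] = [
    {"type": "bucket", "id": "logs", "public_read": True, "encrypted": False},
    {"type": "user", "id": "alice", "mfa": True, "key_age_days": 10},
    {"type": "user", "id": "svc-deploy", "mfa": False, "key_age_days": 120},
    {"type": "security_group", "id": "web",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
]
SNAPSHOT_T1: List[Asset] = [
    {"type": "bucket", "id": "logs", "public_read": False, "encrypted": True},
    {"type": "user", "id": "alice", "mfa": True, "key_age_days": 10},
    {"type": "user", "id": "svc-deploy", "mfa": True, "key_age_days": 120},
    {"type": "security_group", "id": "web",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "id": "bastion",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
]


if __name__ == "__main__":
    before, after = evaluate(SNAPSHOT_T0), evaluate(SNAPSHOT_T1)
    for label, findings in drift(before, after).items():
        for control_id, asset_id in sorted(findings):
            print(f"{label:>10}: {control_id} on {asset_id}")
```

In a real deployment the snapshots would come from the cloud provider’s configuration inventory on a schedule or on change events, each control would carry its mapping to the framework requirement it satisfies, and the “new” set would feed a ticketing queue; the point of diffing runs is that a control regression (here, a bastion host opened to the internet between t0 and t1) is caught on the next run, not at the next sample-based audit.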
To build cyber resiliency and plan an effective cyber risk management strategy, it's important to stay informed about the latest cyber risk trends. Our infographic on the top Cyber Risk Trends for 2023 helps you do just that. Check it out!
Enjoyed exploring the infographics? Check out more recent cyber risk and compliance resources to help you stay ahead of the cyber risk curve. Need help with your cyber risk programs? Request a demo now!
eBook: Towards a Secure Cloud: Top 6 Strategic Priorities for Cyber Risk Leaders
Analyst Report: Ten Cyber and IT Risk Fundamentals You Must Get Right By Gartner Analyst(s): Claude Mandy and Jie Zhang
Case Study: U.S. Telco Giant Makes Cybersecurity Decisions 60% Faster by Quantifying the Dollar Impact of Cyber Risks
I woke up the day before our recent New York City Roundtable event for CISOs, cyber risk professionals and enterprise risk leaders to some exciting headlines: “First Major Snowstorm of the Season Hits the City Tomorrow!”
Of course! It wouldn’t be a cyber and risk event without some last-minute drama!
Luckily, the snow turned out to be a ferocious 1 inch and more than 30 risk leaders braved the cold to make it to the Marriott Marquis, a classic New York city landmark hotel in the center of Times Square. As the cold air blew, the just-right size group settled in for a 3-hour meeting with their peers on how to modernize, optimize and connect their risk strategies in today’s volatile world.
We heard speakers from AWS, Capco, Sumitomo Mitsui Bank, Thomson Reuters, of course MetricStream, and many more, in discussions ranging from best practices for integrating GRC programs to automating compliance in the cloud to how business continuity and resilience must come together. The day ended with networking and hors d’oeuvres and it was terrific to see how many people stayed to chat and interact.
I had the privilege of moderating and being able to chat with most attendees. What an honor! Here are just a few things I learned during the day (besides that “big snow” also means “bring an umbrella”):
One of the most active panels was on cyber and enterprise resilience. Two panelists were from Jefferies Group, an investment bank, one a CISO and one on the business side of IT. They had a terrific back and forth on why it’s so important for the business and IT to stay interlocked on resilience and recovery, including many quotable thoughts like:
We also discussed the criticality of resilience in today’s post-modern economy – hyper digital, always on, always unexpected.
“I don’t like the term ‘new normal,’” one of the panelists said. “It’s not the new normal. Business unusual is now the usual.”
I was struck by that sentiment. Today, the unusual really has become standard. At this meeting, Silicon Valley Bank hadn’t yet failed, Credit Suisse hadn’t been taken over, and who knows what will have happened by the time this is published. But in any case, the nugget of wisdom was the same: Anything can happen at any time. We must all collaborate and be prepared.
Static business continuity plans were yesterday’s normal. Of course, business continuity plans are still the foundation for business unusual, but agility and resilience – business and tech working closely together – connected risk: Those are today’s watchwords. Simple but brilliant!
Another key theme that came up was the idea of inevitability of cyber attacks and incidents.
More than 422 million individuals were affected by data breaches in 2022, according to Statista. The average data breach costs $4.4M, the highest in 17 years, according to the Ponemon Institute. ChatGPT, Chick-Fil-A, Google, and T-Mobile are among the high-profile brands who’ve experienced breaches so far in 2023, and that’s not even looking at items like ransomware.
“It’s not if, it’s when it happens,” said a panelist, and I saw lots of nodding heads. The mindset of cyber risk management has moved from complete prevention (although of course that remains the goal) to anticipatory preparation and resilience, especially when it comes to emerging risks.
One example is generative AI. While innovations like ChatGPT have captured the collective imagination with their uncanny ability to seemingly “know” almost everything, they also pose great cyber risks.
ChatGPT can create credible phishing emails to accelerate spoofing, already a top cause of cyber crime. So-called “deep fakes,” images created by AI, could create convincing news stories (although AI reportedly still can’t duplicate hands and fingers well – it’s been focused on faces.) Policies and contracts can be spoofed. The list goes on…
The obvious point is that whatever technologies are developed to protect from risk are also available to, and are being used by hackers and threat actors.
“It’s not if, it’s when” does not mean bowing to the inevitable. It’s being prepared and resilient, and always a step ahead to recover and bounce back.
In fact, the theme of resilience was a clear overlay to the day – and attendees and panelists were not talking about operational resilience products. They were discussing resilience as a mindset. As the Japanese proverb says, “fall down seven times, get up eight.” In today’s times, resilience is our only option.
In addition to resilience and cyber risk, modern compliance – and particularly, automation -- was a major topic of discussion.
Our expert from AWS talked about compliance in the cloud and what it requires to be secure: implementing processes that are automated, continuous, and aligned across the business and IT. (Sounds familiar to the themes above!) Testing samples for compliance or manually testing at sporadic intervals can’t protect you when risk changes so fast.
In particular, the idea of continuous monitoring is essential when we face more than 200 regulatory changes a day, according to our outstanding speaker from Thomson Reuters, Todd Ehret.
One regulatory change that’s of special interest in cyber risk is the proposed updates to the SEC cyber security rules. They will amplify the need for strong, solid cyber risk management, including the disclosure of cybersecurity governance capabilities, the periodic review and updating of cyber risk management programs, and the evaluation of the organization’s current cybersecurity reporting structure.
Speaking of the cloud, several audience members had excellent observations – namely, that just because most of us are moving to the cloud doesn’t mean the cloud guarantees security or resilience. Of course, it’s better than tons of outdated legacy systems.
But the cloud is still a server at heart and its digital nature opens up new attack surfaces. Even with the rigorous security standards offered by commercial cloud providers, there’s no resting. Constant monitoring, control testing, and vigilance are more essential than ever.
We dive deeper into this topic in our new eBook on securing the cloud.
Finally, in addition to the key advice to be vigilant, monitor and stay resilient – all perhaps obvious but so critically important – another theme rose above the rest: We must stay connected across the business and even the industry to defend against cyber risk. Topics like new technologies, exotic breaches, and future trends capture the imagination, but the basic block and tackle of connect, collaborate, and communicate somehow manage to surface in every discussion of tackling risk and staying resilient.
To throw in another saying, this time an African proverb: “Alone we go fast. Together we go far.” Managing cyber risk obviously takes speed and agility, but resilience is a long game.
Thank you for bearing with my sayings and cliches, and most of all thank you to all the terrific speakers and attendees. We look forward to our next roundtable, and as always, if we can help you manage your cyber risk or any governance, risk, and compliance needs, please reach out to us at info@metricstream.com. You could also request a personalized demo.
Register for our upcoming webinar: Cyber Regulations Review: Managing Cyber Risk with the Proposed Cyber SEC Rules and Biden Executive Cyber Orders
For over a decade the MetricStream’s GRC Summit has brought together thousands of GRC professionals from various industries, providing opportunities to learn, connect, and succeed. Registrations are open for the 2023 GRC Summit to be held on June 14 and 15 at the Hyatt Regency in Miami, US. Register now!
As a cyber security or IT risk professional, it would have been impossible to miss the buzz around the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” draft rules (Rules) issued by the US Securities and Exchange Commission (SEC) early last year. Since then there has been continuous commentary, analysis and even checklists on the proposed rules, and more recently the SEC has announced further amendments to them.
The Rules, which will apply to all public/listed companies, are likely to be brought into force in April 2023. It appears that the SEC is no longer satisfied with voluntary disclosures or unsatisfactory adherence to its earlier guidelines on the topic and is now serious about having public companies disclose their approach to cybersecurity risk, strategy and governance. This should not come as a surprise in light of the growing number of attacks on some of the largest companies in the world (listed in the USA and subject to SEC regulation) and the “inadequate and inappropriate responses” of some of them, such as Uber and Equifax, both of which adversely affected customers and investors.
However, the main concern, is best expressed by Gary Gensler, the current SEC Chair: “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies' cybersecurity practices and incident reporting”.
Paraphrased, the SEC intends to provide investors with more visibility into the cyber risk posture of companies to enable them to make more informed decisions about their investments.
In short, the Rules propose two fundamental changes in the way public companies should manage cyber security and IT risks:
The specific requirements of the Rules, to be complied with by public companies, are as follows:
It may be inferred from the Rules and the requirements above that the SEC is pushing its regulated companies towards cyber resilience rather than simply an improved cyber security and risk posture. Currently, however, some of the requirements are open to interpretation (such as the threshold for a material cybersecurity incident, the four-day time limit for disclosure, and whether a board committee on cyber risk and governance is sufficient); these will be clarified either in the final rules or through court rulings.
Another takeaway is that while the Rules don’t extend to private companies, by virtue of being part of the third-party ecosystem of public companies, the Rules may in effect extend to them vicariously. Today it is impossible to implement a comprehensive cyber security, risk and governance program without including the extended third-party ecosystem.
What is undeniable though, is that the Rules will require significant changes in board and management involvement, additional cybersecurity expertise on boards, revised governance structures and upgrades to processes in place. While the final rules are likely to be released in April 2023, here are a few ways companies can start preparing:
It is also important to note that the SEC Rules are not the only cyber security and risk legislation being passed this year. Here are a few more:
With the increasing number of cyber regulations and the likelihood that the legislation will be applicable to all, not just public companies, organizations are quickly realizing that they must amp up their resources and budgets to effectively manage the influx of regulations and build cyber resilience. This will include expanding budgets to include investing in technologies to gain visibility into the organization’s cyber risk posture, hiring additional staff, and implementing stronger security measures such as automated monitoring of controls to protect against cyber threats.
Need help getting your programs in shape? Please contact MetricStream for help at info@metricstream.com
Check out our other recent blogs featured in the 'Cyber Risk Series: The Power of Resilience' blog series.
Stay Prepared: Know 2023’s Top Cyber Risks
AWS Security Lake and OCSF: A Cyber Risk Perspective
What are IT and Cyber Controls and How to Achieve Control Harmonization?