Complying with the slew of new regulations that are coming means companies must act fast to up their game to overcome cybersecurity regulation hurdles, a webinar panel heard
Boards grappling with a wave of new rules regulating cybersecurity should remember that these rules apply to “material” processes, not all systems.
The warning comes in a new webinar from Board Agenda in association with Diligent, in which experts dissect the preparations needed to cope with cybersecurity measures issued by rule makers and regulators worldwide.
Martin Tyley, a partner at KPMG and the firm’s global lead on cyber risk insights, spoke on the difficulties boards and their organisations face when attempting to comply with new rules.
He says regulators are primarily focused on how organisations defend the critical parts of their IT infrastructure.
“What that means,” said Tyley, “is you don’t have to have everything at the same level; you’re not trying to fix everything simultaneously.”
Critical importance
Critical systems may differ from company to company. One organisation may rely on intellectual property, while another needs to keep a factory running. The controls and protections for such diverse business aspects may differ.
Companies are facing a slew of recently launched cybersecurity demands. EU member states have until October this year to implement the Network and Information Security Directive (NIS), which expands mandatory reporting of cybersecurity breaches to more companies and sectors, clarifies risk management obligations, and asks large companies to assess the cybersecurity risk in their supply chains.
Both the first and second iterations of NIS are under consideration by the U.K and show the movement towards similar regulations in other regions like South Africa.
Last year, Securities and Exchange Commission (SEC) regulators introduced similar reporting responsibilities for U.S. companies. These included asking for disclosure on whether cybersecurity would be a board committee responsibility or handed to a lead individual.
Supply chain vulnerability
Supply chain issues figured heavily in the webinar panel discussion.
“The bad actors have realised that large entities are beefing things up…So, the targets now have become the supply chain,” said Dale Waterman, Solution Designer and a compliance and governance expert at Diligent.
However, panellists agreed that human behaviour is the key element in cybersecurity and requires smart management. Christiane Wuillamie, chief executive and co-founder of the advisory firm Pyxis Culture Technologies, says organisations need the right “culture” to beat cyber breaches.
“You have to create a culture of individual accountability. And to do that, you need to have positive reinforcement, not ‘compliance and punishment’. “You also need to have a no-blame culture, which is pretty hard as human beings.”
Fellow panellist Kamal Bechkoum, a visiting professor at Abertay University and a veteran researcher in cybersecurity, warned that boardroom leaders would need to get involved.
“The cyber landscape can be overwhelming; the legal framework can be confusing sometimes.
“You don’t have to be an expert in either, but you need to have structures in place that enable you to be informed and enable you to take an active part in the resilience of your organisation.”