Cyber Resilience: Prepare to be Aware

With

Noëlle Brisson

Co-Founder - CyberReady, LLC

Dr. Michael Savoie

Co-Founder - CyberReady, LLC
24th of July 2024 at 13:00 (GMT+1)
Via Zoom
Free

Key Takeaways

What’s new in compliance

  • Board members need to be more in the know
  • The conversation needs to shift to preparedness
  • There is an explosion in European Directives, e.g. NIS 2 (Network Information Systems)
  • The European Directive DORA, which comes into effect in January 2025, will become a model for sectors beyond the financial sector it applies to.
  • Most countries in the world now have data security rules and laws
  • In the US there is no federal law; regulation is state by state, so the laws don’t necessarily overlap, which can cause issues.
  • All the laws point to more accountability for boards.
  • The common features of regulation and laws now are:
    • Speed of implementation – it now happens much more quickly than before
    • Extraterritoriality: GDPR, AI Act, Patriot Act, Cloud Act or FISA (US), PIPL (China)
    • Risk-based approach
    • Measure of materiality
    • Speed of reporting – usually around three or four days
    • Heavy fines – GDPR provides for fines of up to 4% of global turnover; NIS 2 and DORA will be around 2% of global turnover
    • Accountability and cyber liability for C-suites and boards
    • From compliance to business impact

Board responsibilities in a hyper-connected world

  • Everyone is no longer in the same location
  • Explosion of the Internet of Things
  • If you have remote workers, you need policies in place for them
  • Organisations need to make sure company information is not being compromised or put at risk by employees using unsecured networks
  • Not limited to digital cyber risk: it also includes physical risk, such as card operators getting into a building
  • Question your board: Who is responsible for cyber risk in your organisation? Is your CIO capable of doing this, i.e. do they have the budget, the people and the knowledge?

A holistic approach to cyber risk in a hyper-connected world

  • Develop a risk management philosophy/programme within your organisation
  • What is the risk appetite in your organisation? How do you get better data? How much money needs to be allocated?
  • The questions you need to ask as a board, or of your C-suite and organisation:
  • Physical:
    • Are third parties vetted with background checks?
    • Are there IP security and privacy requirements included in all third-party contracts?
  • Behavioural:
    • Has the organisation’s information security policy been actively communicated to all relevant external parties?
    • Are privacy awareness training obligations extended to the organisation’s subcontractors or third parties?
  • Technical:
    • Are there IP security and privacy requirements included in all third-party contracts?
    • Is there a vendor risk management programme addressing the security of data that may be accessed, processed, communicated to, or managed by external parties?

Is the board aware of what third party contractors do with data provided to them by the organisation?

  • If you can answer yes to this question, your company is in a solid position.

Questions the board should ask regarding data governance:

  • They should do this through two lenses, operational and strategic
    • Operational: You’ll need to map out your data, have procedures in place and identify an owner
    • Strategic: Good data governance helps you manage your data use, protect intellectual property, communicate with the market and grow in a controlled environment. It adds value.

Questions the board should ask regarding data governance

  • Physical
    • Are you aware of your organisation’s backup policy/procedures?
    • Have you met the facility manager and do you know what data is being collected?
  • Behavioural:
    • Do you know what training is provided by whom?
    • Is there a Data Protection Officer (DPO)? And have you met them?
  • Technical:
    • Is there a secure platform for board members to share information?
    • How is AI being used in the organisation?

Questions the board should ask regarding business continuity

  • The board needs to be well-rehearsed to manage any crisis
  • The board should know when and how to intervene
  • Board members should remain reachable and have first responders identified
  • Need to ensure the proper resources are being used and mobilised

  • Physical:
    • Is there an approved business continuity plan for the organisation? Is it tested regularly, and does the board get an update on the results of the tests?
    • Is there an approved Disaster Recovery Plan for the business? Is it tested regularly, and does the board get an update on the results of the tests?
  • Behavioural:
    • Is there a business-aligned risk governance programme that has been approved by management?
    • Are cyber risks included in the organisation’s risk map?
  • Technical:
    • Does the organisation perform regular data backups?
    • Is the board made aware of the physical location of the cloud backup?

Main takeaways:

  • Cyber resilience is an enterprise risk but also an opportunity – it shows you how to allocate resources better and what benefits cyber can bring to your organisation
  • Track silos – this is the biggest risk. Make sure people are talking to each other. It’s essential to carry out simulations and set up a good response team that includes all areas of the organisation.
  • Mind the data: Your responsibility extends throughout the supply and value chain. You need to know what people are doing with the data, how it’s being used, and how it’s being transported.
  • Be aware and be prepared. Know what to ask.

About this webinar

Is any business safe from a cyber attack? Not likely. And as these attacks become increasingly sophisticated, it’s almost a guarantee that more organisations will suffer as a result.

That’s why governance and digital resilience are essential for every organisation.

Join us for this webinar where we’ll discuss the steps you can take to improve your oversight of data governance. Learn how to avoid the physical, behavioural, and technical pitfalls in this ever-changing landscape.

The key takeaways from this webinar will be:

– Cyber resilience is an enterprise risk and everyone’s responsibility.
– Be aware and be prepared. Know when and where to look.
– Mind the data: Your responsibility extends throughout the supply chain.

The Speakers

Noëlle Brisson, FRICS, MAI, has expertise in real estate finance as a valuer, rating analyst, loan servicer, investor, issuer, and lender. Noëlle held senior executive positions at Bank of America, Security Pacific Bank, EY, GMACCM and Standard & Poor’s, and advised the World Bank, Icade (Caisse des Dépôts) and BlackRock. Her focus on operational risks and data governance led her to cyber risk management. She is Co-founder of CyberReady, LLC, a company with offices in Dallas and Paris that uses a holistic approach to identify and manage cyber risks through training and assessments. She also serves as chair of the Audit Committee for a large (2,000 employees) micro-finance institution and is a former member of the RICS-Americas board, where she still sits on the Data and Technology working group. Noëlle is a director certified by IFA (Institut Français des Administrateurs) and led the update of its guide “Sécurité Numérique et Gouvernance”, published in April 2024.

Dr. Michael Savoie, Ph.D., is a Clinical Professor in Operations and Supply Chain Management at the University of North Texas. He is CEO and Chair of the Board of HyperGrowth Solutions, Inc., specializing in the integration of business and technology for competitive advantage, and Co-Founder of CyberReady, LLC, providing holistic cyber risk management training and assessments that allow organizations to evaluate the business risk of physical, behavioral, and technical infrastructure and operations. He is an internationally recognized speaker, serves as a consultant to numerous companies, and is a technology advisor to federal, state, and local governments. Dr. Savoie was appointed to the Texas Guaranteed Student Loan Corporation Board of Directors in 2008 and reappointed in 2011. He served as Chair of the Budget, Finance and Audit (BFA) committee, overseeing roughly $30 billion in federal student loans, a $700 million loan portfolio, and an operating budget of $180 million per year.
