Note To The C-Suite: It’s Time To Stop Avoiding Cyber Risk Governance
The significant threat cyber attacks represent to commerce and infrastructure is intensifying calls for government to “encourage” companies and agencies to act more responsibly. Pending actions, which include a presidential executive order, bills in the U.S. Congress, and legislation in 35 state governments, call for standardized cyber risk reporting and management based on a de facto standard, namely the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). What is driving all this activity?
The recent revelation of two massive Yahoo breaches raised the bar for both the scale of and public awareness of devastating cyber attacks. The $350 million drop in the valuation of the company’s acquisition by Verizon made it clear that technology alone won’t overcome a lack of management and board commitment to protect an enterprise from cyber risk. Ripple effects of the Yahoo breach and of multiple breaches of U.S. government agencies have led to widespread calls for more and better oversight of cyber risk, on a par with oversight of financial risk, and they are rapidly elevating the importance of cyber risk governance (CRG).