Boards grappling with a wave of new rules regulating cybersecurity should remember that the rules apply to “material” processes and the systems that support them, not to every system in the estate.
The warning comes in a new webinar from Board Agenda in association with Diligent, in which experts dissect the preparations needed to cope with cybersecurity measures issued by rule makers and regulators across the world.
Martin Tyley, a partner at KPMG and the firm’s global lead on cyber risk insights, was speaking on the difficulties faced by boards and their organisations attempting to comply with new rules.
He says regulators are mostly focused on how organisations defend the critical parts of their IT infrastructure.
“What that means,” said Tyley, “is you don’t have to have everything at the same level; you’re not trying to fix everything at the same time.”
Critical importance
Critical systems may differ from company to company. One organisation may be reliant on intellectual property, while another needs to keep a factory running. The controls and protections for such diverse aspects of business may be very different.
Companies are facing a slew of recently launched demands on cybersecurity. European Union member states have until October this year to implement NIS2, the Network and Information Security Directive, which expands mandatory reporting of cybersecurity breaches to more companies and sectors, clarifies risk management obligations and asks large companies to assess the cybersecurity risk in their supply chains.
Both the first and second iterations of NIS are under consideration by the UK.
Last year, the US Securities and Exchange Commission introduced similar reporting responsibilities for US-listed companies, including disclosure of how the board oversees cybersecurity risk: whether it is a board committee responsibility or is handed to a lead individual.
Supply chain vulnerability
Supply chain issues figured heavily in the webinar panel discussion.
“The bad actors have realised that large entities are beefing things up…So, the targets now have become the supply chain,” said Dale Waterman, a compliance and governance expert with Diligent.
However, panellists agreed that the key element in cybersecurity is human behaviour. And that requires smart management. Christiane Wuillamie, chief executive and co-founder of the advisory firm Pyxis Culture Technologies, says organisations require the right “culture” to beat cyber breaches.
“You have to create a culture of individual accountability. And to do that, you need to have positive reinforcement and not ‘compliance and punishment’.
“You also need to have a no-blame culture, which is pretty hard as human beings.”
Fellow panellist Kamal Bechkoum, visiting professor at Abertay University and a veteran researcher in the field of cybersecurity, warned boardroom leaders would need to get involved.
“The cyber landscape can be overwhelming; the legal framework can be really confusing sometimes.
“You don’t have to be an expert in either, but you need to have structures in place that enable you to be informed and enable you to take an active part in the resilience of your organisation.”