Cyber Regulators on Your Case? Call on the “Trinity of Good Governance”
At the recent 2024 FAIR Conference, two FAIR Institute Board members and veterans of regulatory audits, James Lam, Board Director, Blackrock iShares and Christopher Porter, CISO, Fannie Mae, suggested a proactive approach for CISOs to get ahead of the regulators enforcing standards for financial, health and other industries.
Chris and James were interviewed by Neila Zerguini, Partner, Deloitte Canada for the session:
Left to right: Neila Zerguini, Chris Porter, James Lam
Regulators and cyber risk managers often start out from their separate corners – as James said, risk and security managers think the regulators “don’t know anything” while the regulators think the managers “must be hiding something. But it’s important to really understand each other and have good alignment.”
To bridge the gap, Chris and James suggest these techniques:
>>Don’t start the relationship when the regulators are sitting in your office. Reach out well in advance and meet outside the context of an audit.
>>Recognize that the regulators typically work from a narrow-scope list of requirements. Take on the obligation to educate them about the wider business context that drives your risk and compliance decisions.
>>Calling in a board member can defuse a tense situation – directors often have a similar outlook to the regulators, a “shared interest in good risk management and governance,” and a broader, industry-wide perspective, James said. He calls a healthy board-regulators-risk managers relationship the “Trinity of Good Governance.”
Board members and regulators share an interest in three checkpoints: 1. What is your risk exposure? 2. How does that exposure compare to your risk appetite? 3. What strategies are you implementing to mitigate that risk, and what is the trend? These are all questions you can answer with FAIR analysis.
>>Run tabletop exercises within the organization, gaming out a major stress test, and share the results with your regulators. FAIR analysis as part of the tabletop can help produce an accurate, actionable result here too.
Chris concludes that throughout sometimes contentious interactions, “FAIR is a structured way of showing risk assessment. It gives a better conversation with the regulators about your business.”
Watch the FAIRCON24 video:
Unlocking Regulatory Alignment: Harnessing FAIR Standards for Effective Dialogues with Regulators