UK Proposed Cybersecurity Code Says Cyber Risk Is Material Risk
“As cyber risk now comprises a material risk to any business with a digital footprint, whether directly regulated or not, all organizations should adopt the Cyber Governance Code of Practice.”
So states the introduction inviting comment on a proposed governance code the UK Department for Science, Innovation & Technology wants to see adopted by boards and executive leadership across the British economy – another important step in the international movement toward risk-based cybersecurity.
The introduction document critiques current cyber risk management practices in terms that will sound familiar to FAIR advocates pushing to re-focus decision-making on business thinking rather than technical thinking. As American companies are finding with the new SEC disclosure rules, defining “material risk” inevitably points the way to quantifying cyber risk in financial terms.
The FAIR Institute has released the FAIR Materiality Assessment Module (FAIR-MAM™) to help quantify material cyber risk.
“Across industry, there are a number of best practice standards, particularly in IT operations, security operations and enterprise risk management, but less so when it comes to governance and providing directors or boards with direction.
“When looking across the breadth of standards and guidance, it is clear that the majority do not specifically target directors and therefore do not use language that they are familiar with.
“In addition, the majority are also predominantly outcomes focused which can be difficult to interpret and implement without a reasonable understanding of cyber security…
“Collectively, the current standards and guidance landscape has not led to sufficient action being taken by directors on foundational cyber governance issues to keep pace with this changing risk environment.”
As evidence, the document cites a Department for Science, Innovation & Technology survey finding that “One example of insufficient director involvement is demonstrated in less than half (47%) of medium organizations and only 64% of large organizations having a formal incident response plan in place.”
The proposed code is a model of non-technical language that lays out, in a short format, the “critical governance areas that directors need to take ownership of in one place”, with sections on risk management, people management, cyber strategy, incident planning and response, and assurance and oversight. Each section includes five action steps (for example, in risk management: identifying and prioritizing critical assets, setting a risk appetite, and expanding cyber risk ownership beyond the CISO).
To drive uptake, the agency will cooperate with regulatory agencies to embed the code in the UK GDPR and other standards. The UK’s National Cyber Security Centre (NCSC) co-authored this new code and will work on guidance for implementation.
Learn how FAIR practitioners have responded to the regulatory regime for cybersecurity in Britain – watch this video of a panel discussion at the 2023 FAIR Institute Europe Summit with representatives from NHS England and the Dept. for Digital, Culture, Media and Sport.
Developing Cyber Risk Regulations in the EU Also Point to Quantification
- The NIS 2 Directive came into force in 2023 with the goal of standardizing cybersecurity law across the EU. Regulated companies must quickly report significant cyber incidents, but the threshold for “significant” (like “material”) is still under debate – pointing to a need for risk quantification.
- The Digital Operational Resilience Act (DORA), a new EU regulation for the financial industry being finalized in 2024, will require companies to run a comprehensive risk management program that will sound familiar to FAIR practitioners, including analysis of risk scenarios for financial impact and documentation of the relationships among assets and controls.
Learn More about the Outlook for EU and UK Cyber Regulations and the FAIR Response – Attend the FAIR Institute Europe Summit
Join us in Paris, March 13, 2024, for a full day of keynote addresses, panel discussions and many use case presentations, plus ample time for networking and informal learning. This year’s theme, “Managing Cyber Risk in the Age of New Incident Disclosure Rules,” is right on target for the issues of most concern to EU and UK companies.