(Video) FAIR Institute London Summit Panel Reveals How Cyber Regulators Think - with UK’s DCMS and NHS, Commerzbank and Capital One

The recent FAIR Institute Summit in London hosted a panel discussion on “What Does Effective Cyber Risk Oversight Look Like?” that brought together regulators and the regulated. The takeaway: it is a complicated relationship, with more give and take than it looks.

On the panel:

Phil Huggins, National CISO for Health and Social Care, NHS England

Naomi Gilbert, Head of Cyber Resilience Policy (Incentives and Regulation), UK Dept. for Digital, Culture, Media and Sport

Jo Armstrong, Head of UK Card Technology Risk Management, Capital One

Daniel May, Regional CISO, Commerzbank

Watch the video

(FAIR Institute Contributing Membership required - join now!)

Highlights of the Discussion on Cyber Risk Oversight

On the role of boards in oversight:

The internet is now “inherent in business,” said Huggins, and it’s not acceptable for boards to look at cybersecurity issues as “specialist stuff.” “We’ve got a generational shift before we have board members who are deep into the technology and understand the concepts that we are talking about, but they do have to meet us halfway.”

On the current state of board sophistication on risk: 

When it comes to setting a risk tolerance, Daniel May said, in most organizations “it’s a wordy statement, something along the lines of ‘we’ve got a low tolerance.’ It’s really not a useful tool when you are trying to implement things.” At Commerzbank, the organization has been steadily moving toward a focus on key risk indicators that involve the board in calibrating where the red lines should be, “but we still have a long way to go on it.”

On the regulatory environment:

“There are more regulatory responsibilities coming,” said Gilbert. “In the UK, new audit reforms are coming in the next few months, and they are raising (cyber risk) to the board level by mandating in the future you need to produce a resilience statement that touches on digital risk.” The pressure will be on boards to take responsibility for material risks, requiring a quantitative approach, she added.

On the limits to regulation:

Huggins regulates a large number of small businesses that are in the NHS healthcare provider network. “Historically, we have been compliance-based. That works as far as compliance gets you.” The new challenge, he says, is discovering where the CISO office can or should step in to mitigate risk. “We’re at the point where we are still trying to figure out how do we help businesses that don’t have technology talent, that don’t have cyber talent and for the most part don’t make a profit.” Regulators “can be very strict with what we want people to do but an awful lot of them won’t be able to do it.”

Mandating security investment is not the only answer:

Jo Armstrong said: “The point is to be sensitive… It may be OK to not invest… We shouldn’t use risk as a threat. It’s an enabler as well... You shouldn’t always say ‘if you don’t invest, this will happen.’ If we pause here, your product could move apace and hit the market quickly. So, it’s important to not just look at the worst case that can happen but also look at the best case.”

On innovating with FAIR to complement regulation:

The whole purpose of regulation is to account for factors that may not immediately hit the balance sheet, and therefore not get prioritized by private businesses, Naomi Gilbert said. “This is where the FAIR methodology is actually quite helpful…Starting to quantify secondary impact should make it quite clear to you why you’re regulated…and why you have to have a compliance agenda in the organization.”
