FERMA Webinar: At the Junction of Corporate Governance and Cyber Security
•Download as PPTX, PDF•
1 like•1,336 views
The recommendation for a cyber risk governance model came in a report published 29 June 2018 by the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA). FERMA and ECIIA presented their report at a high-level event at the European Parliament with representatives of the EU institutions, the World Economic Forum, risk and audit practitioners from European businesses, and other European stakeholders. The report, At the junction of corporate governance and cybersecurity, aims primarily at supporting European organisations in meeting their obligations under the EU General Data Protection Regulation and Network Information Security Directive. Recent cyber attacks, however, increased concerns on what the risk experts see as a wider lack of focus on risk governance in cyber security. More information here: https://www.ferma.eu/ferma-webinar-junction-corporate-governance-and-cyber-security?type=events What will you learn from this presentation? - Compare and assess your own governance of cyber risks against the proposed cyber risk governance model - Know where you stand in the evolutionary journey towards cyber resilience: reactive, proactive, predictive... - Define the key stakeholders for cyber security and conditions for success - Find mechanisms that help leadership determine effective and efficient resource allocation - Plan for the next move to improve your cyber risk governance
Recommended
More Related Content
What's hot
What's hot (20)
Similar to FERMA Webinar: At the Junction of Corporate Governance and Cyber Security
Similar to FERMA Webinar: At the Junction of Corporate Governance and Cyber Security (20)
More from FERMA
More from FERMA (14)
Recently uploaded
Recently uploaded (20)
FERMA Webinar: At the Junction of Corporate Governance and Cyber Security
- 1. www.ferma.eu LIVE WEBINAR – FOLLOW US @FERMARISK #FERMAWEBINAR FERMA Risk Leadership at the heart of Europe Suscribe to our newsletter: www.ferma.eu Contact us: enquiries@ferma.eu
- 2. www.ferma.eu AT THE JUNCTION OF CORPORATE GOVERNANCE AND CYBER SECURITY LIVE WEBINAR @FERMARISK #FERMAWEBINAR
- 3. www.ferma.eu
- 5. www.ferma.eu Why corporate governance and cybersecurity are now linked? • A business need – Help organisations to increase their resilience to cyber event while creating value with digitalization opportunities • A new global legal context – European cyber laws (NIS, GDPR, ePrivacy for telecommunications), a strict new cyber law in China; evolving US cyber laws (state enacted: MA, NY; Federal: CISA, more pending), amongst others, are introducing new IT security and legal requirements for organisations but all remain silent on the governance aspect of cybersecurity • Beyond IT, a corporate issue – Risk management readiness can only be achieved within a strong governance framework, and through a highly coordinated approach across all departments of an organization
- 6. www.ferma.eu What do we mean by governance of cyber risk? 1. Similar to corporate governance: it is a set of processes, practices and policies put in place to direct and control the cyber security 2. It’s a framework whose objective is to increase cyber resilience 3. It’s important to identify the most important stakeholders who can influence and affect the governance of cyber risk (role of the Board, IT, legal, finance…)
- 8. www.ferma.eu Two strong pillars to support the proposal • The eight principles set out in the OECD recommendation on Digital Security Risk Management (2015) • The Three Lines of Defence model, recognised as a standard of Enterprise Risk Management (ERM)
- 9. www.ferma.eu Main proposal: a cyber risk governance group – A cross-function team headed by the risk manager • Composed of operational functions from the 1st line of defence and key functions from the 2nd line of defence • To determine cyber risk exposures in financial terms and design possible mitigation plans – Why cross-disciplinary? • Expertise, by being cross-disciplinary, the group has the subject and organisational knowledge to identify the most harmful cyber risks for the organisation and list the suitable responses
- 10. www.ferma.eu Risk Management – Internal Audit relationship • “Auditability by design” – Right from the beginning, cooperation between the cyber risk governance group and Internal Audit is needed to ensure continuous measurement and improvement of mitigation plans – Unique capacity for Internal Audit to independently review the efficiency of the cyber controls, risks and governance processes implemented • A Risk Committee – as a board committee, it might be responsible for enterprise risks and reviews the cyber risk assessments performed by the Group • The Audit Committee – It independently reviews the audit of the cyber risk governance system performed by the Internal Audit function
- 12. www.ferma.eu Case Study • Educational Testing Service (ETS) – Our Mission: To advance quality and equity in education by providing fair and valid assessments, research and related services. Our products and services measure knowledge and skills, promote learning and performance, and support education and professional development for all people worldwide. • Global • Data intensive • Complex IT Systems • Real time • Heavily partnered • Complex global legal/regulatory environments • Cyber threats to confidentiality, integrity, availability • Transformative change on many fronts
- 13. www.ferma.eu • ETS maintains dedicated organizations and staff with responsibility for information security, physical security and test security, as well as disaster recovery/business continuity, privacy and internal audit. • These organizations communicate and collaborate via a corporate-level Security Steering Committee, lead by our Chief Information Security Officer and comprised of the leaders responsible for each function. ETS Security Ecosystem Audit BC/DR Privacy Legal Compliance Test Security Physical Security Information Security Security Steering Committee
- 14. www.ferma.eu CAPA/Risk Management and Quality Policies Security Steering Committee: • Determines risk exposures and mitigating controls • Oversight of significant security initiatives and capital investments • Also defines policy and responds to complex incidents ETS Cyber Risk Governance Structure
- 15. www.ferma.eu CAPA/Risk Management and Quality Policies • Risk Committee = Enterprise Risk Executive Committee • Cyber Risk Governance Group = Security Steering Committee • Security Steering Committee made up of representatives from 1st, 2nd, and 3rd lines of defense Remember the proposal?
- 16. www.ferma.eu CAPA/Risk Management and Quality Policies • Evolving as predictive • Decision support for top leadership • Guardrails • What needs to be true? How did we come up with this approach? • Initially reactive • From the ground up over several years • Firefighting – incident management – joint projects • Gradually more proactive • Risk identification – mitigating controls • Task Force
- 20. www.ferma.eu Q&A
- 21. www.ferma.eu SUBJECT: Applying Enterprise Risk Management to Environmental, Social and Governance-related Risks with WHEN: end of April HOW: email invitation and/or register on www.ferma.eu THANK YOU & JOIN OUR NEXT WEBINAR RECORD YOUR 2 CPD POINTS CONTACT US: enquiries@ferma.eu
Editor's Notes
- Julie to ask question: What is most important in order for a cybersecurity governance structure to work for your organization? + present answers (multiple answers are possible) Laetitia to launch poll … then share results live Julie to comment results Julie– NEXT SLIDE: Polling question 5: - Do you take cross-functional purchase decisions on cyber insurance in cooperation with business units and IT?