A new report has called for organizations to create dedicated internal cyber risk governance groups to address digital risks across the whole enterprise as the threats evolve.
The recommendation for a cyber risk governance model comes in a report published by the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA).
FERMA and ECIIA presented their report at a high-level event at the European Parliament with representatives of the EU institutions, the World Economic Forum, risk and audit practitioners from European businesses, and other European stakeholders.
The report, At the junction of corporate governance and cybersecurity, aims primarily at supporting European organizations in meeting their obligations under the EU General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive. Recent cyber attacks, however, have increased concerns about what the risk experts see as a wider lack of focus on risk governance in cybersecurity.
The report calls for the creation of cyber risk governance groups, chaired by the risk manager, to operate across functions within the enterprise. The role of the group is to determine the potential cost of cyber risks across the whole organization, including catastrophic risk scenarios, and propose mitigation measures to the risk committee and the board.
In addition to the risk manager, the group should be composed of representatives of all key functions at an enterprise level involved in digital risk, notably IT, human resources, communications, finance, legal, the data protection officer (DPO) and the chief information security officer (CISO). Internal audit would provide the necessary assurance to the board that the cyber risk controls are operating effectively.
The full report, ‘At the Junction of Corporate Governance & Cybersecurity’, is available as a PDF.