Cyber Resilience on the Clock: Meeting Compliance Deadlines

Facing the Growth in Cyber Incidents: A Continuous Battle

The World Economic Forum states, "2023 was a big year for cybercrime." However, the true situation goes much deeper than this broad statement. Cybercrime encompasses more than just dealing with cyberattacks; it encompasses enforcement, i.e. legal liability, exposure, and accountability.

A perfect example of the legal implications of a cyber event is TSB Bank's IT disaster. The bank's attempt to migrate customer data to a new system led to prolonged outages, affecting millions of customers' access to their accounts and services, and led to data breaches. Consequently, TSB's Chief Information Officer (CIO) was personally fined under the British Senior Managers Regime.

Similarly, the SEC charges against the Chief Information Security Officer (CISO) of SolarWinds in the USA for fraudulent statements on cybersecurity practices following the hack of their Orion platform demonstrates how accountability comes under the cybercrime umbrella and how easily one can become personally liable for a company's cybercrime.

In 2018, the estimated cost of cybercrime worldwide was $0.86 trillion. By 2027 this is predicted to increase to $23.82 trillion3. This vast growth demonstrates the ongoing, continuous battle that is evolving against cybercrime.

Navigating the Cyber Resilience Maze: The Role of International Regulations

A survey by the World Economic Forum asked, "Do you believe cyber and privacy regulations effectively reduce cyber risks?" In 2024, 60.4% of respondents agreed with this statement, compared to 39.2% in 2022. This increase shows organizations' willingness to accept guidance on cyber resilience through regulations, in their effort to safeguard the organization from cyber incidents.

The number of regulations is increasing to ensure organizations comply and avoid damaging situations.

The main regulations include:

• EU DORA
• PRA/FCA Operational Resilience (UK)
• OCC Sounds Practice for Cyber Resilience (US)
• SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (US)
• RBI, Master Direction on Information Technology (IN)
• APRA, CPS 234 (AU)

As IT supports every part of the business, it takes a leading role in managing the cyber resilience framework, which is also impacted by broader regulations such as the EU AI Act and GDPR.

However, each part of the world tackles the aspects of cyber resilience differently. For example, some places more focus on prevention rather than recovery, and vice versa.

Consequently, a significant issue is how to harmonize the many regulations to ensure resilience and agility for organizations – i.e. not looking at what's happening now, but the potential for disruption and the impact it could have.

Europe appears to be much more active than North America in terms of cyber resilience, which is driven by the EU and UK regulations. However, US organizations dealing with Europe must meet these requirements, which prompts them to increase their cyber resilience initiative.

Cyber resilience particularly affects financial institutions as they are all interconnected. If one undergoes an attack, it can have a domino effect on many others. “Imagine the worst-case scenario, where a cyber-attack affects the whole global financial system, and you can see just how important cyber resilience is.“

Navigating Growing Cyber Threats

Every business is vulnerable to cybercrime from many different angles. There will always be a risk, and organizations need to find a balance between operating successfully and managing and mitigating cyber risk.

Here are the main challenges, organizations face today:

Increasing cyber menace

• Protect the enterprise from cyber attacks
• Maintain and restore operations following cyber disruptions
• Increase efficiency in mitigating cyber incidents

Increasing cyber regulations

• Ensure compliance with cyber resilience regulations
• Avoid financial and reputational damages
• Provide regulatory reporting of effective cyber resilience

Increasing need for cyber alliance

• Mobilize stakeholders to enhance cyber resilience
• Prioritize cyber efforts on the most critical assets for the company​
• Optimize cybersecurity budgets in line with the organization's objectives​

Cyber Resilience Throughout the Organization

All stakeholders need to collaborate to build and implement policies to strengthen cyber resilience. This collaboration means understanding cyber regulations and how they can affect their areas of responsibility and impact others. For example, the legal department needs to be aware of the regulations to be included in contracts to avoid cyber liability. 

These key sectors of the organization include:

• The Board of Directors
• Risk, Control & Compliance
• IT
• IT Security
• Data Office
• Procurement
• Legal

One challenge is communicating cyber security to members of the organization in an easy-to-understand manner. This is crucial to ensuring the business and IT visions work in harmony while addressing the cyber risks together. The key is to keep things simple, using images and diagrams rather than text-filled reports that are hard to read.

Cyber Resilience as a Transformation Project

Clear communication requires a significant understanding of the business, its goals, and how it operates. Full cyber resilience can only be achieved with this detailed knowledge of how the business runs.

Awareness of cyber resilience and how to prevent and deal with attacks is reflected in the many processes of an organization, such as:

• Application Portfolio management
• Risk & Compliance management
• Vendor management
• Incident Management
• Penetration testing
• Business Continuity management
• Audit (Internal and External)
• Regulatory reporting

There are several different tools available to facilitate these processes:

• IS repository (CMDB, etc.)
• Business Process Manager
• GRC Software
• Business Continuity Solution
• Incident Manager
• Cybersecurity solutions
• Data Governance solutions
• Reporting tool

The Implication of the Interconnection of Risk

Understanding the bigger cyber resilience picture is essential to managing cyber risks and setting up a cyber resilience strategy. It requires a 360° contextual vision of critical business processes and services and their interdependencies with ICT systems. Getting granular visibility into IT assets and information provides a better understanding of how those processes and services are powered. It facilitates the analysis, prioritization, and accountabilities required for effective cyber resilience.

To implement this approach, the organization needs a strong leader with an overall vision that understands the company and how a cyberattack could impact any department. This person should have a vertical and horizontal perspective across all aspects of the business, enabling them to advise and guide others on the effectiveness of cyber resilience.

Think of it as a ship that only runs smoothly, with everyone following orders from the captain and understanding their role in the overall journey. Similarly, cyber resilience needs a captain and employees to follow guidance and understand their part in the complete picture.

The Path to Cyber Resilience

Effective cyber resilience is an evolving matter that takes time to tackle. It requires planning, implementation, and management as an ongoing strategy.

The following steps provide the foundation upon which to build and achieve cyber resilience.

1. Design a cyber resilience framework – identify critical processes and supporting IT assets/vendors
2. Evaluate the framework – assess cyber risks and controls
3. Plan the cyber resilience strategy – define, document, and test continuity procedures
4. Manage cyber incidents – identify, report, and follow-up
5. Monitor the resilience – continuously improve the framework

The outcome of the above steps leads to addressing cyber resilience and cyber agility. This involves the ability to recover from an event and minimize the risk for the future.

The Need for a Unified Cyber Resilience Platform

To provide the complete solution for an effective cyber resilience program, organizations need a solid foundation that aligns cyber and business strategies to shield the organization from cyber disruptions, by natively managing:

• IT – applications, technologies, networks…
• GRC – processes, risks, controls…
• Data – flows, classification…
• Connecting – with external bodies such as CMDB and CVSS…

In addition, business process modeling can prove useful in linking IT assets with business parts of the organization to ensure the correct management of cyber risks. A core business process document is the foundation for reducing and managing cyber risks through:

• Quality diagrams to simplify the message
• Connection of processes and roles
• Analysis of cyber resilience and critical dependencies
• Detecting and managing risks

The objective of these actions is to keep the business online and operating securely in the event of an attack. This minimizes losses and maintains reputation (think of the damage to TSB’s profile when it prevented thousands of customers from having access to their money for a prolonged period).

The key benefits of a strong cyber resilience framework and a connected approach are:

• Strengthening digital operational resilience
• Optimizing cyber budgets
• Preventing regulatory non-compliance and fines
• Fostering collaboration
• Mutualizing compliance efforts
• Sharing a common vision of digital risk

Would your business maintain its continuity in the event of a cyberattack? MEGA provides an overall solution and can help you strengthen your organization's cyber resilience.