Cyber Risk Series


UST’s Risk Leadership Initiative is pleased to connect again with Ms. Kristine Raffel, co-author of the recently published case study “Everything is Connected: Risk Leadership at Copenhagen Airports”. Dr. Patricia Stephan will collaborate with Ms. Raffel on a multi-part whitepaper that reflects on the research and findings of FERMA, connects the cyber risk dialogue with local risk leaders, and builds leadership capability on the topic through professional discussion, ongoing education, and formal graduate study.

FERMA is investigating the question:

Are there optimal/recommended cyber risk governance processes that would be particularly adapted to help organizations manage cyber risks across their operations?

Building on the three lines of defense model, cyber risk governance needs to be reassessed against two recent EU cyber laws: the Network and Information Security (NIS) Directive (adopted July 2016) and the General Data Protection Regulation (GDPR, adopted April 2016 and in force since May 2016). Given how recent these instruments are, FERMA’s working committee plans to publish its recommendations in Brussels in June 2017.

Early Observations:

Enterprise risk management (ERM) practices promote a high level of interaction between corporate functions. In some organizations, however, the IT department is only a “third-rank partner” in the practice of risk management. The new EU laws set firm deadlines: within a window of roughly two years, member states must transpose the NIS Directive into national law and designate national competent authorities for cyber security, and public and private organizations alike must bring their governance into line before both instruments apply in 2018. This transformation, which gives IT its proper place in ERM practices, will generate key outcomes:

  1. New rules on data protection
  2. New rules on data storage standards
  3. Harmonization efforts across Europe

The EU’s General Data Protection Regulation focuses on the protection of personal data, applies to non-EU businesses that process the personal data of people in the EU, sets out data processing and consent principles including privacy rights for data subjects, and mandates data breach notification (to the supervisory authority within 72 hours of becoming aware of the breach, where feasible). The Regulation also provides for certification mechanisms and establishes a European Data Protection Board.

Read more: for an introduction to FERMA’s ongoing work, see:

February 2017 - World Economic Forum recommendations enhance FERMA’s work on cyber risk governance

December 2016 - New working group on cyber risk governance