Navigating Cybersecurity Risk Management: Aligning Stakeholder Expectations in Response to Regulations

Written by Tim Grieveson
Senior Vice President - Global Cyber Risk Advisor
Written by Nicole Matusek
Investment Management Partnerships Director

In light of the SEC's cybersecurity disclosure rules in the US and NIS2 in Europe, corporate executives and institutional investors face a pressing need to align their expectations and improve their shared understanding of cybersecurity risk management. The evolving threat landscape and regulatory environment highlight the importance of cohesive strategies to measure, prioritize, mitigate, and communicate cyber risk effectively. As organizations navigate this complex terrain, strong alignment among key executives, stakeholders, and investors becomes imperative to enhance cybersecurity resilience and sustain business performance. Regulations such as the SEC rules and NIS2 also expect organizations to know what their supply chain's security posture looks like, to have a comprehensive plan for remediation, and to improve incident detection, reporting, and response.

The SEC's cybersecurity disclosure rules and NIS2 represent a significant milestone in addressing the growing impact of cyber threats. By mandating enhanced disclosures of cybersecurity risks and incidents, regulators aim to improve transparency and accountability in corporate governance. For corporate executives, compliance entails a deeper understanding of the evolving cybersecurity landscape and a proactive approach to risk management. Organizations that fall short could face both financial and non-financial sanctions, such as orders to comply, mandated and more stringent audits, or even notifications to an organization's clientele about potential risks or incidents.

Organizations that demonstrate strong cybersecurity governance and leadership are better positioned to build and maintain trust with shareholders, regulators, and customers. The ability to articulate an understanding of risks, and of their impact on business operations, will prove to be a competitive advantage.

Corporate leaders play a pivotal role in driving a culture of cybersecurity resilience within their organizations. Beyond mere compliance, executives must champion robust cybersecurity practices that permeate every facet of the organization. This includes fostering a cybersecurity-aware culture, investing in cutting-edge technologies, and establishing clear lines of communication and collaboration across departments.

"Good security must be security led and not compliance led to activate security effectively, otherwise organizations are in danger of missing opportunities to spot threats. Good security needs to be holistic and threat informed, not just a tick box for compliance." - Tim Grieveson, SVP, Global Risk, Bitsight

Organizations that embed security properly into normal business processes, and where awareness becomes the catalyst for spotting potential threats in a timely manner, are more likely to be able to react and minimize the disruption caused by a cyber incident.

Organizations where everyone is responsible for security and risk identification, and where those risks are threat informed, aligned to the importance of a service or asset, and assessed for the impact and likelihood of a cyber incident, are much better informed about where to invest, where to focus on reducing risk and improving resilience, and how to meet compliance requirements. By integrating cybersecurity considerations into strategic decision-making, executives can mitigate risks effectively and safeguard the organization's interests.

In parallel, institutional investors are increasingly scrutinizing corporate cybersecurity practices as part of their investment decision-making. With cyber incidents posing significant financial and reputational risks, institutional investors are keen to assess the adequacy of the cybersecurity measures implemented by their portfolio companies. This entails evaluating the quality and transparency of cybersecurity disclosures, assessing the effectiveness of risk mitigation strategies, and treating reduced risk as a competitive differentiator against peers.

To align stakeholder expectations effectively, organizations must embrace a holistic approach to cybersecurity risk management. This entails fostering dialogue and collaboration among corporate executives, institutional investors, and cybersecurity experts.

"Boards and executives are keenly aware of the need to be well-informed about the company's strategies for risk management and readiness to effectively address and mitigate cybersecurity threats. These new regulations also emphasize the critical need for disclosure in this area for investors. Many boards are working to address these needs by enhancing both disclosure and the board's skill set through continuing director education and searches for director candidates with cybersecurity and technology expertise." - Brianna Castro, Senior Director, United States Research, Glass Lewis

Security leaders have a tremendous opportunity, from a privileged position, to show real business value: educating executives on how regulation can support the business in protecting revenue and brand and in building trust, and becoming the "Chief Storytelling Officers" who inform the business risk dialogue. They can provide measurable and actionable reporting that improves executive governance and oversight and reduces the likelihood and impact of sanctions, fines, and lost reputation.

Prioritization, visibility, and the ability to pivot quickly are key to ensuring compliance and to keeping cybersecurity investments appropriate and proportionate to the evolving risk landscape.

A strong relationship between the Chief Risk Officer, Legal Counsel, and the security leader is essential: it enables the business to achieve compliance, to understand its assets well enough to respond in a timely manner, and to facilitate reporting. Done well, it turns regulation discussions into a business differentiator, and this collaboration should improve speed to market, reduce downtime, and open opportunities to optimize cross-team processes and capabilities. By facilitating open communication channels and sharing best practices, organizations can enhance transparency, build trust, and foster a collective commitment to cybersecurity resilience.

Moreover, organizations must stay aware of emerging trends and technological advancements in the cybersecurity landscape. From the integration of artificial intelligence and machine learning to the adoption of proactive threat intelligence solutions, staying ahead of cyber threats requires continuous innovation and adaptation. By leveraging the latest tools and methodologies, organizations can bolster their defenses and mitigate cyber risks proactively.

The alignment of key stakeholder expectations on cybersecurity risk management is paramount in the wake of SEC & NIS2 regulations. By fostering collaboration between corporate executives and institutional investors, organizations can navigate the complexities of the cybersecurity landscape with confidence. Together, they can fortify their resilience against cyber threats, enhance investor confidence, and safeguard their long-term viability in an increasingly digital world.

Tips to embrace security to support SEC & NIS2 compliance:

  • Establish a cybersecurity culture: Promote security best practices, invest in staff training, and emphasize to staff the importance of policies and of reporting incidents.
  • Set security objectives: Treat cybersecurity as a priority and integrate it into all key business stakeholder committees.
  • Allocate supporting resources: Approve sufficient budget, staff, and technology for managing cybersecurity programs effectively.
  • Develop a cybersecurity policy framework: Liaise with the CISO's team to establish a robust cybersecurity policy and a governance model for risk management.
  • Establish a risk management framework: Review risks, KRIs, and incident management programs for continued oversight.
  • Foster collaboration among teams and third parties: Collaboration between security teams and other business units ensures a smooth working culture.
  • Ensure compliance with relevant regulations: Stay informed about industry-specific regulations and legal requirements, and periodically review compliance with them.
  • Engage in third-party risk management: Review the risks associated with third-party vendors, cloud service providers (CSPs), and suppliers, and ensure that contracts include appropriate security clauses for data protection.
  • Review security assessments continuously: Regularly assess the cybersecurity posture through independent audits, tabletop exercises, simulations, and penetration testing, and assure the complete independence of internal audit teams.
  • Stay informed about emerging threats: Engage with industry forums and attend conferences to stay abreast of evolving threats.

Bitsight and Glass Lewis partner to include critical cybersecurity information in Glass Lewis' Proxy Paper research reports to help investors better understand how cybersecurity issues may affect their investments.