The Criminal, The Regulator, and The Hero

Criminal, Regulator MSI Blog
4 min read


Did you hear the story about the entire cyber security team disappearing, only for people to find out that they ‘ran-some-ware.’

Ok, maybe not my best joke, but neither is the one about the rock band called 1023MB - they are yet to play a gig. Even if you managed a half smirk, which I very much doubt, I don’t need to remind you of the sheer shudder and fear that cyber breaches are causing across all industries.

Cyber risk has been the number one risk for a few years for Chief Information Security Officers (CISOs), and now this risk has visibility across the entire organization. It has become much more than just an IT risk and the CISO’s problems. It’s been elevated to conversations in the boardrooms. It has everybody’s attention, with the entire C-suite sitting up and taking note. Cyber risk is now both a strategic and business risk. According to the 2021 Gartner Board of Directors Survey, 88% of boards now view cybersecurity as a business risk. Interesting to note is that this number has gone up by 30% since 2017.

Research shows that it is not only companies that are falling prey to these criminal minds, countries too are being targeted by these intrusion masterminds.


Cyber criminals continue to expand their capabilities and look for weaknesses in the organization’s networks. Like a tiger ready to pounce, attackers are never far away. They are becoming more sophisticated and it is questionable how many organizations are truly prepared for an attack. On average there are 270 attacks on a company in a year as per Accenture's State of Cybersecurity Resilience 2021 study. Alarming to note is that this is a 31% increase compared to the previous year!

Being able to quantify your losses, seems like a hard task. How do you put a price on leaked and missing data which inevitably will cause reputational damage? This damage which might take decades to earn and seconds to lose.

The most common types of attacks are email fraud, ransomware attacks, theft of personally identifiable information, and financial fraud. Oh, and there are virus attacks, phishing attacks, password hacks, etc. I could go on and on.

What’s worrying is that as new technologies bring a wealth of opportunities, criminals with limited technical knowledge are learning how to attack one computer and then use the infrastructure to infiltrate the entire network, sometimes looking at multiple entry points.

Similar to how we have pivoted our working environment over the last few years, and have the ability to work remotely, criminals can also be located anywhere in the world. They may be sitting in countries halfway across the globe and still cause a cyber fatality.


Regulation is evolving and almost every major country is issuing some guidelines or legislation on data protection. In March this year, under the proposed cybersecurity regulation, all European Union (EU) institutions, bodies, offices, and agencies were required to have cyber security frameworks in place for GRC.

The Computer Emergency Response Team (CERT-EU) has extended its mandate to include threat intelligence, information exchange and incident response coordination hub, a central advisory body, and a service provider.

The Council of the European Union highlighted the importance of a solid and consistent security framework to protect all EU personnel, data, communication networks, information systems, and decision-making processes.

And in the UK, as part of the £2.6 billion National Cyber Strategy 2022, the government is actively working to improve the cyber resilience of individuals and organizations across the economy. 

The UK’s National Cyber Security Centre (NCSC) published guidelines on strengthening cyber security and part of this consideration was of third parties associated with companies and their ability to stand against a cyber threat.

In the United States, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in March 2022. Critical infrastructure companies, including financial services, will now be required to report cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA).

In March 2022, the US Securities and Exchange Commission (SEC) has also proposed a rule which will require publicly listed companies to report to the SEC the occurrence of cybersecurity incidents, cybersecurity capabilities, and the board’s cybersecurity expertise and oversight.

Ensuring your business continuity and incident management provisions are up to date is high on the list as you need to meet your regulatory obligations.

MetricStream—the Hero

With criminals causing havoc and regulators working to increase oversight of cyber incidents, what if your organization could stay one step ahead of the game and thrive with its cyber risk program?

What if you could:

  • Quantify your cyber risk
  • Adopt a cybersecurity framework like ISO 27001 or NIST
  • Use automation and artificial intelligence
  • Protect your critical assets
  • Reinforce visibility into the overall compliance profile
  • Access intuitive real-time dashboards
  • Perform third-party risk assessments and monitor your risk exposures
  • Save costs by harmonizing controls across multiple IT regulations
  • Test once and comply many times with Continuous Control Monitoring

Well, with MetricStream CyberGRC you can do all the above and more. You can focus on your most critical controls across your entire organization and improve your risk posture, visibility, and efficiency.

To learn more, request a demo now.

Read our eBook on Five Critical Capabilities for Effective Cyber Risk Management

Stay up-to-date with the trending discussions and insights in the risk community. Subscribe to the Instagram of Risk Blog Series authored by Suneel Sahi, VP, Product Marketing at MetricStream.

Check out Suneel’s other ‘Instagram of Risk’ ’blogs:

Insurance Industry: We Have You Covered


Be Resilient, I Whispered to My Car

If You Think Compliance is Expensive, Then Try Non-Compliance

An Ounce of Prevention is Worth a Pound of Cure

Don’t Aim To Be Perfect, Aim To Be Anti-Fragile

Enforcements Will Come in All Directions

There is One Way Traffic – Downhill