In July 2023, the U.S. Securities and Exchange Commission (SEC) introduced its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies rules to improve resilience and transparency in processes related to cybersecurity, risk management, and governance. These rules came into effect in December 2023 and apply to publicly traded companies. A year on, it is important to understand their strategic implications and how organizations are navigating the evolving compliance landscape.
The SEC cybersecurity rules require publicly traded companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. Companies must also describe their cybersecurity risk management strategy and governance in their annual reports on Form 10-K. The aim is to ensure that investors and other key stakeholders have clear information on how companies manage cybersecurity threats and respond to incidents, in line with the SEC’s mandate of protecting investors and maintaining free markets.
(Read our blog for a comprehensive mapping of how we can help you achieve compliance with the various aspects mandated by the SEC Rules.)
The SEC cybersecurity rules set down conditions that were unprecedented, and some business leaders were apprehensive about the compliance measures they would require. Adding to the challenge, the rules did not clearly define “materiality.” They only established qualitative factors, such as harm to organizational reputation, damage to customer and partner relationships, and the possibility of legal or regulatory action and investigations. This left the concept of materiality open to interpretation, creating a risk of compliance gaps.
Some of the terms were also difficult to implement. Form 10-K led to some confusion because the rules did not specify how much information had to be disclosed, or how detailed the disclosure had to be to ensure transparency. The 8-K had to be filed when materiality was determined rather than when an incident was detected, but materiality had to be determined quickly after the incident was discovered, and the determination could not be postponed until the full impact of the incident had become evident. This put organizations under significant pressure to assess materiality quickly, and not just in terms of immediate impact but anticipated future impact as well. And while mitigating a cybersecurity incident can be time consuming, the rules require organizations to report an incident once materiality is determined, even if the incident has not been fully resolved. Revealing details about an incident before it is fully addressed opens up the risk of future cyberattacks following the same pattern.
This lack of clarity led to organizations reporting non-material incidents under the wrong items of Form 8-K. As a result, in May 2024 the SEC issued further guidance on the disclosure of cybersecurity incidents under Form 8-K.
(Read our blog that dives into what “material” means, including examples of quantitative and qualitative factors that companies should consider when assessing the materiality of a cyber incident.)
Last year, the SEC filed a lawsuit against SolarWinds, accusing the company of misleading its shareholders about cybersecurity vulnerabilities and the risk of Russian-linked hackers breaching its systems. This was the first time the SEC had filed civil fraud charges against a publicly traded company that had suffered a cyberattack. During the investigation the SEC learned that four other companies had been attacked by the same threat actor but had downplayed the incidents in their SEC filings. It penalized the four companies almost USD 7 million in total for providing materially ambiguous disclosures about risks and breaches. The charges fell under two categories: not revealing complete material information about cyberattacks despite making disclosures (Avaya Holdings Corp. and Mimecast Limited) and not updating risk factors after a cyberattack (Check Point Software Technologies Ltd. and Unisys Corporation). But in July 2024, a federal judge dismissed part of the case against SolarWinds, stating that some of the claims were grounded in "hindsight and speculation."
Currently, the SEC does not impose any additional penalties on organizations for failing to meet the four-business-day deadline for determining materiality and reporting incidents. So far, the only such fine the SEC has imposed is USD 10 million on Intercontinental Exchange and nine of its affiliates for not disclosing a cyber intrusion within the stipulated period.
The fact that the SEC is now focusing on cybersecurity highlights the growing understanding of how cyber threats can damage a company’s business and reputation in addition to its financial health. The rules are also forcing organizations to re-assess the “materiality” of cyber incidents, and to revise the ways incidents are analyzed, documented, and disclosed. Given the requirement to disclose material incidents within four business days, organizations are trying to find a balance between complying with the rules and minimizing the risk of giving out too much information too early.
The SEC’s focus on cybersecurity disclosures will only intensify over the next year. Organizations must ensure thorough quantitative and qualitative assessment of incidents before disclosure with a strong focus on correctly evaluating materiality. Ongoing monitoring of incidents and updating of SEC filings in case of any material developments is important. Risk factors detailed in disclosures must accurately present actual risks and not hypothetical ones with updated information on material incidents. And companies must strengthen their disclosure and escalation processes to ensure effective response to incidents as well as compliance.
Good governance and oversight are crucial, and organizations must review their incident response plans so that they can quickly assess materiality and meet reporting obligations. Board directors must understand the full extent of the cyber risks facing the company and their impact. Their involvement is crucial for ensuring compliance with the SEC’s cyber rules as well as for managing cyber risks. Clearly defined board oversight responsibilities are important, and the board must be kept informed on risks, incidents, and readiness. Organizations must work closely with their legal teams to draft accurate disclosures and prepare annual reports that describe processes and oversight that may still be evolving. Organizations also need a robust technology foundation not only to identify incidents quickly, but also to ensure error-free reporting and disclosures.
The SEC cybersecurity rules reflect an increasing understanding of cyber resilience and the severity of cyber risks. The first year saw definite action against organizations that did not comply with the requirements, as well as a streamlining of corporate efforts to ensure accurate reporting and disclosures. With the right technology platform in place, ensuring compliance with the SEC’s cybersecurity rules in the years to come should be error-free, seamless, and accurate.
MetricStream’s CyberGRC solution can help you streamline your cyber risk management program and achieve compliance with the various aspects mandated by the SEC Rules, including:
Interested to know more? Request a personalized demo.
Download eBook: Overview of SEC Cyber Disclosure Rules 2023
View Infographic: SEC’s New Cybersecurity Rules 2023: Top FAQs Answered
I enjoy cliches not just because they’re a little bit homespun, but also because they’re true. One of my favorites is “risk never sleeps.” If it’s cybersecurity risk, not only does it not sleep, it multiplies and accelerates instead of sleeping!
Already this year, we’ve seen a 75 percent increase in cyberattacks across the world, and the average cost of a data breach has risen to an all-time high of USD 4.5 million. Organizations are under tremendous pressure to protect their data and systems from breaches and cyberattacks, all while keeping pace with new and evolving cyber regulations. AI is a powerful new weapon in the fight against hacks – but malicious actors are also using Artificial Intelligence (AI) to launch sophisticated and stealthy attacks. And the vast third-party ecosystem that most modern organizations work within leaves businesses exposed to threats arising from vulnerabilities within partner or vendor organizations.
As we wrap up 2024 and enter a brand-new year, it is important to understand the key trends shaping Cyber GRC in 2025. But before that, here is a quick dive into the top developments that shaped this year.
2024 was marked by escalating geopolitical tensions, humanitarian crises, and political instability on one hand, and increasing adoption and use of AI on the other. Consequently, the cybersecurity regulatory focus has been on ensuring cyber resilience as well as on regulating AI development and innovation.
In May 2024, the US government announced that several aspects of the US National Cybersecurity Strategy were already in action. This strategy includes creating cybersecurity exercises to help critical infrastructure operators prepare for attacks by hostile countries and bad actors. It also includes proposed reforms to the government’s procurement processes for Internet of Things devices to ensure they are secure by design.
And in October 2024, the EU’s Network and Information Security (NIS) Directive 2 came into effect with the objective of strengthening cybersecurity around critical infrastructure like energy systems, healthcare networks and transportation services. Meanwhile, Singapore rolled out the Operational Technology Cybersecurity Masterplan 2024 to strengthen cybersecurity measures around operational technology that powers public-facing digital equipment such as traffic light controllers, fuel station pumps, and energy grid control systems.
On the AI front, the European Union was the first to enact a law regulating AI development, with the Artificial Intelligence Act in August 2024. It aims to encourage responsible AI development and deployment in the region. Other nations are also working on their own AI regulations, and this trend will continue for the foreseeable future. There was also an increased focus on managing third-party risks, with 44 percent of businesses experiencing third-party data breaches in the last year. 2024 also saw organizations increasing cybersecurity investments and deploying automated continuous GRC tools to ensure error-free compliance in an increasingly fraught cyber risk environment.
So what will 2025 look like?
All of the trends above point to a cyber risk landscape that’s likely to become more sophisticated and interconnected. In this environment, CISOs will need to be equipped with the key trends that will impact Cyber GRC in the next year to build cyber resilience and ensure robust cyber risk management strategies.
AI Comes of Age – AI continued to drive innovation and productivity, as well as risks, throughout 2024. Organizations are accelerating the adoption of Gen AI to transform operations, improve productivity, and shape cyber risk management strategies by leveraging AI’s ability to analyze huge volumes of data. 65 percent of companies are already using generative AI regularly, while 18 percent have it fully integrated across their organization, marking a 5-point increase in just 6 months. But malicious actors have equal access to the technology and are using it to launch increasingly sophisticated attacks across industries. Cyber teams have to revisit their strategies to manage these risks. Proper AI security measures coupled with effective AI-driven cybersecurity policies will be critical as more companies adopt the technology.
Regulatory Focus on Cyber Resilience – Regulatory action has increased significantly to keep pace with the rapidly escalating risk landscape. Over 170 new cybersecurity regulations were drafted across 150 countries in just the last two years. Most key regulations – the US SEC’s cybersecurity rules, the EU’s Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA), and the UK’s proposed Cyber Security and Resilience Bill – focus on proactive measures for identifying, managing, mitigating, and reporting cybersecurity risks. The spotlight is now on cyber resilience and an organization’s ability to resume business as usual after a cyber incident. Organizations have to reshape their cybersecurity and compliance strategies to align with evolving regulations and address the need for cyber resilience.
The Changing Role of the CISO – Cyber risks are significant business risks. A cyber incident can disrupt business, expose confidential customer and operational data, and cause severe damage to reputation and customer trust in the brand. As a result, cybersecurity is now a top leadership concern, and the modern CISO has a seat in the boardroom. CISOs are no longer concerned only with the technical and operational management of cybersecurity; they have a larger, more strategic role to play in aligning cyber strategy with business objectives.
Third-Party Risk – Today, almost all organizations work within a complex ecosystem of partners and vendors. A single vulnerability in a vendor’s infrastructure can result in major data breaches, non-compliance risks, and financial losses. In 2024, two major data breaches at American Express and Fidelity Investments resulted from attacks on third-party systems. Organizations are now focusing on continuous monitoring of third-party vendors and demanding strict adherence to security standards and encryption protocols across the vendor ecosystem. Robust incident response strategies and regular audits and testing of third-party systems will be a key priority for CISOs in 2025, and regulations will increasingly cover third-party risk management as well.
Continuous Risk and Control Monitoring - Cyber risks are continuously evolving, necessitating round-the-clock monitoring and assessment. Security teams need continuous risk monitoring tools to detect and address threats in real-time. Continuous monitoring delivers vital insights into network, application, and cloud activity. Automated data collection processes and AI-driven continuous monitoring mechanisms can help security teams quickly identify threats.
The cyber risk landscape is not showing any signs of de-escalation, and organizations need to know the key trends impacting cyber risk management in order to anticipate and manage risks effectively. We have identified the top 10 cyber risk trends to watch out for and prepare for in 2025.
Our eBook also offers insights on how MetricStream CyberGRC can safeguard your business. Built as an interconnected, intuitive, and intelligent GRC product set, CyberGRC empowers enterprises to connect cyber risk data from across the enterprise, including third and fourth-party vendors, and then use the actionable business intelligence to make data-driven decisions to build cyber resilience.
With MetricStream CyberGRC, you can:
See how MetricStream CyberGRC can help you stay ahead of these trends – and identify new risks as they emerge. Request your personalized demo today!
Cybersecurity and cyber or IT risk management are essential components of any organization's strategy to navigate the complex and ever-evolving landscape of cyber threats.
But while the two terms – cybersecurity and cyber risk management – are often used interchangeably, they are two distinct practices that work in conjunction to protect an enterprise from cyberattacks. As the threat landscape evolves further, it is crucial to have calculated and robust strategies for both to maintain a strong, secure, and proactive digital environment. To do so, it is important to clearly understand the similarities and differences between the two.
As the word implies, cybersecurity practices aim to protect and safeguard not just information/data, networks, and digital infrastructure but also physical devices and even premises from malicious attacks and damage.
Cybersecurity comprises the people, methods, processes, practices, and technologies put in place to protect an enterprise’s data, systems, and networks from threats ranging from unauthorized access and damage to attacks, disruptions, and theft. It is a broad strategy that includes infrastructure security, data protection, network and application security, disaster recovery, and end-user education and awareness. It focuses on threat prevention, vulnerability management, and incident response to protect information and information systems and to ensure the confidentiality, integrity, and availability of data.
Specifically, this includes four key aspects:
- Physical security, or measures to protect computer systems and networks from unauthorized physical access and/or damage from events like fire or vandalism, and to safeguard against breaches resulting from theft. Methods employed include security guards, access controls, fencing, and boundaries, among others.
- Network security, which focuses on protecting computer networks from unauthorized access. This is achieved through measures like firewalls, antivirus systems, intrusion detection systems, and encryption.
- Application security, which aims to protect software applications from attacks and manipulation. Modern applications are increasingly developed with intrinsic security measures – security is built into the design rather than added on later. Despite this, an application can still contain vulnerabilities that attackers can exploit, and cybersecurity strategies are designed to protect applications from such attacks.
- Data security, which protects enterprise data – including the enterprise’s own information as well as customer and third-party data – from unauthorized access, disclosure, or modification. Methods for achieving this include encryption, access control, firewalls, authentication protocols, backups, and regular purging, among others.
Cyber and IT risk management involves identifying, assessing, prioritizing, managing, and responding to the various risks associated with information/data, IT assets, and the use of digital technologies, and their potential impact on an organization. Identifying and mitigating risks of this nature requires strategic planning and informed quick decision-making.
The key steps/processes involved in cyber/IT risk management are:
- Risk identification – In this step, it is crucial to identify and inventory the digital assets, potential threats, and vulnerabilities, and to determine the criticality and value of each asset in terms of its impact on business operations.
- Risk assessment – This is a systematic process that evaluates an organization's vulnerabilities, threats, and potential impacts related to its information systems and digital assets. It involves defining the scope, identifying critical assets, and pinpointing potential threats. The assessment also includes examining system vulnerabilities and analyzing risks based on likelihood and impact. Mitigation strategies are then developed to reduce or address the identified risks, and an action plan is created. Ongoing monitoring confirms the effectiveness of implemented controls and flags the need for adjustments. Through this process, organizations gain a clearer understanding of their cyber risk posture, enabling informed decisions and improved resilience against cyber threats.
- Risk mitigation – This is followed by risk mitigation, the development and implementation of strategies to address identified risks. These may include measures like implementing robust security controls, adopting best practices, creating processes to be followed, and even inculcating a risk-aware culture within the enterprise.
- Incident detection and response – This stage involves continuous monitoring of assets, systems, and networks to detect potential cyber incidents. It also includes the implementation of a bespoke incident response plan and processes to analyze incidents, contain and remediate them, communicate with essential stakeholders, and conduct post-incident analysis.
- Monitoring and review – In this stage, regular reviews and updates to the cyber risk assessment should be carried out to account for changes in the threat landscape, technology landscape, and business environment. Cyber risk teams must assess the effectiveness of implemented controls, adjust mitigation strategies as needed, and consider conducting periodic comprehensive assessments to ensure ongoing risk management effectiveness.
Evidently, there are overlaps and similarities between cybersecurity and cyber risk management strategies, and the two complement each other:
- Both practices aim to protect enterprise assets—including systems, devices, networks, and data—from cyber threats.
- Both practices aim to improve threat awareness as they require a thorough understanding of the evolving risk landscape and the threats facing the organization.
- Both practices aim to minimize not just the likelihood of threats and risks, but also their impact on the organization.
For all the similarities, there are significant differences between the two. They vary in their focus, strategic approach, and scope, as listed below:
Point of Difference | Cybersecurity | Cyber Risk Management |
---|---|---|
Scope and Focus | Primarily focuses on protecting computer systems, networks, and data from unauthorized access, attacks, and damage. It involves implementing preventive measures, such as firewalls, encryption, access controls, and security patches, to safeguard against potential threats. | The focus is broader and involves the identification, assessment, and prioritization of potential risks and vulnerabilities in an organization's digital infrastructure. It encompasses not only technical aspects but also the business impact and financial consequences of cyber threats. It aims to manage risks proactively, considering a range of factors such as threat likelihood, potential impact, and risk tolerance. |
Objectives | To establish a secure environment, protect sensitive data, maintain confidentiality, integrity, and availability of information, and prevent unauthorized access and malicious activities. | To identify, assess, and mitigate potential risks to the organization's information assets. It involves understanding the likelihood and potential impact of various cyber risks and implementing strategies to minimize or transfer those risks. |
Approach | Focuses on implementing security measures, policies, and technologies to prevent and detect security breaches. It involves deploying firewalls, antivirus software, intrusion detection systems, and other security controls to protect against known threats and vulnerabilities. | Takes a holistic approach that goes beyond technical controls. It involves risk assessment, risk analysis, risk treatment, and risk monitoring. This includes identifying and prioritizing risks, implementing risk mitigation strategies, developing incident response plans, and regularly monitoring and updating risk management practices. |
Perspective | Typically takes a narrow view from a technical standpoint, emphasizing the protection of systems and networks. It focuses on defending against specific threats and vulnerabilities using technical controls and measures. | Takes a broader organizational perspective. It considers business objectives, regulatory compliance, legal implications, reputation management, and financial consequences. |
One can consider cyber risk management as the strategic foundation that assesses a wide variety of risks and identifies ways in which to mitigate each one, while cybersecurity is a tactical, hands-on approach to defending assets against whatever threatens them. Managing cyber risk requires a deep understanding of the potential consequences of a cyber incident and effective implementation of risk mitigation strategies to minimize the impact on an organization's objectives and stakeholders.
Cybersecurity and cyber risk management align in their objective of safeguarding organizations against cyber threats, yet they adopt distinct perspectives and methodologies. The practices complement each other and have equally important roles in ensuring comprehensive protection and effective risk mitigation. By integrating both disciplines into their overall cybersecurity and risk management strategies, organizations can build a robust and proactive defense posture against a continuously evolving risk landscape.
MetricStream’s IT and cyber governance, risk, and compliance solution, CyberGRC, empowers organizations to connect all types of cyber risk data from across the enterprise and leverage actionable business intelligence to make data-driven decisions to build cyber resilience. With CyberGRC, your organization can:
Want to learn more about how CyberGRC can help your organization build an effective and resilient cyber risk management program? Request a demo now.
Check out our latest eBooks on cyber risk:
Cyber Risk Management for Energy Companies
7 Top Cyber Risk Strategies for Banking and Financial Services
5 Connections Every Cyber Risk Leader Must Make for Driving Cyber Resilience
The NIS2 Directive, effective as of October 17, 2024, marks a significant milestone in the European Union's efforts to bolster cybersecurity. This directive is a crucial update from its predecessor, the NIS Directive (2016), expanding requirements and strengthening cybersecurity obligations for critical sectors across the European Union (EU).
The new directive has expanded scope, new risk management and incident reporting requirements, and stricter financial penalties. We answer some of the top FAQs on NIS2 to guide your organization through compliance.
The NIS2 Directive is the EU's enhanced regulatory framework for the cybersecurity of network and information systems, setting a high common level of security to protect essential and important entities in sectors like energy, healthcare, digital infrastructure, and finance. These organizations are now required to implement stronger security measures to ensure resilience against cyber threats.
NIS2 expands both the scope and depth of regulatory requirements. Key changes include:
NIS2 targets medium and large organizations, especially those involved in critical national infrastructure, with some exemptions. It applies to organizations with a minimum of 250 employees and €50 million in annual turnover for essential services, or at least 50 employees and €10 million in turnover for important services. Member states have the discretion to make exceptions for high-risk entities that fall outside of these parameters.
NIS2 regulations cover not only essential and important services but also extend to their entire supply chain. This means that subcontractors and suppliers, regardless of location, must meet the same security standards as required by NIS2.
The NIS2 Directive mandates:
Under the new directive, essential and important entities must notify any incident with significant impact without undue delay.
To streamline this process, the Directive encourages Member States to:
Yes, NIS2 also applies to non-EU companies that provide essential services within the EU. Sectors like healthcare, digital infrastructure, and transportation are particularly impacted, even if services originate outside the EU.
Member states oversee enforcement by designating authorities to monitor compliance, enforce penalties, and ensure that all organizations within their jurisdiction align with NIS2 standards. Additionally, national governments guide organizations in adhering to the directive’s rules.
Yes. NIS2 was formally adopted in 2022, and EU member states were required to transpose the directive into national law by 17 October 2024.
To meet NIS2 mandates, organizations must strengthen cyber resilience by focusing on proactive risk management and robust incident response. Start your NIS2 compliance journey by:
MetricStream’s CyberGRC platform simplifies NIS2 compliance with built-in frameworks, automated incident reporting, vendor risk management, and robust continuity planning tools. With MetricStream, organizations can efficiently manage cyber risks, streamline compliance processes, and respond swiftly to incidents, aligning seamlessly with NIS2 requirements.
The NIS2 Directive signals a new era of cybersecurity compliance. As the directive takes hold, staying informed and proactive is essential. For more detailed guidance on the next steps and how to ensure compliance, download our comprehensive eBook today.
Request a personalized demo today.
As we mark October as Cybersecurity Awareness Month, this year's theme, Secure Our World, highlights the growing importance of robust cyber risk management practices and an increased focus on cyber resilience as threats evolve. For CISOs (Chief Information Security Officers) and CSOs (Chief Security Officers), staying informed about the latest cyber risk management strategies and cyber regulatory updates is essential to building and maintaining robust cyber risk frameworks.
To help you strengthen your cyber resilience, we’ve compiled a list of 5 MetricStream must-reads that offer valuable insights into the evolving landscape of cyber risk management, governance, and compliance. These resources will equip you with the knowledge to better safeguard your organization in today's complex digital environment.
The role of CISOs is transforming. They no longer serve solely as enforcers of cybersecurity rules but now take on a strategic role, integrating cybersecurity with broader business goals. This eBook dives into the expanding responsibilities of modern CISOs and outlines the critical connections they must build to drive resilience.
Key insights include:
This guide is invaluable for CISOs looking to adopt a more integrated, business-aligned approach to cyber resilience.
As organizations aim to consolidate their IT governance, risk, and compliance (IT GRC) programs, this white paper provides a deep dive into how an integrated approach can optimize risk-based decision-making. It outlines the critical components of a successful IT GRC strategy and provides practical insights for building a robust cyber risk management framework.
Highlights include:
For those looking to advance their IT and cyber risk management programs, this is a must-read.
With the EU’s Digital Operational Resilience Act (DORA) deadline fast approaching, financial institutions must prepare for this significant regulatory change. DORA aims to enhance digital resilience and tighten regulations around Information and Communications Technology (ICT). This eBook helps security and compliance professionals understand DORA's core requirements, its impact on cyber risk strategies, and how to align IT systems with new regulations.
Key takeaways:
This resource is perfect for CISOs in the financial sector who need to fortify their ICT frameworks against operational disruptions.
A well-rounded Cyber GRC strategy requires more than just technology—it demands organizational maturity. This eBook explores how businesses can assess their current Cyber GRC posture and outlines a structured approach to advancing their GRC maturity levels. It offers a holistic view of the journey toward integrated cyber risk management.
Key topics covered:
This resource is designed for organizations at any stage of their Cyber GRC journey, helping them elevate their cyber governance and risk strategies.
With the increasing complexity of cyber regulations, staying compliant has become one of the biggest challenges for CISOs. This eBook provides practical best practices for navigating today’s fast-evolving regulatory environment, from recent SEC cybersecurity rules to EU DORA.
What you’ll learn:
For any CISO tasked with maintaining compliance in the face of evolving regulations, this eBook is a critical resource.
MetricStream’s CyberGRC, built as an interconnected, intuitive, and intelligent GRC product set, empowers CISOs to connect cyber risk data from across the enterprise, including third- and fourth-party vendors, and then use the resulting actionable business intelligence to make data-driven decisions that build cyber resilience.
With MetricStream CyberGRC, you can:
Need more reading material? Download the complete overview of what CyberGRC can do for you: https://info.metricstream.com/cyber-grc-product-overview.html
Or let us show you the capabilities in action! Request a personalized demo now.
Every year since 2004, October has been recognized globally as Cybersecurity Awareness Month, a dedicated month for the public and private sectors to work together to raise awareness of the importance of cybersecurity. This year’s theme, set by the Cybersecurity and Infrastructure Security Agency (CISA), is Secure Our World, which recognizes the urgent need to build cyber resilience in the increasingly interconnected risk landscape that enterprises operate in today. Whether it is keeping IT vendor risk in check with intelligent issue management or proactively improving cloud security with continuous control monitoring, enterprises need connected risk management strategies to become more resilient.
The cyber risk landscape shows no sign of de-escalating, and cyber risk management is growing correspondingly complex and challenging. On average, the world faces around 2,200 cyberattacks a day, or one every 39 seconds. The average cost of a data breach is USD 4.5 million. 44 percent of businesses have suffered a third-party data breach in the last year, and 82 percent of data breaches involved data stored in the cloud.
We explore some of the biggest cyber risks facing organizations in 2024 and how these trends will shape cyber resilience strategies in the year to come.
A large number of data breaches over the last couple of years were caused by vulnerabilities in organizations’ third-party vendor ecosystems. For example, earlier this year American Express warned cardholders about a cyber-attack on one of its merchant processors that may have compromised their data, and more than 28,000 customers were affected by a data breach at Fidelity Investments resulting from a cyber-attack on its service provider Infosys McCamish Systems. In an increasingly interconnected world, third-party vulnerabilities are a serious challenge: a breach anywhere in the ecosystem can expose vast volumes of sensitive data from across organizations, and even with due diligence and contractually mandated obligations it is difficult to prevent third-party breaches completely.
Organizations today operate within a highly complex risk landscape and must address newer risks such as third-party and interconnected-system risks. Older cyber risk management approaches are no longer effective, and strategies are changing rapidly to keep pace. Here are some of the trends shaping cyber risk management in 2024:
The Changing Role of the CISO
In the past, cyber risk was considered a purely technological issue. Today, organizations understand that cyber risk is inextricably linked with business and operational risk, given the escalating cost of data breaches and their impact on reputation. Cyber risk is now a CXO concern and a top priority for board discussions. This shift has changed the role of the CISO: it is no longer purely operational or technical but now includes business risk management. The CISO, who now has a seat in the boardroom, is expected to align cybersecurity strategy with business goals and to integrate cyber risk management and security practices across the entire enterprise as well as its external third-party ecosystem.
CISOs are approaching cyber risk management the same way as financial risk management, with quarterly engagements with CXOs including the CFO and CEO. This reflects the increasing relevance of cybersecurity to controlling operational costs and aligning security initiatives with sales, marketing, and overall profit protection, and it helps integrate cybersecurity efforts with broader business objectives and strategies.
AI: Risk, Reward, and Governance
Artificial Intelligence (AI) is changing the way cybersecurity strategies are crafted and implemented. On the one hand, AI poses a significant risk: bad actors have equal access to the technology and can use it to mount highly sophisticated attacks. The fact that AI models consume vast volumes of data compounds the challenge, as a single breach can expose a vast volume and range of confidential information.
On the other hand, AI used correctly can greatly augment cybersecurity management. It can automate routine and manual tasks, help prioritize threats and vulnerabilities more accurately, and improve threat detection. In fact, 70 percent of organizations surveyed by the Ponemon Institute say AI is highly effective at detecting previously undetected threats. This frees cybersecurity teams to focus on higher-value projects that drive business outcomes.
53 percent of organizations are in the early stage of adopting AI within their cyber risk management and security strategies. As adoption increases, organizations must focus on training their teams to use the technology effectively and securely. Cross-functional governance teams can help drive the responsible and secure use of AI in cyber risk management.
Increasing Regulations – SEC Rules, DORA, EU AI Act
Regulators worldwide are trying to keep pace with the evolving cyber risk landscape by passing new laws and frameworks for improving cyber risk management and security. Data privacy and security are a key focus area, and most regulations aim to ensure comprehensive data protection strategies covering not only internal operations but also third-party interactions. Regulations such as the SEC’s cybersecurity rules for public companies and the Digital Operational Resilience Act (DORA) in Europe require organizations to report incidents and risks more transparently. This is forcing a shift from decentralized data security measures to a more structured framework, with some organizations even appointing Chief Privacy Officers to ensure compliance.
The emergence of AI and IoT has also significantly affected cyber risk management and data security, as these technologies handle vast volumes of potentially sensitive data. There are complex privacy and legal issues to address, which require close collaboration with legal teams to ensure third-party risks are managed effectively.
Focus on Resilience
Cyber attacks show no sign of slowing down, and cyber risk management strategies are expanding to incorporate resilience and recovery. This is especially significant in critical sectors like healthcare, where interconnected systems can suffer catastrophic disruption from breaches within the third-party ecosystem. No organization is immune, so the focus must be on continuous monitoring, proactive recovery planning, and operational resilience.
Third-party risks must be monitored, third parties’ preparedness and recovery plans for breaches must be evaluated, and basic cyber hygiene must be enforced. Resilience must be embedded into daily operations. Only then can critical functions recover quickly and return to business as usual after a disruption.
Consolidation of Resources
Redundant platforms and systems can hinder operational efficiency and organizations are now moving to consolidate resources to improve cyber risk management. For example, consolidating platforms for managed detection and response (MDR) services can provide a unified view of the environment and reduce the need for different teams to access different systems.
Organizations are also consolidating data for advanced analytics and AI. This reduces storage costs and eliminates unnecessary data retention, which in turn reduces the amount of sensitive data exposed in a breach. For example, a company may have stored volumes of visitor records containing sensitive data such as driver’s license details, which in the wrong hands can cause significant harm. If the company does not need this data for its own operations, it can delete it to free up storage, shrink its breach exposure, and make its data analytics processes more efficient.
The evolving role of the CISO also encompasses resource consolidation, as CISOs are responsible not just for cybersecurity but also for operational efficiency, which in turn is linked to business outcomes.
A rapidly evolving cyber risk landscape has driven changes in the way cyber risks are managed and security postures maintained. Emerging trends call for greater focus on resilience, third-party risk management, and linking business outcomes with cyber risk management and security. Organizations cannot ensure effective cyber risk management or cybersecurity without a robust technology platform that can automate key processes.
MetricStream’s CyberGRC, built as an interconnected, intuitive, and intelligent GRC product set, empowers enterprises to connect cyber risk data from across the enterprise, including third and fourth-party vendors, and then use the actionable business intelligence to make data-driven decisions to build cyber resilience.
With MetricStream CyberGRC, you can:
Request a demo now.
The role of the Chief Information Security Officer (CISO) is quickly becoming one of the fastest-evolving roles in the modern enterprise. Today’s CISOs and CSOs (Chief Security Officers) are responsible for formulating robust cybersecurity and critical cyber risk management strategies that are closely aligned with overall business objectives. Their responsibilities have extended beyond the technical realm and include a strategic presence at the C-level table. So, what is driving this change, and how can CISOs best prepare as they transition into their expanded role?
The role of the CISO is currently being influenced by various regulatory, technological, and market dynamics. Key factors driving this change include:
As CISOs and CSOs adapt to the changing landscape and embrace new responsibilities, they have now taken on several roles. The next-gen CISO of today wears many hats.
MetricStream’s CyberGRC, built as an interconnected, intuitive, and intelligent GRC product set, empowers CISOs to connect cyber risk data from across the enterprise, including third and fourth-party vendors, and then use the actionable business intelligence to make data-driven decisions to build cyber resilience.
With MetricStream CyberGRC, you can:
Being a CISO is hectic and stressful – but it’s also incredibly important, and I for one look forward to watching the continued evolution of the role, as CISOs grow to become more and more business as well as IT and security champions. Cyber is one of the biggest existential risks enterprises face today. The next-gen CISOs are here to lead us through – even as they dodge the many arrows. We’re rooting for you!
Want to learn more about how MetricStream CyberGRC can help build cyber resilience? Try our customized demo to see how our product works.
Cybersecurity threats are multi-faceted, often connected, and accelerating fast. Ransomware, nation-state attacks, employee errors, and third parties all pose risks for enterprises seeking to safeguard their organizations and customers from cyber attacks and the resulting consequences.
One particularly insidious threat is the supply chain attack. In today’s interconnected, digital world that favors diverse sourcing, supply chains are increasingly vulnerable to cyber breaches. Even a seemingly small entry point, say an outdated password on a legacy system, can open the door to massive havoc that can impact and even shut down an entire business.
A supply chain attack is an orchestrated strike by cybercriminals to find and take advantage of vulnerabilities in the connected network of suppliers, vendors, and contractors that support an organization’s operations – sometimes called the extended enterprise, or the 3rd/nth parties.
Bad actors use a “back door” approach, targeting these upstream suppliers or third parties in order to reach the ultimate target, which is usually larger, more desirable, and in theory harder to breach. Through the smaller or less protected supplier, attackers can deliver malware or other malicious code, such as viruses, ransomware, or programs designed to steal data or disable systems.
The SolarWinds attack, for example, was a devastating compromise of a software supplier: attackers tampered with the vendor’s product build, and the trojanized update reached numerous organizations, including government agencies. Another example is Log4Shell, a vulnerability in the widely used open-source Log4j logging library that exposed many organizations to potential attacks. There are countless other examples over the years, and attackers have only become smarter, especially as supplier networks have continued to multiply because of the many benefits they bring to an organization.
Vulnerability exploitation is on the rise, too: according to Verizon’s 2024 Data Breach Investigations Report, exploitation of vulnerabilities as an initial access vector was up 180% from 2022 to 2023. The same report shows that exploitation of web application vulnerabilities specifically represented roughly 20% of data breaches, with VPN vector exploitation expected to take up an increasing share by 2025.
A supply chain data breach has obvious immediate implications: compromised data, the potential need to shut down systems, the cost of remediation and recovery, and the likely decline of customer trust.
Longer-term implications include financial losses, reputational damage, regulatory penalties, and operational disruptions. In industries such as healthcare or critical infrastructure, where safety is paramount, the consequences can even become life-threatening.
Supply chain attacks also have a “ripple effect”: rarely is just one supplier impacted. Think of the 2023 chip shortage: while not the result of a data breach, it rippled through the supply chain and severely impacted Tesla that year.
To stay ahead of cyber attacks, including supply chain attacks, organizations must carefully manage their cyber and IT risk as part of coordinated risk strategy that includes:
Cyber risk management is essential because cyber threats are accelerating along with vulnerabilities, and organizations can’t afford to be complacent.
Consequences of lackadaisical risk management include immediate impacts of a breach – lost data, downtime, and costs of remediation – as well as longer-term consequences.
Brand reputation and competitiveness are at stake, as are relationships with other suppliers. Regulatory repercussions are real, especially with the advent of resilience legislation like the EU’s Digital Operational Resilience Act (DORA) and the SEC’s cybersecurity rules, both of which carry stringent consequences for failing to manage and report cyber attacks.
Finally, risk leaders can even be held personally accountable for the consequences of attacks. CISOs are the most obvious candidate, but Chief Compliance Officers also may be liable. And even non C-level leaders may not be exempt.
With interconnected risks growing fast and technologies like AI making bad actors even more capable, the stakes in cyber risk have never been higher. Proactive, collaborative cyber risk management cannot completely prevent cyber and supply chain attacks, but it can give organizations the agility and resilience to lessen their impact and rebound with confidence.
This blog was initially featured as an article on ET CISO. Read the original version here.
Find out more about MetricStream CyberGRC. Request a personalized demo now.
Healthcare is one of the most strictly regulated sectors in the world. This is understandable and necessary, considering that the sector deals with matters as crucial and sensitive as health and life itself. As a result, the sector has seen increasing regulatory complexity, with different regulatory bodies focusing on different aspects of the industry. The healthcare business is also rapidly evolving and expanding, with many providers offering ancillary services such as health insurance and insurtech, which exposes the sector to new and emerging risks. Healthcare providers also work with third parties who handle sensitive patient information, making it vital to manage third-party risk effectively. As regulatory complexity increases amid a fraught risk landscape, ensuring compliance can be challenging.
In April 2024, records of 13.4 million patients were left exposed thanks to nine incidents of unauthorized access or disclosure of protected health information. 44 hacking incidents in the same month affected 1,919,637 records. The consequences of such breaches through penalties and impact on reputation and image are significant. This blog explores the top five risk and compliance challenges for the healthcare sector and how to address them.
Healthcare Compliance Issues refer to instances where healthcare organizations fail to adhere to relevant laws, regulations, and industry standards. Non-compliance can lead to severe consequences, including fines, penalties, legal actions, and reputational damage.
The healthcare sector is governed by regulations and frameworks such as Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act that complements HIPAA by increasing the penalties for data breaches, the 21st Century Cures Act, General Data Protection Regulation (GDPR), PCI DSS, California Consumer Privacy Act (CCPA), Health Information Trust Alliance Common Security Framework (HITRUST CSF), Information Blocking Rule (2021) and Interoperability and Patient Access Final Rule (2021). Most of these focus on patient data privacy, data security, access to information, and cyber security.
Each of these is constantly being updated to keep pace with a rapidly changing risk landscape. For example, this year HIPAA saw significant updates to its patient privacy provisions and stricter cybersecurity requirements: it gives patients greater control over their data and mandates risk assessments, incident response plans, data encryption, and updated breach notification procedures. Keeping pace with these updates, assessing their impact on various processes and functions, and adapting internal controls and policies is a significant challenge.
Furthermore, there are federal, state, and local regulations and rules that apply to healthcare providers. Each state has specific reporting requirements regarding public health emergencies, infectious disease outbreaks, and specifying how long medical records can be retained. Some states may even have their own laws regarding patient data. For example, California has laws pertaining to data breach notifications that have to be complied with in addition to HIPAA. Healthcare providers must report relevant situations to their state or local agencies in the prescribed format in addition to complying with federal regulations.
Additionally, healthcare providers must be accredited by industry organizations such as The Joint Commission (TJC) that evaluates organizations on parameters such as patient care safety and healthcare management, Accreditation Association for Ambulatory Health Care (AAAHC), and Urgent Care Association (UCA). This shows that the provider meets quality and safety benchmarks set by the governing bodies. Meeting accreditation requirements, and complying with standards set by each of these bodies is a complex and challenging task.
Healthcare providers have to manage risks unique to the sector efficiently and in compliance with the relevant regulations. In addition to compliance risks, they must be prepared to deal with risks to patient care and safety, as any lapse can have severe legal and financial impacts in addition to damaging reputation and trust. They must be cognizant of risks pertaining to medical instruments and devices, such as malfunctions that affect patient care. There are also risks pertaining to insurance claims, fraud, phantom billing, and upcoding. They have to conduct risk assessments periodically to identify and mitigate potential compliance issues and threats, and they must have comprehensive incident management processes in place to report and respond to crises quickly and effectively. Risks spanning business operations, third parties, cybersecurity, ESG, and health hazards must be managed effectively, along with appropriate business continuity plans. The healthcare industry must move from check-the-box compliance to proactive risk management to thrive in this complex risk landscape.
Patient healthcare data and records are sensitive and subject to strict security, privacy, and protection laws. Healthcare providers have to ensure that their technology systems meet HIPAA standards, which may prove to be a daunting exercise, particularly for smaller organizations.
Regulations like the 21st Century Cures Act emphasize the need for seamless and secure data sharing. And so, organizations must ensure their electronic health record systems are updated, secured, compliant with regulatory standards, and capable of securely executing data exchanges. It is equally important to ensure that different healthcare systems are interoperable while maintaining data security and privacy. Organizations must also ensure that their technology systems are updated and compliant with the latest security and regulatory standards to protect patient information and ensure foolproof compliance.
Adding to the challenge, the threat landscape is continually evolving, with bad actors increasingly leveraging advanced technology to launch sophisticated attacks. Protecting healthcare data under these conditions can be a Herculean task. In February 2024 alone there were 24 data breaches, the biggest of which, at Medical Management Resource Group, compromised 2.35 million records. Hacking and ransomware continue to plague the sector: only four of February’s breaches affecting 10,000 or more records were not hacking incidents. Encryption is important for protecting healthcare records, but ensuring it both in transit and at rest to prevent unauthorized access is a challenge, and encryption at rest does not protect data that an attacker reads through a compromised application or user account that is authorized to decrypt it.
The rapid evolution of Artificial Intelligence technologies has the potential to transform healthcare. From early detection, faster diagnoses, and better treatment to improved monitoring, decision-making, research, and training, AI is already being leveraged to drive better healthcare outcomes. But, AI comes with a significant risk of data breaches. AI platforms process huge volumes of sensitive data and any vulnerabilities can be exploited by bad actors. Healthcare providers leveraging AI must be cognizant of the security risks associated with it and implement stringent data protection strategies.
Healthcare organizations rely on numerous external vendors, from cloud service providers to billing companies, medical device manufacturers and suppliers, and more. Many of these have access to sensitive healthcare data and are subject to HIPAA’s standards, and they are also an attack surface that hackers target. Additionally, healthcare providers must monitor third parties for operational and ethical risks such as unavailability of or disruption to medical services, money laundering (AML), bribery, and other malpractice. Third-party organizations are also subject to data protection and privacy regulations such as GDPR and PCI DSS. Healthcare providers must monitor their partners’ compliance with all relevant regulations, as well as their overall risk management and mitigation strategies.
Managing third-party risk must be a crucial part of a healthcare organization’s risk management strategy. Organizations must conduct regular due diligence with vendor risk assessments and security assessments. Compliance with all relevant regulations and standards, and risk evaluation, must be contractual obligations for all third-party vendors working with healthcare organizations. In fact, the HITECH Act extends HIPAA’s requirements to vendors and includes penalties for vendors that fail to comply. Healthcare organizations must regularly monitor their partners and conduct comprehensive, periodic audits to ensure ongoing compliance. Establishing business associate agreements (BAAs) with vendors, which HIPAA requires for any vendor that handles protected health information, helps enforce compliance with a wide range of regulations, but managing third-party risk adds to the significant compliance challenges healthcare organizations face.
Healthcare providers are operating within a regulatory landscape that is continuously evolving and they must ensure error-free compliance. They have to monitor the regulatory landscape on an ongoing basis to keep pace with emerging regulations and have the capability to adapt and map new regulations and updates to existing practices and controls. Continuous and automated monitoring of risks and controls is crucial for enabling real-time risk assessments, quick decision making, and faster, more effective mitigation efforts. They must have rationalized internal controls to mitigate risks and ensure compliance. They must have automated processes to onboard new third parties and carry out due diligence to ensure there are no gaps in compliance. They must also conduct regular digitized audits and continuous monitoring of compliance processes to ensure there are no gaps. Maintaining compliance reports, logs of security events and communicating with regulatory authorities is another key task for organizations.
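As an added illustration of what “continuous and automated monitoring of risks and controls” looks like mechanically, the following Python script is example code written for this page; it is not MetricStream’s product code or any healthcare organization’s code. It evaluates an asset inventory against a small set of technical controls (SSO plus MFA, encryption at rest and a minimum TLS version, no open critical vulnerabilities) and against an annual assessment cadence, and anything that fails becomes a finding that can be routed into issue management. The inventory rows, field names, control identifiers and dates are constructed for the example; in practice the rows would be pulled from the CMDB, application inventory and vulnerability scanner over their APIs.

```python
"""Continuous control monitoring over an asset inventory (illustrative example)."""
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory. Field names are hypothetical; real rows would be
# ingested from source systems (CMDB, application inventory, vulnerability scanner).
ASSETS = [
    {"id": "app-ehr", "in_scope": True, "sso": True, "mfa": True,
     "encrypted_at_rest": True, "tls_min": "1.2",
     "last_assessment": "2024-03-01", "critical_vulns": 0},
    {"id": "app-billing", "in_scope": True, "sso": True, "mfa": False,
     "encrypted_at_rest": True, "tls_min": "1.0",
     "last_assessment": "2023-02-15", "critical_vulns": 2},
    {"id": "app-intranet", "in_scope": False, "sso": False, "mfa": False,
     "encrypted_at_rest": False, "tls_min": "1.2",
     "last_assessment": None, "critical_vulns": 0},
]


@dataclass(frozen=True)
class Finding:
    asset_id: str
    control: str   # hypothetical control identifier
    detail: str


# Each control check returns None when the control holds, or a short reason when it fails.
def check_mfa(a):
    if a["sso"] and a["mfa"]:
        return None
    return "SSO and MFA both required for in-scope applications"


def check_encryption(a):
    problems = []
    if not a["encrypted_at_rest"]:
        problems.append("no encryption at rest")
    if a["tls_min"] not in ("1.2", "1.3"):
        problems.append(f"minimum TLS {a['tls_min']} below 1.2")
    return "; ".join(problems) or None


def check_vulns(a):
    n = a["critical_vulns"]
    return f"{n} open critical vulnerabilities" if n else None


def check_assessment_age(a, today, max_age_days=365):
    """Annual cadence: fail if the last assessment is older than max_age_days or missing."""
    last = a["last_assessment"]
    if last is None:
        return "never assessed"
    age = (today - date.fromisoformat(last)).days
    return f"last assessment {age} days ago" if age > max_age_days else None


CONTROLS = [
    ("AC-MFA", check_mfa),
    ("SC-ENC", check_encryption),
    ("RA-VULN", check_vulns),
]


def evaluate(assets, today, max_age_days=365):
    """Run every control against every in-scope asset; return the failures as findings."""
    findings = []
    for a in assets:
        if not a["in_scope"]:
            continue  # out-of-scope assets are inventoried but not assessed
        for name, fn in CONTROLS:
            detail = fn(a)
            if detail:
                findings.append(Finding(a["id"], name, detail))
        detail = check_assessment_age(a, today, max_age_days)
        if detail:
            findings.append(Finding(a["id"], "RA-ASSESS", detail))
    return findings


def assessments_due(assets, today, max_age_days=365):
    """In-scope assets whose periodic assessment should be scheduled now."""
    return [a["id"] for a in assets
            if a["in_scope"] and check_assessment_age(a, today, max_age_days)]


def run_report(today_iso):
    """Convenience entry point: evaluate the sample inventory as of an ISO date."""
    today = date.fromisoformat(today_iso)
    return evaluate(ASSETS, today), assessments_due(ASSETS, today)


if __name__ == "__main__":
    findings, due = run_report("2024-10-01")
    for f in findings:
        print(f"{f.asset_id:12} {f.control:10} {f.detail}")
    print("assessments due:", due)
```

Run it as a script to print the findings, or schedule it and diff successive runs: a finding that appears between two runs is a control that has drifted, and the assessments_due list is the input to the assessment scheduler rather than something a line-of-business owner has to remember.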
MetricStream’s Healthcare solution is purpose-built to help organizations in this highly regulated industry adopt and implement a streamlined, automated, and integrated approach to GRC. Healthcare providers can leverage advanced capabilities for managing regulatory compliance, enterprise risks, including cyber and third-party risk, and internal audit, to improve their overall risk and compliance posture and drive better-informed decision-making.
With MetricStream, your organization can effectively:
Interested to find out more? Request a demo now.
At the 2023 GRC Summit, MetricStream’s annual flagship event, Jonathan Ruf, First Vice President - Head of Cyber and Information Risk, Apple Bank, discussed how the organization leveled up its cyber risk management program with MetricStream. Apple Bank is the largest state-chartered savings bank in New York.
Here are the key takeaways from Jonathan’s session at the summit.
Jonathan: We started the Journey with MetricStream about four years ago, and the use case was more so around the operational risk. It wasn't necessarily a decision that we were going to use it in cyber and information security. But we realized that there were a lot of synergies, so we took this on.
So, at the beginning, we relied on a GRC process. But what does that really mean if you don't have a framework or a tool? Great value was given, but we needed something to scale, and early on, the selection was made that MetricStream was going to be the tool for Apple Bank. It fit our needs, and it had a roadmap that definitely appealed to us.
Jonathan: As we began this journey, my cyber and information risk management team found a lot of opportunities for improvement.
What did we have? Manual processes, spreadsheets all over the place, disparate data sources. There was no central inventory of applications, or even a well-populated CMDB. It was very difficult to understand what was available and what was being done ad hoc.
We had control validations. For each of the risk assessments, the controls needed to be validated, and they were stored in file shares -- again, decentralized.
Issues and exceptions were PDF documents. You can't report on them.
And the assessments. If you aren't centrally managing your assessments, then how are you reporting them? At the end of the day, it’s about reporting, it’s about system integration, and it's about moving to the next level to reduce the manual efforts and to increase the automation of your security monitoring tools for the organization.
Jonathan: We standardized and automated the process for initiating the risk assessment of application services and infrastructure services.
Let’s look at the risk assessment lifecycle. We're also going to see in this lifecycle how we have integrated systems through APIs.
A GRC isn't an inventory. It's not where you should be holding your assets or your infrastructure components, it's not a CMDB, it's none of those things. You need a source of truth for everything. So, your vendors, your applications, your CMDB, those are in-source systems. But we want to ingest this information. Ingesting this information is difficult because it was manual, and manual processes are prone to errors. But now, we have the ability to pull directly from our inventory sources and schedule assessments.
Considering we're a bank, we are highly regulated. We're also a New York State bank, so we're even more scrutinized by DFS. We have the GLBA and we have DFS risk assessments that need to be done on in-scope applications on an annual basis. But this information is stored in our application inventory, not in our GRC. So, what we need to do is we need a push-pull mechanism so we can schedule those assessments based on the date the last assessment was completed, and it will automatically send out those notifications -- never touching the integrity of the source system data within a GRC.
So, why are we not using this information to validate these controls? We have it. Let's use it. I had just one source here, which was Qualys. So, I could say, okay, an infrastructure comes in and it could scan it for vulnerabilities. That's pretty simple.
But we also want to look at -- Is it integrated with SSO? Does it have MFA? Is data encrypted? Is the database connection pool secure? We can bring all of this information in through our APIs, and this is all living in MetricStream. So, we got our source systems and we got our security monitoring tools feeding assessment. It's reducing the burden on the lines of business and providing a more accurate and realistic depiction of risk to the organization.
We just finished with a wonderful, smooth upgrade from Arno to Danube. Now, in every release moving forward, we'll have a low-code/no-code API framework. That's a game changer because if you don't put that in place, creating one-off integrations is going to be a nightmare. Now, you have a low-code/no-code methodology to integrate these systems.
Jonathan: We have made such tremendous progress in our cyber risk management portfolio. It just really is truly inspirational and light years from where we first started.
The MetricStream solution currently supports 500+ employees. This extends all the way to our 86 branches and to our multiple headquarters. It provides us with qualitative and quantitative cyber risk information. This is stuff that we can really use, and that drives decisions because ultimately, at the end of the day, we want to provide enriched information to our C-level and our board.
Business Value and Realized Benefits
You can watch the complete session here: