“Risk managers and internal auditors play an important role of coordination and cooperation to build an effective and resilient cyber security system within an organisation,” ECIIA President Henrik Stein says. “We hope to convince organisations and regulators about the importance of a strong governance model to mitigate cyber risks.”
The guidance outlines a comprehensive risk management approach to cybersecurity, a cyber awareness programme covering everyone in the organisation from top to bottom and, most importantly, the interactions between the three lines of defence that support communication with the board, which is ultimately responsible for oversight of the cyber governance framework.
A major conference on emerging cyber issues held under the Slovak Presidency of the Council of the European Union has highlighted the need for businesses to work harder in areas such as cyber security, cyber research and development, crime, defence and diplomacy.
Over 180 delegates attended the gathering in Brussels in December to discuss a range of issues that need urgent attention. Those included how the Network and Information Security Directive (NIS) and the EU’s €1.8bn public-private partnership will help in the fight against cybercrime.
“This is an important initiative in an area of rapid change,” ECIIA President Henrik Stein says. “Internal auditors will need to pay close attention to the outcome of such discussions if they are to continue to provide sound assurance over their organisations’ cyber responsibilities.”
Meanwhile, ECIIA and the Federation of European Risk Management Associations (FERMA) have already launched a joint initiative aimed at helping organisations strengthen their cyber defences. Its key objective is to help businesses define the best governance model when managing cyber risk.
Europe’s current legislation on cybersecurity does not include robust corporate governance processes to help businesses manage cyber risks across their operations, ECIIA says.
In its response to the European Commission’s (EC) recent consultation exercise, ECIIA calls on the Commission to develop legislation and guidance frameworks that promote integrated, cross-departmental approaches to managing cyber risk. It says a wide range of partners within organisations need to co-ordinate their efforts in this area, including the compliance, finance, human resources, internal audit, IT and legal functions.
“There is a real gap in this area that needs to be plugged,” Henrik Stein, ECIIA President, says. “Without joined-up thinking and action on cyber security, businesses are at greater risk than they should be.”
He says that senior management should track and report on the business impact of cyber threats and all risk management activity. “For its part, internal audit evaluates the effectiveness of cyber threat risk management and reports to the audit committee and board on these issues,” he adds.
ECIIA recognises that organisations that operate in multiple jurisdictions face additional problems because reporting requirements remain unharmonised. It says there is a case for developing global best practice and standards to help corporations monitor their global reporting on cyber security and risk effectively.
The ECIIA’s response also comments on the most pressing current cybersecurity risks and on those it believes will become more prominent over the coming five years.