
January 10, 2022

Estimated reading time: 3 minutes

The board should take cybersecurity seriously: 3 points from our webcast

With cyber threats on the rise, it’s never been more challenging for multi-national banks to manage cyber-risk.

The regulatory landscape is in constant flux. This can make it a continual challenge for time-poor compliance officers in multi-jurisdictional financial institutions to stay on top of the latest trends: from recent enforcements to new legislation.

Yet gaps in their knowledge could have serious repercussions. That’s where our series of bite-sized 10-minute webcasts comes in. Each time we’ll be discussing the most important breaking news for compliance professionals, with experts from CUBE and the wider industry.

Our latest RegTech in 10… webcast featured some fascinating insights from Alexander Duisberg, Partner at international law firm Bird & Bird, and CUBE’s own EMEA Business Manager, David Noble.

Managing change better

This edition focused on the highly topical area of managing regulatory change for cybersecurity. With threats on the rise and an ever-growing patchwork of legislative requirements to manage, it’s never been more challenging for multi-national firms to manage cyber-related risk. In fact, the average cost of cybercrime for financial institutions has jumped by $1.4 million over the past year to reach $13m, according to an Accenture report from earlier this year.

The GDPR has been the focus of attention for so long that it’s easy to forget there are plenty of other regulations that firms need to stay on top of. As we discussed in the webcast, a proposed law in Germany, in particular, could add extra complexity if it is approved later this year.

Here are the top three takeaways from the discussion:

  1. It’s time for boards to step up
     The time when cybersecurity issues could be delegated to the CISO is long gone, according to Duisberg. In some countries, like Germany, board members can be held personally liable for serious security breaches. But more broadly, any major incident can have a huge impact on corporate reputation, which makes cyber very much a board-level issue today, he said. The advent of huge fines for serious infractions of the GDPR and NIS Directive only serves to reinforce the fact that senior leaders should assume a high degree of responsibility when it comes to mitigating cyber risk.
  2. Germany offers a snapshot into the future
     The forthcoming IT Security Act (IT-Sicherheitsgesetz) promises a major revision to Germany’s cybersecurity laws, mandating new best practice requirements on IT providers in any layer of the critical infrastructure supply chain, plus organizations of “public interest” like media firms. Although Duisberg was at pains to point out that the law has yet to be approved, he claimed the GDPR-like fines proposed as part of the legislation mark a major step change in national cyber laws. Although the IT Security Act may cost firms in the short term, anything that tries to improve baseline security standards should be welcomed as a sign of a maturing industry, he said.
  3. Regulatory change management needs to be automated
     We’re rapidly approaching the third decade of the 21st century but many compliance programs are still stuck in the past, according to CUBE’s David Noble. He argued that tracking and understanding the impact of regulatory changes is still too ad hoc and inefficient – often managed in spreadsheets and email. This makes it difficult to map the relationship between external regulations and internal policies and controls.

Any regulatory content needs to be well categorized, understood at a granular level and properly attributed to specific areas of the business. But this is hard with ad hoc approaches. The good news is that much of the work leading up to an impact assessment can be automated by compliance teams, freeing up valuable resources to focus on higher value tasks, he argued.
