WannaCry and Petya attacks: businesses must plug the cyber governance gap

Organisations require a greater focus on cyber risk governance if they are to tackle the growing threat of cyber attacks, according to FERMA, the Federation of European Risk Management Associations. In a joint report with the European Confederation of Institutes of Internal Auditing (ECIIA), the groups have called on businesses to create enterprise-wide cyber risk governance groups, chaired by the risk manager.

The recent WannaCry and Petya ransomware attacks are further evidence that cyber risk is an enterprise-wide threat, affecting strategic issues including valuation, reputation and trust, according to FERMA president Jo Willaert. "The management of cyber risk has, therefore, become a corporate issue that should be reflected in the governance of the company," he explained.

The new report echoes Airmic's own call for risk managers to play a leading role in the battle against cyber risk. In a report published in June, the association said that implementation of cyber risk management is often patchy and lacks an enterprise-wide approach, and called on business leaders to view cyber risk as a strategic issue.

Airmic has been closely involved in the joint project with FERMA and ECIIA, with its deputy CEO and technical director Julia Graham moderating a presentation of the report at the European Parliament. Ms Graham said that business leaders must recognise that cyber risk is not just an information or technology risk, but rather it requires a top-down, enterprise-wide view of risk. 

She added that with boards facing ever-increasing demands on their time, creating an efficient governance structure has become more important. "It has become vital to have a team with a relevant band-width of expertise to exercise focussed oversight and provide comfort to the board. This can only be achieved within a strong governance framework, and through a highly coordinated approach across all departments of an organisation."

Ms Graham added that this is not about creating a new bureaucracy, but about defining the elements of an efficient cyber risk governance across functions. "By leveraging existing functions and relationships, a cyber risk governance model avoids risk management in silos and make an organisation more agile. The risk manager is well positioned to bring their knowledge and skills to the governance process," she said.

The cyber governance framework as presented by FERMA and ECIIA, is based on the three lines of defense model - see diagram below - and is composed of all key functions involved in digital risk, notably IT, human resources, communications, finance, legal, the data protection officer (DPO) and chief information security officer (CISO). Internal audit should, it says, provide the necessary assurance to the board that the cyber risk controls are operating effectively.

Cyber governance framework - click to enlarge

Mr Willaert added: "Our cyber risk governance model is an innovative way for organisations to approach cyber security. It will allow the board of directors to demonstrate that cyber risks are managed on a rational and documented analysis of the risks across the organisation."

FERMA president Jo Willaert

The full report "At the Junction of Corporate Governance & Cybersecurity" is available for download on the FERMA website here.

Airmic's guide Cyber risk - Understanding your risk and purchasing insurance, can be downloaded on the Airmic website.