Chapter 2. The Cyber Risk Management Program

In the last chapter, we discussed many of the factors—social, political, economic, and especially technological—that are driving constant and accelerating change in the risk environment. In this chapter, we’re going to describe in detail the cyber risk management program (CRMP). A formal approach, represented by a clearly defined and established program, is the only way enterprises can hope to address the speed and criticality of the risks they face, and do it with the consistent and trusted outputs they need.

Regulatory bodies worldwide are making it increasingly clear that they will no longer accept a lax or nonexistent cyber risk management program.

The SEC Speaks—and the World Listens

One regulatory announcement in particular sent shock waves through the business world on July 26, 2023: the Securities and Exchange Commission (SEC) introduced a new set of rules concerning disclosures related to reporting major cyber incidents, cybersecurity risk management, strategy, and governance. The new rules, which are designed to standardize and improve companies’ disclosure practices, apply to all public companies operating in the US, and to many smaller and foreign companies. The SEC is highly influential in the development and adoption of regulatory standards worldwide, because regulators in other countries and jurisdictions often follow its lead, meaning enterprise risk stakeholders everywhere should be aware of its new rules and their ...
