Cyber security risk continues to intensify. The acceleration of AI, the increasing sophistication of hacking and ransomware attacks, the wars in Ukraine and the Middle East, and ill-defined lines of responsibility – among users, companies, vendors, and government agencies – have elevated cyber security risk and its place on board and committee agendas.
The growing sophistication of the cyber threat points to the continued cyber security challenge – and the need for management teams and boards to continue to focus on resilience. Breaches and cyber incidents are going to happen, and organizations must be prepared to respond appropriately when they do. In other words, it’s not a matter of if, but when.
Regulators and investors are demanding transparency into how companies are assessing and managing cyber risk and building and maintaining resilience. For example, the Digital Operational Resilience Act (DORA) and NIS2[i] require in-scope companies to disclose material “cyber security incidents”.
While data governance overlaps with cyber security, it’s broader and includes compliance with industry-specific laws and regulations, as well as privacy laws and regulations that govern how personal data – from customers, employees, or vendors – is processed, stored, collected, and used. Data governance also includes policies and protocols regarding data ethics – in particular, managing the tension between how the company may use customer data in a legally permissible way and customer expectations as to how their data will be used.
Managing this tension poses significant reputation and trust risks for companies and represents a critical challenge for leadership. How robust and up to date is management’s data governance framework? Does it address third-party cyber security and data governance risks?