World Economic Forum recommendations enhance FERMA’s work on cyber risk governance

Work by the World Economic Forum (WEF) on cyber resilience demonstrates the value of the work now underway by the Federation of European Risk Management Associations (FERMA) on governance for cyber risks in European organisations, according to the President of FERMA, Jo Willaert.

FERMA, in association with the European Confederation of Institutes of Internal Auditing (ECIIA), is preparing a set of specific, concrete recommendations on cyber risk governance so they can support their boards and risk committees in meeting the requirements of the two latest European Union cyber laws, the Network Information Security Directive and the Data Protection Regulation.

The WEF report Advancing Cyber Resilience, Principles and Tools for Boards stresses the responsibility of boards as a whole “to take ultimate responsibility for oversight of cyber risk and resilience.” It sets out 10 principles for boards including the appointment of an independent accountable officer, risk appetite and risk assessment and reporting.

At the junction of corporate governance and cyber security, the FERMA-ECIIA report is due to be published in June. It will include such questions as communication between reporting lines and collaboration between internal audit and risk management. FERMA is in touch with WEF cyber resilience experts to discuss possible collaboration.

Said Jo: “These new governance methodologies that we are drafting will help risk professionals advise their boards and top management on how they can respond to the risks and opportunities of digitisation in the most efficient way while complying with the new EU measures. We are delighted, therefore, that the World Economic Forum report stresses the importance of governance in the creation of cyber resilience. WEF also highlights the need for tools to help boards exercise their role, and our work will be part of that toolkit.”

Pascale Vandenbussche, Secretary General of ECIIA, commented: “FERMA and ECIIA created the joint working group because we saw a lack of focus on the risk governance aspect of cyber security in the EU initiatives. The group is looking to develop a general cyber risk management framework and governance model in the digital context with the collaboration of both professions.”
