Synopsis
In the last decade, enterprises worldwide have undergone intense digital transformations. This has led to innovations in service delivery, operations, and customer engagement, opening new markets and opportunities for growth.
However, the expansion of the digital landscape has also brought a corresponding rise in cyber threats, as bad actors find more opportunities to exploit enterprises. Navigating the complexity of the threat environment and a patchwork of regulatory compliance requirements worldwide can be a thorny proposition.
In response to this new array of challenges, some governments are adopting new regulatory frameworks to bolster enterprise security. Among these, DORA and NIS2 will be the most prominent and potentially the most impactful through 2024 and into 2025 for many organisations and countries. Australia, for example, is implementing APRA's CPS230 based on the DORA framework. While there are various frameworks globally, they focus on six main themes.
- Increased resilience to enable faster recovery from adverse
- Third parties become critical and are governed by regulations/frameworks
- Enhanced incident reporting with aggressive reporting timelines and level of information
- Increased accountability to management boards with substantial fines for noncompliance
- Improved cyber hygiene with requirements for reasonable controls to anticipate, protect against, and withstand cyber threats
- Strict enforcement with routine stress tests alongside on-site inspections which go deeper and involve companies' leadership and new functions
The first step toward embracing a cyber-resilient strategy and aligning with new regulatory frameworks is for enterprises to clearly define what they must protect. That means scanning the overall business and considering the impact and implications across operational, financial, reputational, and regulatory areas.
We must ask the following questions when an incident occurs.
- Operational: How does an outage of this service impact other services? Could this affect other critical organisations? How could this impact B2B customers and partners?
- Financial: What financial losses are accrued through certain services being down?
- Reputational: How will this impact customer loyalty? Will this impact the share price? How harmful is the downtime of these services to the customer experience?
- Regulatory: What level of scrutiny and potential fines will this outage bring from regulators?
Understanding the parts of the business that underpin critical assets is essential to identifying threats and hazards and implementing mitigations.
Coming into compliance with new cyber regulations can be aided by powerful technological tools and solutions, including automation and artificial intelligence. Deployed in an advanced delivery setting, AI can continuously monitor and update standards and controls while assessing risk, cost-effectiveness, and capabilities.
As countries worldwide adopt and implement cyber regulations, enterprises of all stripes must prepare to bring their operations into compliance and become more resilient. Preparing for new cyber regulations is not only a regulatory necessity but also a strategic move that will yield numerous benefits and opportunities for enterprises.