Strategic Insights into Enterprise Risk Management and Cyber Risk across Canada, the UK, and the USA
It's not surprising that ERM ranked among the top three most significant issues in 2022. According to the CGP/WATSON/GPC's key trends in governance report, "the top three most critical risks to an organization were cyber risk, with 58% of respondents, followed by people risk at 53%, and operating risk at 48%."
The prevailing enterprise risk is cybersecurity. As technology advances, all kinds of organizations are experiencing hacking and data breaches, with some losing private consumer data in the process. Individuals, corporations, and critical infrastructures (such as health and energy sectors) all face increased threats from hackers.
Recently, personal data belonging to nearly 1.5 million Albertans was exposed in a dental data breach, and earlier this year, a ransomware attack targeted Suncor, causing numerous issues for the organization and prompting a series of damage control measures to be put in place. Also, organizations need to take security background checks seriously. This is to avoid the possibility of hiring a hacker, as seen in the case of Sebastien Vachon-Desjardins, who was employed as an IT specialist for Public Services and Procurement Canada but was later arrested and pleaded guilty to ransomware-related crimes.
All readers are encouraged to check the Canadian Centre for Cyber Security Assessment 2023-2024 to better understand the current Canadian cybersecurity threats and trends.
At this year's international cybersecurity summit in Washington, D.C., the Canadian Cyber Centre chief called for increased collaboration between Canada and the U.S. to counter threats. Sami Khoury said "The two countries have become essential partners in fortifying the continent's cyber defences, a collaboration that he expects will only continue to grow. But in a world of ransomware, foreign interference, and hostile nation-states, he said he worries that citizens and businesses alike aren't taking the danger seriously." I have confidence that the UK will not pose a hostile nation-state to Canada, given their history of sharing intelligence and top security data with each other. The same level of collaboration with the US should certainly be maintained with the UK.
In March 2022, the US SEC introduced new cybersecurity regulations that focus on risk management, governance, and incident disclosure. These rules necessitate current and periodic reporting of material cybersecurity incidents, as well as reports on policies, board oversight, and management's expertise in handling cybersecurity risks. Additionally, there would be an annual requirement for reporting or proxy disclosure related to the board of directors' cybersecurity expertise, if applicable. On July 26, 2023, the SEC's final rules on cybersecurity disclosure were released. The final rules are narrower and streamline the March 2022 proposal, while still imposing significant new requirements on registrants.
Furthermore, as reported by the CGI UK & Ireland/FTSE 350 Boardroom Bellwether, 59% of respondents considered cyber risk a primary risk factor, while 37% regarded it as moderately significant. Moreover, a significant 75% of respondents noted that cyber risk is on the rise.
In conclusion, with regard to managing enterprise risk, cyber risk stands out as a significant concern for boards. To address this challenge, organizations are taking proactive measures. Notably, over 90% of them have increased their investments in IT, reflecting a 10% rise from 2022, and IT investments are anticipated to increase in 2024. Additionally, responsibility for mitigating cyber risk is shared among various organizational units, including IT teams, risk and audit committees, and the executive team. To sum up, these actions demonstrate a heightened commitment to addressing cyber risk within organizations.