What Rules the Board?
Kyan Frith
Business Enabler | Risk Specialist | Turning Chaos into Cashflow & Dreams into Tangible Results | Christ-follower
The World Economic Forum’s Global Risk Report 2021 lists cybersecurity failure as a top “clear and present danger” and critical global threat. The recent cyber-attack on JBS, the world’s largest meat processing company, illustrates that perfectly. Recognising this threat, the GFSC Cyber Security Rules and Guidance (the Rules) set out the risk-based requirements that Boards of Directors and organisations should consider and implement to mitigate this significant risk.
These Rules indicate that the Board of Directors is responsible for ensuring that the Rules are followed. By "followed", the GFSC means that your organisation must have in place appropriate policies, procedures and controls to mitigate the risk posed by cybersecurity events. The regulator also requires that your organisation be able to evidence that the Rules have been considered and implemented.
If the Rules seem daunting and overwhelming and you do not know where to start, we recommend that an organisation begins with a gap analysis against the Rules. This should be followed by a cyber risk assessment to identify and document its current risk profile, so that the Board can clearly see what the organisation's exposure to cyber risk is.
With this information in hand, a Board can help prioritise the work to close the gaps and/or to mitigate the risks. Getting to this point is critical, as it gives the Board an overview of the resources required to comply with the Rules by the deadline of 9th August 2021. With just over two months remaining before the deadline, we recommend you assess where your organisation is on its journey to comply with the Rules.
Fortunately, the Rules do state that the work involved is determined by the size, nature and complexity of your organisation. The journey to compliance is therefore different for each organisation, but the underlying principles remain the same.
If you need assistance to comply with the Rules, or simply to assess where you are on the compliance journey, it’s not too late. And if you just need to validate your position and then decide what to do for the best before 9th August, we are independent cyber risk specialists and are here to help.
Please get in touch with us at [email protected] or via our website at www.centricalcyber.com.