Menu

Third-Party Risk Management

false assurance and cybersecurity

False Assurance in Risk Management and Cybersecurity: Unmasking the Illusion

, , , , , , , , , , , , , , , , , , , , , , ,

In today’s interconnected digital landscape, risk management and cybersecurity are of paramount importance for organizations and individuals alike. With the constant evolution of cyber threats, it is crucial to remain vigilant and proactive in implementing robust security measures.

However, a dangerous phenomenon known as false assurance can undermine even the most well-intentioned efforts. In a previous article, I mentioned the reports of recent unconnected breaches that affected Microsoft Azure and PwC, highlighting the potentially severe impacts that come with third-party security incidents. A more recent report indicates that the number of organizations impacted by the breach incident at Microsoft Azure may have even widened in the last few days.

In this article, we’ll delve into the captivating realm of risk management and cybersecurity, uncovering the deceptive notion of false assurance; exploring its causes, implications, and strategies to mitigate its detrimental effects.

Understanding False Assurance

False assurance in risk management and cybersecurity refers to situations where organizations or individuals mistakenly believe that they are adequately protected against risks and threats, when; in reality; their security measures are ineffective or inadequate.

False assurance occurs when there is a false sense of security, leading to complacency, overconfidence, negligence, and the assumption that all necessary precautions have been taken. It can also stem from a lack of awareness, understanding, or communication of actual risks and vulnerabilities that exist in the operating environment. Unfortunately, this perception gap can expose entities (i.e., organizations and individuals) to severe consequences, including data breaches, financial loss, reputational damage, and regulatory non-compliance.

Causes of False Assurance

False assurance can arise due to several reasons including:

  1. Inadequate risk assessment: Organizations may fail to conduct comprehensive risk assessments, leading to an incomplete understanding of potential vulnerabilities. Overlooking critical risks can create a false sense of security.

  2. Overreliance on technology: While technological solutions play a crucial role in cybersecurity, relying solely on them without considering the human factor or other potential attack vectors can be dangerous. Organizations must adopt a holistic approach to security.

  3. Lack of continuous monitoring: Cyber threats are constantly evolving, necessitating ongoing monitoring and adaptation of security measures. Failure to regularly assess and update security practices can result in false assurance.

  4. Insufficient training and awareness: Human error remains a leading cause of cybersecurity breaches. If employees are not adequately trained on security best practices or are unaware of potential risks, they may engage in risky behaviour, leading to a false sense of security.

  5. Compliance-driven approach: While compliance with regulations and standards is crucial, a compliance-focused mindset can create false assurance. Organizations must recognize that compliance does not automatically ensure security and should go beyond the minimum requirements.

  6. Human factors: People may have cognitive biases, such as confirmation bias, optimism bias, or availability bias, which may influence their perception and judgment of risks. They may also have emotional factors, such as fear, pride, or loyalty, which affect their willingness and ability to report or address risks. Also, they may have behavioural factors, such as inertia, fatigue, or habituation, which may reduce their vigilance and responsiveness to risks.

  7. Organizational factors: Organizations may have cultural factors, such as norms, values, or incentives, that shape their attitude and approach to risk management. They may also have structural factors, such as hierarchy, silos, or bureaucracy, that hinder their coordination and collaboration on risk management. Also, they may have procedural factors, such as policies, standards, or audits, that create a false sense of security or compliance without ensuring actual effectiveness or improvement.

  8. Technical factors: Technologies may have inherent limitations, flaws, or vulnerabilities that expose them to risks. They may also have complex interactions or dependencies that create unforeseen risks. They may also have dynamic changes or updates that introduce new risks or invalidate existing controls.

Implications of False Assurance

The ramifications of false assurance in risk management and cybersecurity can be significant; these may include:

  1. Increased vulnerability: False assurance blinds organizations to potential risks, leaving them exposed to sophisticated cyberattacks that can bypass inadequate security measures. Cyberattacks can cause various damages, such as data theft, encryption, deletion, or manipulation; system infection, corruption, or disruption; or network slowdown, overload, or outage.

  2. Financial losses: Data breaches and security incidents can result in substantial financial losses due to legal liabilities, remediation costs, regulatory fines, and reputational damage.

  3. Damage to reputation: A security breach can erode customer trust and confidence, leading to reputational damage that is difficult to recover from. Customers may choose to take their business elsewhere, impacting an organization’s long-term viability.

  4. Legal and regulatory consequences: Organizations failing to meet their legal and regulatory obligations may face severe penalties, legal action, and loss of business licenses. Compliance failures can result from several factors, such as ignorance, misinterpretation, misalignment, or non-conformance.

These risks and threats can have severe and lasting impacts on the performance, reputation, and sustainability of any organization.

Investors see data breaches as a threat to a company’s material value and feel discouraged in investing in a business that has had its sensitive information compromised.

— Malcolm Marshall, Global Head of Cyber Security, KPMG

Mitigating False Assurance

To mitigate the risks associated with false assurance, organizations must adopt a proactive and comprehensive approach to risk management and cybersecurity. This approach may include the following:

  1. Thorough risk assessment: Conduct comprehensive risk assessments, considering internal and external factors. This step entails identifying potential vulnerabilities, assessing potential impacts, and prioritizing security measures accordingly. Regular reviews and updates are essential to adapt to the ever-changing threat landscape.

  2. Multi-layered security strategy: Recognize that no single solution can provide foolproof protection. Implement a multi-layered security approach that includes a combination of technological solutions, employee training, incident response plans, and regular security audits.

  3. Continuous monitoring and adaptation: Regularly monitor systems and network traffic for suspicious activity. Stay informed about emerging threats and update security measures accordingly.

  4. Embrace Innovation: Stagnation is the enemy of cybersecurity. By embracing innovation, organizations can stay one step ahead of malicious actors. Regularly evaluate emerging technologies, implement robust patch management processes, and foster a culture of continuous learning to promote resilience.

  5. Employee training and awareness: Educate employees about security best practices, potential risks, and their roles and responsibilities in maintaining a secure environment. Foster a culture of cybersecurity awareness.

  6. Independent validation: Seek external validation through independent audits, penetration testing, or cybersecurity assessments to ensure that security measures are effective and up to date.

  7. Cybersecurity governance framework: A framework is a set of standards, guidelines, or best practices that can help organizations design, implement, and manage their respective cybersecurity program. A cybersecurity governance framework can help an organization align its cybersecurity objectives with its business goals, identify and prioritize risks, and measure and improve performance.

Key stakeholders often underestimate how complex and overwhelming it can be to manage all the ancillary people and groups who must play a role in mitigating a major breach incident, including internal and external attorneys, internal and external investigators, law enforcement, regulators, and many others.

— Bryan Sartin, Managing Director, Verizon

Closing thoughts

False assurance is a dangerous and treacherous illusion that can undermine an organization’s risk management and cybersecurity capabilities and resilience, leading to complacency and a failure to adequately protect against evolving cyber threats. It can stem from various human, organizational, or technical factors that create a gap between perception and reality of risks and vulnerabilities.

Organizations must recognize the causes and implications of false assurance and take proactive steps to mitigate its risks. By embracing a comprehensive and dynamic approach to security, organizations can strengthen their defences, protect sensitive information, and preserve their reputation in an increasingly challenging digital landscape.

Remember, true cybersecurity requires constant vigilance and adaptability.

If you need help establishing effective cybersecurity capabilities with your organization, or you’re simply interested in learning more about effective cybersecurity and risk management best practices, then please feel free to contact me today.

Au revoir; take care, until we meet again.

effective cybersecurity governance

Bridging the Gap: Leadership Strategies for Effective Cybersecurity Governance – Part 2

, , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Within the last week or so, we’ve seen reports of a couple of serious breaches that put the reputation of the target organizations in jeopardy but, more importantly, these breaches also constituted significant third-party risks to businesses and organizations that rely on the affected organizations. The first reported breach hit Microsoft Azure and impacted some users of its email services. The second reported breach targeted PwC and impacted some of its clients.

Sadly, cyber-attacks and cyber-incidents are nearly almost inevitable, it’s the nature of the beast.

However, whilst likelihood is almost nearly certain, severity and impact can be reduced, significantly. The adverse impacts of any such events on the operations of your organization can be mitigated and contained. And as a cybersecurity leader, one of the effective tools that can help you build resilience in the defence of your organization is effective cybersecurity governance.

To establish and maintain effective cybersecurity governance, leaders must develop a comprehensive cybersecurity strategy. This entails identifying critical assets and vulnerabilities, implementing risk management frameworks, and ensuring robust governance structures to guide their decision-making, planning, implementation, and evaluation of cybersecurity initiatives.

In the previous article, we looked at the crucial role of leadership in establishing and maintaining robust cybersecurity governance. We explored the qualities and skills required for cybersecurity leaders to navigate the complexities of the evolving threat landscape, address the challenges posed by these emerging threats, satisfy regulatory compliance, foster a culture of security awareness, and drive organizational change.

This article is the second and final part in the series. In this article, we’ll delve into some practical hands-on strategies that can help cybersecurity leaders establish and maintain effective cybersecurity governance within their organizations. Some of these strategies include:

Define your vision and strategy for cybersecurity

As a cybersecurity leader, you should define your vision and strategy for cybersecurity that aligns with your organization’s mission, vision, and values. Your vision should describe what you want to achieve in terms of cybersecurity outcomes, such as security posture, resilience, compliance, reputation, etc.

Your strategy should outline how you plan to achieve your vision by setting Specific, Measurable, Achievable, Relevant, and Time-bound (SMART) goals and objectives. You should also identify the key building blocks for your strategy i.e., drivers, enablers, and barriers.

Here are some examples of outlined key building blocks:

  • Vision: To be recognized as a leader in cybersecurity excellence by our customers, partners, regulators, and peers.

  • Strategy: To implement a comprehensive cybersecurity program that covers all aspects of our business operations, from strategy to execution.

  • Goal #1: To achieve ISO/IEC 27001 certification by Q4 2024.

  • Goal #2: To reduce the number of security incidents by 50% by Q2 2024.

  • Goal #3: To increase the level of security awareness among our employees by 80% by Q1 2025.

  • Driver: To protect our brand reputation; to comply with regulatory requirements.

  • Enabler #1: To allocate sufficient resources and budget for cybersecurity.

  • Enabler #2: To develop policies and standards for cybersecurity.

  • Enabler #3: To establish clear roles and responsibilities for cybersecurity.

  • Enabler #4: To monitor performance and compliance for cybersecurity.

  • Enabler #5: To engage stakeholders and partners for cybersecurity.

This bit is rather particularly important; you should align your vision and strategy with the overall vision and strategy of your organization, as well as ensure that they are consistent and coherent.

Once you have defined your vision and strategy for cybersecurity, you should communicate it to your team, your peers, and other relevant stakeholders. Also, you should review and update your vision and strategy regularly, based on the feedback, results, and changes in the environment.

Build your team and empower them

As a cybersecurity leader, you’d build a strong and diverse team that can support you in implementing your vision and strategy for cybersecurity. You should recruit, train, develop, and retain the best talent for cybersecurity, based on their skills, experience, knowledge, attitude, and potential. You should also leverage the existing capabilities and resources within your organization, such as IT, legal, compliance, audit, risk, etc.

You should also empower your team by delegating authority and responsibility for cybersecurity tasks and activities. You should provide them with clear expectations, guidance, support, feedback, and recognition. You should also encourage them to collaborate with each other and with other teams and stakeholders. You should also foster a culture of learning and improvement within your team by promoting continuous education, training, certification, mentoring, coaching, etc.

Develop policies, standards, and procedures for cybersecurity

You should develop policies, standards, and procedures for cybersecurity that define the rules, requirements, and best practices for securing your organization’s systems and information. You should base your policies and standards on recognized frameworks, such as ISO/IEC 27001, NIST Cybersecurity Framework (CSF), NIST Risk Management Framework (RMF), or COBIT.

You should ensure that the policies, standards, and procedures you develop are aligned with the values, principles, and objectives of your organization. Also, you should ensure that the policies and standards are documented, communicated, and enforced across the organization. You should also monitor compliance with your policies and standards, as well as take corrective actions when needed.

Implement controls and measures for cybersecurity

As a cybersecurity leader, you should implement controls and measures for cybersecurity that protect your organization’s systems and information from cyber threats and attacks. You should base your controls and measures on recognized models, such as CIA (Confidentiality, Integrity, & Availability), AAA (Authentication, Authorization, & Accountability), or PDCA (Plan, Do, Check, Act).

You should ensure that the controls and measures you implement align with the risk appetite, business needs, and stakeholder expectations within your organization.

Also, you should ensure that your controls and measures are effective, efficient, and economical. You should also measure (and report on) the performance of your controls and measures using relevant metrics, such as Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), or Key Control Indicators (KCIs). You should also improve your controls and measures regularly, based on the feedback, results, and changes in the environment.

Companies that are leveraging technologies the best, leveraging the best practices in order to mitigate their risk, they should see that reflected in the terms and conditions that they are offered by the market…

— Noel Pearman, XL Catlin

Review risks and opportunities for cybersecurity

You should review risks and opportunities for cybersecurity to ensure that your organization is prepared for the current and future cyber threat landscape. You should use various tools and techniques to identify, analyse, evaluate, and treat risks and opportunities related to cybersecurity. Some of these tools and techniques include:

  • Risk identification: To recognize sources, events, or causes of potential or actual harm or loss related to cybersecurity.

  • Risk analysis: To estimate the likelihood and impact of potential or actual harm or loss related to cybersecurity.

  • Risk evaluation: To compare the level of risk with the organization’s risk appetite or tolerance related to cybersecurity.

  • Risk treatment: To select and implement options to avoid, reduce, transfer, or accept risk related to cybersecurity.

  • Opportunity identification: To recognize sources, events, or causes of potential or actual benefit or gain related to cybersecurity.

  • Opportunity analysis: To estimate the likelihood and impact of potential or actual benefit or gain related to cybersecurity.

  • Opportunity evaluation: To compare the level of opportunity with the organization’s opportunity appetite or criteria related to cybersecurity.

  • Opportunity treatment: To select and implement options to exploit, enhance, share, or ignore opportunities related to cybersecurity.

As always, you should ensure that your review activities are proactive, comprehensive, systematic, and consistent. Also, you should communicate your review results to relevant stakeholders using appropriate formats and channels. You should also act on your review results by taking preventive or corrective actions when needed.

Engage stakeholders and partners for cybersecurity

You should engage stakeholders and partners for cybersecurity to ensure that your organization has the support and collaboration it needs to achieve its security goals and objectives. You should identify who your stakeholders and partners are, what their interests and expectations are, and how you can communicate and interact with them effectively. Some of your stakeholders and partners may include:

  • Internal stakeholders: Such as senior executives, board members, managers, employees, etc., who have a direct or indirect interest in the organization’s security performance or compliance.

  • External stakeholders: Such as customers, suppliers, regulators, auditors, investors, media, etc., who have a direct or indirect influence on the organization’s security performance or compliance.

  • Partners: Such as peers, competitors, industry associations, professional bodies, academic institutions, research organizations, etc., who have a common interest or goal in enhancing security performance or compliance.

You’d expect to use various tools and techniques to engage stakeholders and partners including Stakeholder analysis, Stakeholder engagement plan, communication plan, etc. You’d communicate your engagement results to relevant stakeholders and partners using appropriate formats and channels.

Other elements that you would cover in your overarching cybersecurity governance include:

  1. Monitor performance and compliance for cybersecurity.

  2. Promote awareness and education for cybersecurity.

  3. Establish vendor and third-party risk management.

  4. Establish and monitor business continuity and disaster recovery plans.

  5. Establish asset inventory and management.

  6. Drive innovation and improvement for cybersecurity.

  7. Integrate with the enterprise architecture.

Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.

— Stéphane Nappo

Final thoughts

Cybersecurity governance is a strategic imperative that affects every aspect of an organization’s operations, performance, reputation, and resilience. It requires strong leadership from the top down and across all levels of the organization. Effective cybersecurity leaders possess a combination of qualities and skills that enable them to lead by example, inspire others, and deliver results. They also employ various strategies that can help them establish and maintain effective cybersecurity governance within their organizations. By following these strategies, cybersecurity leaders can bridge the gap between their vision and reality for cybersecurity and create a robust security culture within their organizations.

I hope that this set of articles has empowered you, as a cybersecurity leader, to champion cybersecurity initiatives and create a robust security culture within your organization. I also hope that these articles have inspired further research or practice on cybersecurity governance.

Au revoir; take care, until we meet again.

Further reading

If you’re interested in learning more about Cybersecurity governance, you can check out these resources:

supply chain and cybersecurity part 2

Safeguarding the Digital Fortress: Navigating Cybersecurity and Supply Chain Challenges – Part 2

, , , , , , , , , , , , , , , , , , , , , , , ,

This is the second part of a 2-part series wherein we explore cybersecurity and supply chain challenges. In the first post, we explored the challenges, risks, and threats that cybersecurity and the supply chain pose to organizations and how these could be effectively mitigated against. We also looked at how cybersecurity supply chain risks touch nearly all facets of business operations including sourcing, vendor management, supply chain continuity and quality, transportation security and many other functions across the enterprise.

The digital landscape is fraught with diverse cybersecurity threats, ranging from malware and phishing attacks to the ever-looming threat of ransomware. Such threats not only compromise data integrity but also disrupt operations and tarnish the reputation of businesses. In this second and final part of the series, we’ll delve even further into a few other factors that play into the complex yet critical fabric of the global interconnectedness of businesses and organizations. Let’s get started, shall we?

A holistic approach to C-SCRM

Cybersecurity and the supply chain are interdependent and mutually influential. C-SCRM is a vital process that helps organizations to ensure the security and integrity of their products and services and to mitigate the risks and threats that may affect their supply chain.

To be effective, C-SCRM must be seen and conducted as an enterprise-wide activity that involves all tiers of your organization i.e., people, business processes, and technology. C-SCRM requires a holistic and proactive approach that involves collaboration among all parties in the supply chain and incorporates other aspects of cybersecurity such as generative AI, data protection, leadership, cyber resilience, privacy, third-party risks, and cybersecurity governance.

Generative AI for C-SCRM

The emergence of Generative AI, a subset of Artificial Intelligence (AI), has brought new possibilities for enhancing cybersecurity. Generative AI can be a powerful tool for C-SCRM in several ways, such as:

  1. Enhancing the security and quality of products and services by using generative AI to test, verify, or validate their functionality, performance, or compliance.

  2. Improving the efficiency and agility of supply chain processes by using generative AI to automate, optimize, or streamline tasks such as design, development, distribution, deployment, maintenance, etc.

  3. Increasing the innovation and differentiation of products and services by using generative AI to generate new features, functionalities, or designs that meet customer needs or expectations.

  4. Enabling the personalization and customization of products and services by using generative AI to tailor them to specific preferences, contexts, or scenarios of customers or users.

However, there are some challenges and risks of integrating Generative AI into C-SCRM, such as:

  1. Introducing new vulnerabilities or threats to products and services by using generative AI to create malicious or harmful content or data that can compromise their security or integrity.

  2. Reducing the transparency or accountability of products and services by using generative AI to generate content or data that is difficult to explain, verify, or trace.

  3. Increasing the complexity or uncertainty of products and services by using generative AI to generate content or data that is dynamic, unpredictable, or probabilistic.

  4. Affecting the ethics or legality of products and services by using generative AI to generate content or data that is inappropriate, offensive, deceptive, or infringing.

Therefore, it is important to use generative AI responsibly and ethically for C-SCRM and ensure that it complies with the relevant standards, regulations, and best practices.

A reinforced and sturdy C-SCRM

C-SCRM is not a standalone activity but rather an integral part of the overall cybersecurity strategy and culture of an organization. Therefore, it’s essential to incorporate other key aspects of cybersecurity such as data protection, leadership, cyber resilience, privacy, third-party risks, and cybersecurity governance into C-SCRM. Some of the ways to do this include:

  1. Data protection: Ensure that the data that is collected, processed, stored, transmitted, or shared in the supply chain is protected from unauthorized access, use, disclosure, modification, or destruction. Implement data protection measures such as encryption, authentication, authorization, backup, recovery, etc. Comply with data protection laws and regulations such as GDPR, CCPA, etc.

  2. Leadership: Establish a clear vision and direction for C-SCRM that is communicated and supported by the top management and stakeholders. Empower and enable the C-SCRM team with the necessary resources, authority, and accountability. Foster a culture of trust, collaboration, and continuous improvement among all parties in the supply chain.

  3. Cyber resilience: Build the ability to anticipate, prepare for, respond to, and recover from cyberattacks in the supply chain. Develop a cyber resilience strategy that covers prevention, detection, response, recovery, and learning. Implement cyber resilience measures such as redundancy, diversity, modularity, adaptability, etc.

  4. Privacy: Privacy is a complex and evolving domain that requires balance and trade-offs. It’s subject to various interests and values that may conflict or compete with each other. Respect the rights and preferences of customers and users regarding their personal information in the supply chain. Implement privacy measures such as consent, notice, choice, access, rectification, erasure, etc. Comply with privacy laws and regulations such as GDPR, CCPA, etc.

    Your organization can implement privacy standards and frameworks (e.g., ISO/IEC 29100, NIST SP 800-53A, or CIS Privacy Controls) that provide guidance on how to embed privacy principles and practices into its data processing activities.

  5. Third-party risks: Third-party risk management is subject to various sources and types of risks that may change or evolve over time. Some examples of such sources and types of risks include performance risks, financial risks, operational risks, strategic risks, compliance risks, or reputational risks. Assess and manage the risks associated with the external parties that provide products or services in the supply chain. Implement third-party risk management measures such as due diligence, risk assessment, contract management, monitoring, auditing, etc.

    Your organization can comply with third-party risk management standards and frameworks such as ISO 27036 (parts 1 through 4), NIST SP 800-161, etc.

  6. Cybersecurity governance: Cybersecurity governance is a challenging and demanding domain that requires leadership, culture, and competence. Cybersecurity governance is subject to various stakeholders and expectations that may vary by sector, industry, or region. Some examples of such stakeholders and viewpoints include board members, senior managers, employees, customers, suppliers, regulators, and auditors. Establish and maintain the policies, processes, structures, roles, and responsibilities for C-SCRM. Implement cybersecurity governance measures such as planning, organizing, directing, controlling, reporting, etc.

    Your organization can implement cybersecurity governance standards and frameworks such as ISO 27001, ISO 38500, NIST SP 800-37, NIST CSF, COBIT, etc. Your organization can also invest in cybersecurity governance tools to help enhance its cybersecurity governance capabilities and performance. Such tools and training include cybersecurity governance dashboard, cybersecurity governance scorecard, cybersecurity governance maturity model, cybersecurity governance workshop, etc.

NIST has outlined some key practices for effective C-SCRM alignment including:

  1. Integrate C-SCRM across the organization.

  2. Establish a formal C-SCRM program.

  3. Know and manage critical suppliers.

  4. Understand the organization’s supply chain.

  5. Closely collaborate with key suppliers.

  6. Include key suppliers in resilience and improvement activities.

  7. Assess and monitor throughout the supplier relationship.

  8. Plan for the full lifecycle.

Experts on cybersecurity and supply chain management like to draw attention to the fact that operating systems are only as strong as their “weakest link“. The “weakest link” argument is evoked with good reason when discussing risk management.

— Xeneta

Conclusion

Okay, we’ve discussed the challenges and opportunities of cybersecurity and supply chain management. We’ve also discussed how Generative AI can be used to create and protect data in various domains. Finally, I’ve provided some best practices and recommendations for improving cybersecurity and supply chain management, drawing on relevant guidance and regulations such as the NCSC Supply Chain Security Guidance, the NIST CSCRM, and the EU Supply Chain Due Diligence Directive.

If you are interested in learning more about C-SCRM or need help with implementing it in your organization, please contact me today. I can help you to design, develop, and deploy a C-SCRM strategy that suits your business objectives, risk appetite, regulatory obligations, and cybersecurity posture. I can also help you to leverage generative AI for C-SCRM responsibly and ethically.

Hasta que nos encontremos de nuevo; take care, see you around soon.

cybersecurity and supply chain

Safeguarding the Digital Fortress: Navigating Cybersecurity and Supply Chain Challenges – Part 1

, , , , , , , , , , , , , , , , , , , , ,

In a previous post, I mentioned that supply chain attacks would be one of the possible cybersecurity trends to look out for in 2023. Given the ever-mounting of threats of cyberattacks to supply chains, Gartner reported that 44% of organizations indicated that they would substantially increase year-over-year spend on supply chain cybersecurity in 2023.

In the last week, there’ve been news reports of a ransomware attack on the Port of Nagoya in Tobishima, Japan’s largest port by total cargo throughput. Reports indicate that the attack had successfully prevented the port from receiving shipping containers for two days. The port is a significant hub for Toyota Motor Corporation, handling some of the company’s exports and imports.

Cybersecurity is not just about protecting your systems and data from cyberattacks. It is also about ensuring the security and integrity of the products and services you rely on from your suppliers, vendors, and partners. This is what cybersecurity supply chain risk management (C-SCRM) is all about.

This post is the first part of a 2-part series wherein we’ll explore the challenges, risks, and threats that cybersecurity and supply chain pose to organizations and how these could be effectively mitigated against. We’ll also discuss how data protection, cyber resilience, third-party risks, cybersecurity governance, and a few other factors play into this complex and critical relationship.

Finally, we’ll provide some best practices and recommendations for improving cybersecurity and supply chain management in this ever-evolving digital era, drawing on relevant guidance and regulations such as the NCSC Supply Chain Security Guidance, the NIST CSCRM Guidance, and the EU Supply Chain Due Diligence Directive.

What’s Cybersecurity Supply Chain Risk Management?

According to NIST, C-SCRM could be described as “the process of managing the cybersecurity risks that may affect the supply chain and its products and services. It involves identifying, assessing, monitoring, and responding to these risks (whether intentional or inadvertent) at all levels of an organization and its external partners. C-SCRM aims to ensure the integrity, security, quality, and resilience of the supply chain and its cybersecurity-related elements.”

C-SCRM covers the entire lifecycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) and the extended circle of vendors that may use services or products from other vendors. It also covers the physical and software security of the purchased devices and programs.

Some of the factors that make the supply chain vulnerable to cyberattacks include:

  1. The use of multiple components from various sources may have different levels of security or quality assurance.

  2. The reliance on third-party service providers for cloud services, web applications, online stores, management software, etc.

  3. The lack of visibility or control over the security practices of suppliers or subcontractors.

  4. The exposure to geopolitical or regulatory risks that may affect the availability or integrity of products or services.

  5. The possibility of insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software or hardware, or poor manufacturing or development practices in the supply chain.

These factors can result in risks such as:

  1. Compromise of confidential or sensitive data or intellectual property.

  2. Loss of functionality or availability of critical systems or services.

  3. Damage to your organization’s reputation or the trust of customers or stakeholders.

  4. Legal liability or regulatory non-compliance.

  5. Financial losses or operational disruptions.

How to Mitigate C-SCRM Risks?

Mitigating C-SCRM risks requires a holistic and proactive approach that involves collaboration among all parties in the supply chain. Some effective mitigating measures against cybersecurity supply chain risks include:

  1. Establishing a C-SCRM strategy that aligns with the organization’s business objectives, risk appetite, and cybersecurity posture.

  2. Developing a C-SCRM policy that defines roles and responsibilities, processes and procedures, standards and guidelines, metrics and reporting for managing C-SCRM risks.

  3. Conducting a C-SCRM assessment that identifies and prioritizes the critical assets, suppliers, processes, and dependencies in the supply chain and evaluates their cybersecurity risks.

  4. Implementing C-SCRM controls that address the identified risks through preventive, detective, corrective, or compensating measures. These may include contractual clauses, security requirements, audits, testing, monitoring, incident response, contingency planning, etc.

  5. Monitoring C-SCRM performance that tracks and measures the effectiveness of C-SCRM controls and provides feedback for improvement.

  6. Reviewing C-SCRM practices that periodically evaluate the relevance, adequacy, and efficiency of C-SCRM strategy, policy, assessment, controls, and performance and update them as needed.

While organizations say they are aware of the risks, most admit that they aren’t making supply chain security a priority.

Conclusion

As we conclude the first part of this exploration of cybersecurity and supply chain challenges, it’s clear that the digital fortress demands our utmost attention. Cybersecurity in the supply chain isn’t an IT problem only. Cybersecurity supply chain risks touch pretty much all facets of business operations including sourcing, vendor management, supply chain continuity and quality, transportation security and many other functions across the enterprise.

In the second part of the series, we’ll explore a few other factors that play into this complex yet critical relationship, including data protection, cyber resilience, third-party risks, cybersecurity governance, and leadership.

Hasta que nos encontremos de nuevo; take care, see you around soon.

ai revolutionising healthcare

Unleashing the Power of Artificial Intelligence in Healthcare: Revolutionising Patient Care – Part 2

, , , , , , , , , , , , , , , , , , , , , , , ,

This is the second part of a 2-part series where we delve into the realm of Artificial Intelligence (AI) in healthcare. In the first post, we discussed how AI is transforming healthcare and medicine, by providing new ways to diagnose, treat, or prevent diseases, as well as improving the delivery and quality of health services. We also discussed the applications and benefits of AI in the delivery of healthcare services, such as enhancing efficiency, accuracy, and personalisation.

However, whilst the promises of AI in healthcare are remarkable, AI for health also poses significant challenges and risks for health systems, such as ethical, social, and technical issues. So, in this second and final part of the series, join me as we discuss some of the challenges, risks, and issues that often accompany the implementation of AI, and then proffer possible solutions to ensure responsible AI adoption.

Challenges and Ethical Considerations

  1. Ethical dilemmas: AI can raise ethical questions or conflicts that may not have clear or universal answers, such as who is responsible or accountable for the outcomes or consequences of AI systems, how to ensure fairness or equity in the access or distribution of AI benefits, or how to balance the rights or interests of different parties involved in AI systems, such as patients, providers, developers, or regulators.

  2. Data privacy and security concerns: As healthcare systems rely heavily on sensitive patient data, safeguarding privacy and ensuring robust security measures become paramount. Proper data governance, encryption, and stringent access controls are crucial to protect patient information from breaches or misuse.

  3. Bias and fairness in AI algorithms: AI algorithms are only as unbiased as the data they are trained on. It is essential to ensure diverse and inclusive data sets to avoid perpetuating biases. Ongoing monitoring and auditing of AI systems can help detect and rectify any unintended biases in decision-making processes.

  4. Social implications: AI can have social impacts that may affect the values, norms, or behaviours of individuals or groups in society, such as how to preserve human dignity, autonomy, or agency in the face of AI systems, how to maintain human relationships, trust, or empathy in the context of AI systems, or how to address potential social disruptions, divisions, or inequalities that may result from AI systems.

  5. Transparency and interpretability of AI systems:The “black box” nature of AI systems can raise concerns regarding transparency and interpretability. Healthcare professionals and regulators must work together to ensure that AI algorithms are transparent, providing insights into how decisions are made, and fostering trust among stakeholders.

  6. Technical limitations: AI can have technical challenges that may limit its performance, reliability, or safety in real-world settings, such as how to ensure the quality, validity, or security of the data used to train or test AI systems, how to deal with uncertainty, complexity, or ambiguity in the data or environment that may affect AI systems, or how to handle errors, failures, or attacks that may compromise AI systems.

  7. Regulatory gaps: AI can have regulatory challenges that may hinder its development, adoption, or evaluation in health systems, such as how to define, measure, or monitor the standards, criteria, or indicators for assessing the effectiveness, efficiency, or impact of AI systems, how to establish, enforce, or update the rules, guidelines, or frameworks for governing the design, use, or oversight of AI systems or how to foster collaboration, cooperation, or coordination among different stakeholders sectors or jurisdictions involved in AI systems.

Overcoming Challenges and Ensuring Responsible AI Adoption

To ensure responsible AI adoption in healthcare, some measures to overcome and mitigate these challenges and risks may include:

  1. Develop ethical guidelines: Ethical guidelines can help provide a common vision principles or values for guiding the development use or evaluation of AI systems in healthcare. Ethical guidelines can also help address or resolve ethical dilemmas or conflicts that may arise from AI systems in healthcare. For example, the World Health Organization (WHO) issued a report on Ethics and governance of artificial intelligence for health, which provides six guiding principles for AI in health, namely:

    1. Protecting human autonomy.
    2. Promoting human well-being and safety and the public interest.
    3. Ensuring transparency, explainability, and intelligibility.
    4. Fostering responsibility and accountability.
    5. Ensuring inclusiveness and equity.
    6. Promoting AI that is responsive and sustainable.

  2. Establish governance frameworks: Governance frameworks can help provide a clear and consistent structure, process, or mechanism for regulating, monitoring, or evaluating AI systems in healthcare. Governance frameworks can also help ensure the compliance, quality, or safety of AI systems in healthcare. For example, the UK National Health Service (NHS) has developed an AI in Health and Care Award programme, which provides a pathway for accelerating the testing and adoption of AI systems in healthcare, as well as a set of standards and requirements for assessing the feasibility, clinical safety, efficacy, and cost-effectiveness of AI systems in healthcare.

  3. Establish robust data governance and protection measures: Healthcare organizations must establish robust data governance frameworks, ensuring compliance with privacy regulations and implementing stringent security protocols to protect patient data.

  4. Ensure diverse and inclusive data sets for AI training: By actively seeking diverse and representative data sets, we can mitigate biases and ensure that AI algorithms deliver fair and equitable outcomes for all patients, irrespective of their background or demographics.

  5. Establish regulatory frameworks and guidelines for AI deployment: Regulators play a crucial role in establishing guidelines and standards for AI deployment in healthcare. By working hand in hand with healthcare professionals and AI experts, regulators can ensure responsible AI adoption, promoting patient safety, and ethical practices.

  6. Ensure human oversight: Human oversight can help provide a check and balance for AI systems in healthcare, by ensuring that human values, judgments, or inputs are incorporated or respected in AI systems in healthcare. Human oversight can also help prevent or correct errors, failures, or harms that may result from AI systems in healthcare. For example, the European Commission has proposed a risk-based approach for regulating AI systems in various sectors, including healthcare, which requires high-risk AI systems to have adequate human oversight measures, such as human-in-the-loop (where humans can intervene or override AI decisions), human-on-the-loop (where humans can monitor or supervise AI decisions), or human-in-command (where humans can set or limit AI goals or parameters).

  7. Foster collaboration: Collaboration can help facilitate the sharing of knowledge, resources, or best practices among different stakeholders, sectors, or jurisdictions involved in AI systems in healthcare. Collaboration can also help promote innovation, diversity, or inclusion in AI systems in healthcare. For example, the Partnership on AI is a multi-stakeholder initiative that brings together academics, researchers, civil society organizations, companies, and governments to explore and address the opportunities and challenges of AI in various domains, including healthcare. The Partnership on AI aims to advance the understanding and application of AI in ways that are ethical, fair, transparent, accountable, and beneficial to humanity.

  8. Promote education: Education can help raise awareness and understanding of AI among various audiences, such as patients, providers, researchers, policymakers, or the public. Education can also help develop the skills Competencies or capacities needed to design use or evaluate AI systems in healthcare. For example, the Stanford Center for Health Education has launched an online course on Artificial Intelligence in Healthcare which introduces the concept, technologies, and applications of AI in healthcare, as well as the ethical social and regulatory issues related to AI in healthcare.

The Future of AI in Healthcare

As we gaze into the future, the potential of AI in healthcare seems boundless; I dare say that we’re yet to scratch the surface of the immense potential of AI in healthcare. Emerging trends and technologies such as natural language processing, robotic surgery, and AI-driven drug discovery hold promise for revolutionizing healthcare practices. However, we must remain mindful of ethical and societal considerations, actively shaping the future of AI in healthcare through collaboration, innovation, and responsible implementation.

Eventually, doctors will adopt AI and algorithms as their work partners. This levelling of the medical knowledge landscape will ultimately lead to a new premium: to find and train doctors who have the highest level of emotional intelligence.

Conclusion

AI is transforming healthcare and medicine in unprecedented ways, by providing new tools methods or solutions for improving health outcomes quality and access to care. AI has many benefits for various stakeholders in health systems, such as patients, providers, researchers, policymakers, and society at large.

However, AI also poses significant challenges and risks for health systems. Therefore, it is essential to adopt a balanced and responsible approach to developing, using, and evaluating AI systems in healthcare, by following ethical guidelines, establishing governance frameworks, ensuring more comprehensive and inclusive data sets, ensuring human oversight, fostering collaboration, and promoting education.

By doing so, we can harness the potential of AI for health to revolutionize healthcare and medicine in the future, while minimizing its pitfalls and maximizing its benefits for humanity.

Au revoir; take care, until we meet again.

If you are interested in learning more about AI in healthcare, you can check out these resources:

  • Artificial Intelligence: Healthcare’s New Nervous System: This report by Accenture provides an overview of the current state and future trends of AI in healthcare, as well as some recommendations for health organizations to leverage AI for growth and value.

  • Artificial Intelligence for Health: This website by the International Telecommunication Union (ITU) provides information on the global focus group on artificial intelligence for health (FG-AI4H), which aims to establish a standardized assessment framework for evaluating and benchmarking AI solutions for health.

  • AI4Healthcare: This website by the AI4Healthcare initiative provides a platform for connecting and collaborating with AI experts, healthcare professionals, and patients to co-create and co-evaluate AI solutions for health.

ai revolutionizing healthcare

Unleashing the Power of Artificial Intelligence in Healthcare: Revolutionising Patient Care – Part 1

, , , , , , , , , , , , , , , , , , , , , , , ,

In a previous post, we discussed possible cybersecurity trends and predictions for 2023. Today, I thought we’d embark on a journey into the realm of Artificial Intelligence (AI) in healthcare. So, join me, if you may, as we explore the applications, benefits, challenges, and ethical considerations surrounding this groundbreaking yet evolving technology, and what are the future directions of AI-augmented healthcare systems. We’ll uncover the potential of AI to revolutionize the delivery of healthcare services, transcending boundaries and ushering in a new era of improved patient outcomes and innovation.

AI is not a new concept, but it has gained a lot of momentum and attention in recent years. AI is the ability of machines to perform tasks that normally require human intelligence, such as reasoning, learning, decision-making, and problem-solving. It’s probably been contemplated in some quarters, that AI can also enhance or possibly surpass human capabilities in some domains, such as vision, speech, and natural language.

Understanding Artificial Intelligence in Healthcare

AI in healthcare is the use of machine-learning algorithms and software, or artificial intelligence, to mimic human cognition in the analysis, presentation, and comprehension of complex medical and healthcare data, or to exceed human capabilities by providing new ways to diagnose, treat, or prevent disease.

AI in healthcare can be classified into three main types:

Machine learning (ML): This is the process of training machines to learn from data and make predictions or decisions based on patterns or rules. ML can be further divided into supervised learning (where the machine learns from labelled data), unsupervised learning (where the machine learns from unlabelled data), and reinforced learning (where the machine learns from feedback or rewards).

Natural language processing (NLP): This is the process of enabling machines to understand and generate natural language, such as text or speech. NLP can be used for tasks such as information extraction, sentiment analysis, text summarization, question answering, and conversational agents.

Computer vision (CV): This is the process of enabling machines to perceive and interpret visual information, such as images or videos. CV can be used for tasks such as face recognition, object detection, scene understanding, medical imaging analysis, and gesture recognition.

AI in healthcare can also involve other technologies, such as robotics (the use of machines to perform physical tasks), the Internet of Things (the interconnection of devices and sensors that collect and exchange data), blockchain (the use of distributed ledgers to store and verify transactions), and cloud computing (the use of remote servers to store and process data).

Applications of AI in Healthcare

AI has many applications in various fields and industries, but one of the most promising and impactful areas is healthcare and medicine. AI can help improve the delivery and quality of health services, advance medical research and innovation, as well as empower patients and communities.

Let us delve into the remarkable applications of AI in the healthcare domain, where its potential knows no bounds.

  1. Diagnosis and medical imaging: AI can help improve the speed and accuracy of diagnosis and screening for diseases by analysing various types of data, such as symptoms, medical history, lab tests, genetic information, and imaging scans. For instance, AI can help detect skin cancer by comparing images of skin lesions with a database of known cases or diagnose diabetic retinopathy by analysing retinal photographs for signs of damage.

    By augmenting human expertise, AI can enhance diagnostic accuracy, leading to earlier detection of diseases such as cancer. Case studies have shown remarkable success in AI-assisted radiology, revolutionizing the way we identify early-stage cancers and potentially saving countless lives.

  2. Predictive analytics and personalised treatment: AI can assist with clinical care by providing recommendations or guidance for optimal treatment plans, dosages, or procedures based on patient characteristics, preferences, and outcomes. For example, AI can help optimize radiation therapy for cancer patients by generating personalized plans that minimize damage to healthy tissues or assist surgeons with robotic tools that enhance precision and control.

  3. Research: AI can help advance medical research and innovation by discovering new insights, hypotheses, or solutions from large and complex datasets, such as clinical trials, genomics, or population health. For example, AI can help design new drugs by screening millions of molecules for potential efficacy and safety or find new links between genetic codes and diseases by analysing patterns across genomes.

  4. Public health: AI can help improve public health interventions, such as disease surveillance, outbreak response, and health systems management by monitoring, predicting, and responding to health events or trends at local or global scales. For example, AI can help track the spread of infectious diseases by analysing data from social media, news sources, or mobile devices, or optimize the allocation of health resources by forecasting demand and supply based on historical data and real-time information.

  5. Administration and virtual assistants: AI can help improve the efficiency and performance of administrative and operational workflows, processes, and financial operations by automating or streamlining tasks that are repetitive, time-consuming, or susceptible to errors. For example, AI can help automate the processing of insurance claims or billing by extracting and validating information from documents or images as well as reduce fraud and waste by detecting anomalies or inconsistencies in health data or transactions.

Benefits of AI in Healthcare

AI for health has the potential to bring positive impacts to various stakeholders, such as patients, providers, researchers, policymakers, and society at large. Here are some benefits of AI in healthcare:

  1. Improve accuracy, speed, and scalability: AI can help improve the quality and reliability of health services by reducing errors, delays, and variability that may arise from human factors, such as fatigue, bias, or inconsistency. AI can also help scale up health services by reaching more people or places that may have limited access to human expertise or resources.

  2. Reduce costs and increase efficiency: AI can help reduce the costs and inefficiencies of health systems by optimizing the use of assets and resources, such as equipment, staff, or facilities. AI can also help prevent or minimize errors or adverse events that may result from human mistakes or malpractice, such as misdiagnosis, medication errors, or surgical complications.

  3. Enable personalised and preventive care: AI can help tailor health services to the individual needs and preferences of each patient by considering their respective characteristics, such as genetics, lifestyle, or environment. AI can also help prevent or delay the onset or progression of diseases by identifying risk factors or early signs of illness and providing timely interventions or recommendations.

  4. Empower patients and communities: AI can help empower patients to take greater control of their respective health care and better understand their evolving needs by providing them with access to information, education, or support. AI can also help engage and mobilize communities to participate in health promotion or protection activities by providing them with feedback, incentives, or social networks.

The greatest opportunity offered by AI is not reducing errors or workloads, or even curing cancer: it is the opportunity to restore the precious and time-honoured connection and trust.

Conclusion:

Without any doubt, the fusion of AI and healthcare offers unparalleled potential for improved patient outcomes, operational efficiency, and personalized care. However, whilst the promises of AI in healthcare are immense, AI for health also poses significant challenges and risks for health systems, such as ethical, social, and technical issues.

In the next article in the series, we’ll delve into some of these challenges and proffer possible solutions to these challenges to ensure responsible AI adoption in healthcare.

Arrivederci; take care, see you around soon.

In the meantime, if you’re interested in learning more about AI in healthcare, you can check out these resources:

  • IBM: This website provides an overview of AI in healthcare, its benefits, use cases, solutions, and resources.
  • Wikipedia: This article provides a comprehensive introduction to AI in healthcare, its history, applications, challenges, ethics, and future.
top cybersecurity risks trends and predictions for 2023

Top Cybersecurity Trends and Predictions for 2023

, , , , , , , , , , , , , ,

Without a doubt, 2022 has been such an eventful year in the world of cybersecurity. There were over 2.8 billion reported cases of malware attacks worldwide and over 236 million reported cases of ransomware attacks just in the first half of the year.

In 2022, the government of Costa Rica declared a state of emergency and Toyota was forced to shut its 14 factories in Japan, following different and several cyberattacks.

As we enter the last few hours of 2022 and look forward to 2023, cybersecurity remains top of the agenda for the leaders of several businesses and organizations worldwide.

It is, therefore, natural to start thinking about what the next year might bring in terms of cybersecurity trends and predictions, and help inform decisions on information security strategies and budgets.

Here are my top 10 cybersecurity trends and predictions for 2023:

Ransomware Attacks

Ransomware attacks, in which hackers encrypt a victim’s data and demand payment to decrypt it, have been a major problem in recent years. These attacks are likely to continue in 2023, as hackers find new ways to target businesses, organizations and individuals across different spectrums in different societies and cultures.

Remote Work Security

The shift towards remote work, accelerated by the COVID-19 pandemic, has created an increased need for secure remote access solutions. The nature of remote work is changing and more organizations are adopting policies and environments that allow their employees to carry out their respective tasks remotely more effectively.

In 2023, we can expect to see a continued focus on this area, as organizations look for ways to protect their networks and data while employees are working remotely.

Further developments in this area include the adoption of virtual private networks (VPNs) and other secure remote access technologies, as well as the implementation of strong authentication protocols and the use of multi-factor authentication.

Another major trend in this space is something known as Decentralized Security; a comprehensive network of proactive and reactive defenses with built-in machine learning features that monitor endpoints, identities, and access regardless of who the users are, what they do, or wherever they may be connected from.

Supply Chain Attacks

Supply chain attacks involve compromising the security of a third-party vendor or supplier to gain access to an organization’s systems or data. These attacks can be difficult to detect and prevent because they usually do not involve any direct interaction with the target organization.

Organizations can establish steps to mitigate against such attacks including implementing secure supply chain practices, conducting thorough random checks on their suppliers, and implementing incident response plans.

A recent policy statement published by the Bank of England outlines regulations that affect financial institutions regarding outsourcing and third-party risk management.

New Technologies & More Attack Vectors

As new technologies emerge, they will also bring new attack vectors for hackers to exploit. In 2023, we may see an increase in attacks targeting the internet of things (IoT), as well as attacks targeting emerging technologies such as 5G networks and quantum computers.

Artificial Intelligence and Machine Learning

Artificial intelligence (AI) and Machine Learning (ML) have already started to play a significant role in cybersecurity, and this is likely to continue in 2023. These technologies can be used to analyze large amounts of data and identify patterns and anomalies that might indicate a security threat.

One example of this is the use of AI and machine learning to analyze log data and identify unusual activity that might indicate a cyberattack. This can help organizations respond more quickly to threats and minimize the damage caused by an attack.

Regulation and Compliance Requirements

As cybersecurity threats continue to evolve and become more sophisticated, we are likely to see increased regulation and compliance requirements in the coming year. This may include new laws and regulations that require organizations to implement certain security measures, as well as increased penalties for organizations that fail to meet these requirements.

Last year, I wrote an article about the Digital Operational Resilience Act (DORA) regulation proposed by
the European Union (EU).

With DORA, the EU aims to harmonize and improve risk management and operational resilience within the financial sector across the region by addressing many of the issues that concern leadership, governance, and continued operations through a severe operations disruption as well as establishing an oversight framework for managing ICT critical third-party providers (CTPPs).

The Council of the European Union (i.e., EU Council) recently adopted DORA as policy across the region.

Evolution of Cyber Threats

Cyber threats are constantly evolving, and we can expect to see new types of attacks and tactics in 2023. As hackers become more sophisticated, they will continue to find new ways to target organizations and individuals.

To protect against these evolving threats, it will be important for organizations to stay informed about the latest developments in cybersecurity and to implement effective security measures. This may involve investing in new technologies and training employees to recognize and respond to potential threats.

Cloud Security Solutions

The use of cloud-based security solutions is likely to increase in 2023, as organizations look for ways to protect their data and systems in the cloud. This may include the use of Cloud Access Security Broker (CASB) services and other cloud security technologies.

Zero-Trust Security Models

Zero-trust security models, which assume that all users and devices are untrusted until proven otherwise, are likely to become more popular in 2023. These models can help organizations protect against insider threats and ensure that their networks and systems are secure.

We can expect more security products and services to be compliant with zero-trust models, satisfying all seven tents of the NIST 800-207 model on zero-trust, as an example.

Data Privacy and Protection

As more data is collected and stored online, the protection of personal and sensitive information will continue to be a major concern in 2023. Organizations will need to implement strong data privacy measures to ensure that they comply with applicable laws and regulations as well as protect against data breaches.

“How do we effectively protect our consumers’ information from unauthorized access, use, and abuse?” This is just one of many pertinent questions that information security and risk leaders must anticipate for the future and plan accordingly.

Cybersecurity Insurance

According to a recent report, the global cybersecurity insurance market size is expected to reach US$32.6 billion by 2028.

As the risks of cyberattacks continue to grow, we can expect to see an increase in the use of cybersecurity insurance in 2023. This type of insurance can helps organizations protect against the financial impacts of a cyberattack and ensure that they have the resources to recover from an incident.

We’re falling into this old habit of trying to treat everything the same as we did in the past… This simply cannot continue. We need to make sure that we are evolving our thinking, our philosophy, our program, and our architecture.

— Sam Olyaei, Gartner Analyst

In conclusion, 2023 is likely to see an increase in supply chain attacks, state-sponsored cyberattacks, a continued focus on the security of remote work, the emergence of new technologies and attack vectors, and the growth of ransomware attacks. However, it will also be a year for some organizations to derive benefits from their investments, preparedness, and innovations in information security and regulatory compliance best practices.

digital operational resilience act

How the Proposed Digital Operational Resilience Act (DORA) Could Impact Your Organization

, , , , , , , , , , , , , , , , , ,

In the autumn of 2020, the European Commission (EU) published the proposed Digital Operational Resilience Act (“DORA”) new regulation.

With the rise of blockchain and digital banking, the nature of finance requires some adjustments.

Unfortunately, as supply chain compromises and cyberattacks affecting several organisations; including Target, Tesla, SolarWind, FireEye, and Microsoft Office 365; indicate, all aspects of digital commerce and ever-increasing dependency on Information and Communication Technologies (ICT) pose significant real and present risks, particularly regarding ICT third-party suppliers.

In the Threat Landscape 2020 report; published by the European Union Agency for Cybersecurity (“ENISA”); phishing, identity theft, and ransomware continue to be top cyber threats faced by businesses and organisations in the EU.

With DORA, the EU aims to harmonise and improve risk management and operational resilience within the financial sector across the region by addressing many of the issues that concern leadership, governance, and continued operations through a severe operations disruption as well as establish an oversight framework for managing ICT critical third-party providers (CTPPs).

It is envisaged that the EU parliament, European Council, and the European Systemic Risk Board (ESRB) will engage in several negotiations and debates over DORA with institutions in the coming months, with appropriate laws established very quickly thereafter.

What is Digital Operational Resilience?

Operational resilience is the ability to develop and maintain capabilities, processes, systems, and cultures within an organisation to help ensure the continued provision of services at the expected minimum quality level in the face of operational disruptions.

Operational resilience has always been a key strategic objective in several business sectors including the financial, utility, transport, and ICT service providers. Operational resilience has become an increasingly key subject in countries such as United Kingdom, Australia, United States, and Canada.

Digital operational resilience focuses specifically on the operational disruptions that affect ICT capabilities, services, and processes.

What is DORA?

DORA is the proposed regulation to expand and improve digital banking within the EU system while managing and avoiding the potential risks that are inherent to relying on ICT.

Objectives of the proposed regulation include:

  1. Ensuring that all financial entities have proper risk management protocols in place to track and monitor all ICT functions and asset transfers. This risk management protocol will also feature an assessment of any weak points or vulnerabilities within the system and improve regulatory reporting.

  2. Financial institutions will have a well-structured incident reporting system to report, track and address all ICT related incidents that affect their respective networks.

  3. Institutions will be responsible for constantly testing and assessing the competency and resiliency of their respective ICT system to identify any vulnerabilities.

  4. All third-party activity will be assessed, tracked, and monitored regarding any risk and mitigated by any contractual acknowledgement and agreement relative to network risks and vulnerabilities.

  5. Information exchange between institutions will be monitored and guided relative to minimizing the threats due to cyber-criminal activity.

What is the scope of DORA?

The proposed DORA regulation is expected to cover organisations within the financial sector including retail and commercial banks, electronic money transfer organisations, credit and lending agencies, insurance and reinsurance firms, and investment firms.

Also, it is envisaged that DORA will require that CTPPs, including cloud service providers, managed service providers, data analytics service providers, and audit service providers come under the supervision and oversight of the European Supervisory Authorities (ESA).

Established and confirmed non-compliance with obligations and commitments outlined in DORA regulation will be expected to carry significant penalties.

A [financial institution’s] use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws [and regulations, just as if the institution were to perform the activities in-house].

What are the key elements of the proposed DORA regulation?

Much of the concerns relative to DORA are regarding third-party risk management and mitigating infringements against financial institution security measures.

Third-party management is often sought as a more cost-effective measure for monitoring network systems and performing system checks. Unfortunately, when there are abundant vendors, suppliers and other components regularly participating and contributing to an organisation’s ICT capabilities, processes, and functions it is reasonable to expect that monitoring and identifying security breaches can become a costly and complicated process.

DORA provides a much greater incentive and structure for properly monitoring and tracking third-party involvement. Institutions will be encouraged to automate vendor onboarding where possible while tracking all vendor activity to ensure that any disruptive activity is immediately identified and addressed. Such activity will be recorded in business continuity plans, providing regulators and any security providers consistent access to ICT service usage.

DORA will also institute and regulate the various ESA who will be responsible for reporting any major ICT threats to the respective national regulator. The ESA would also be responsible for evaluating whether respective third parties have respective and effective monitoring systems to track and record any malicious network activity.

This system, in addition to instituting early-warning threats for any cyber encroachment activity and regulating which providers are reputable, will allow financial organisations to better monitor their ICT dependencies more closely.

How will the proposed regulation affect financial organisations?

As the proposal passes through the European parliament for review and revision, various organisations are considering the potential impacts and implementation strategies relative to DORA.

  1. European Union

    Given the interconnectedness of member nations, the EU is playing a critical role in the implementation of risk management measures such as DORA. Given the increasing risk of crypto assets and the advent of digital ledger, having a secure network that provides clear regulatory guidelines for financial institutions and third-party vendors across member nations will help to create a more stable financial ecosystem.

  2. Bank of England (BoE)

    Despite having left the European System of Central Banks (ESCB) since the start of Brexit, the Bank of England has been trying to mitigate its security breaches relative to third-party service providers. Creating an integrated financial network that ensures safety for all institutions within and outside of the EU is beneficial for all parties, including the Bank of England.

  3. Financial Sector

    As financial institutions, lending agencies and all digital vendors become more dependent on ICT for conducting transactions and managing accounts, ensuring a more fluid and streamlined operation that cannot be compromised will facilitate greater compatibility for vendors, suppliers, and users.

  4. Third-Party Risk Management (TPRM)

    As already noted, one of the main priorities that DORA seeks to address is the lack of regulatory power over third-party security concerns. Greater regulation will allow more streamlined interaction between financial institutions and third-party vendors and network security suppliers to ensure that the confidentiality, integrity, and availability of dependent ICT capabilities, processes, and functions are constantly maintained, monitored, and assessed.

Are there potential obstacles to DORA implementation?

Yes, it is expected that some organisations would experience some challenges to effectively implementing DORA.

Some of these obstacles would include the organisation’s existing risk culture, inconsistent risk management policies and standards, ineffective risk management framework and practices, poor or non-existent TPRM policies and strategies, and the possible underestimation of efforts and commitments required to achieve operational resilience maturity.

eu proposed dora regulation

Is DORA the future?

The proposed DORA regulation is considered a vital step in creating a standardised regulatory framework for the digital operational resilience for financial services in the EU.

In a previous article, I had looked at how GDPR would “evolve” and continue to have expected impacts in the UK as it would across the EU region.

Given the significant penalties that would be imposed for non-compliance with DORA directives, it is perhaps reasonable to envisage that DORA could eventually have similar, if not greater, impacts in both the UK and the EU region as did GDPR, albeit with very different objectives.

As the economy shifts to the digital sphere and ICT capabilities and services become more inherent to financial and commercial activities, ensuring operational resilience becomes even more paramount. As the world waits for the outcome and implementation of the directives put forth through DORA, the power of digital finance will wait to be unleashed.

 

Back To Top
Management Wire

ManagementWire © 2015-2023. All rights reserved.

Terms of Use

Privacy Policy

Cookie Policy

Contact