By Kris Lovejoy, Global Cybersecurity and Resiliency Leader at Kyndryl
As critical infrastructure industries embrace digitization, ensuring the resilience of their digital systems and infrastructure becomes crucial to maintain the continuity of operations and protect against cybersecurity breaches or disruptions.
The European Union and the U.S. have taken the lead in seeking to normalize and codify safer practices for managing cyber threats facing entities across sectors and industries. Other governments and multilateral organizations are taking similar steps and adopting new cybersecurity regulations, strategies and policies to address and mitigate such risks. The collective goal is to put in place data management and risk mitigation protocols that enable the world to function, while limiting opportunities for (and planning for cyber recovery from) disruption by bad actors.
Examples of these regulations include the EU’s Digital Operational Resilience Act (DORA), which applies from Jan. 17, 2025; the EU’s revised Network and Information Security Directive (NIS 2), which Member States must transpose into national law by Oct. 17, 2024; and the U.S. Securities and Exchange Commission’s (SEC) cybersecurity disclosure rules, with compliance required from Dec. 18, 2023.
Headlines around the SEC’s rules have focused on the new reporting timeline for “material” cybersecurity incidents, which must be disclosed on Form 8-K within four business days of the company determining that an incident is material. Far less attention has been paid to a requirement that affects companies even in the absence of a major incident: beginning with annual reports for fiscal years ending on or after Dec. 15, 2023, public companies must describe their processes for assessing, identifying and managing material cybersecurity risks, their board of directors’ oversight of those risks and management’s role in handling them.
Similarly, DORA makes the management body (in practice, the board of directors) of nearly every financial entity regulated in the EU ultimately responsible for managing information and communication technology (ICT) risk and for the firm’s digital operational resilience strategy. Boards will have to take more direct ownership of cybersecurity risk, including ensuring compliance with DORA’s technical and policy requirements on ICT risk management, incident reporting, resilience testing and third-party risk.
Canada, the UK and Australia also are advancing efforts to implement similar regulatory frameworks.
Emerging Cyber Resiliency Regulations for Businesses
While companies continue their efforts to contend with cyber threats, businesses now face the added burden of complying with these and other new cyber resiliency regulations. Here are five ways companies can anticipate cyber threats, protect against them, withstand their impact and quickly recover critical IT environments:
1. Build awareness at the board level and engage the business from the start
Emerging cybersecurity regulations demand board-level engagement. Accordingly, this is not the time for silos in any business. Cybersecurity is not a “niche” issue. It is the concern of everyone across the enterprise, including the board, corporate leadership and employees.
2. Establish a “minimum viable company”
An enterprise’s “minimum viable company” is the smallest set of business processes, people, applications, data and infrastructure without which the organization cannot sustain operations or advance its core business objectives. Cyber defense and resiliency efforts, including recovery priorities, should begin with this core and expand outward.
3. Take inventory and determine risk
Organizations with large and complex IT estates need to know what assets they have, which business functions depend on them, what steps are needed to protect them, and how likely each is to be targeted given its function and exposure. In other words, identify your organization’s Achilles’ heel, then protect it first.
4. Develop a crisis management plan and practice for disruption
This is the time for anticipation and preparedness to manage the inevitable. When it comes to cyberattacks, it is not a question of “if” but “when.” A written crisis management plan is only as good as the last time it was exercised: rehearse it through tabletop exercises with executives and technical teams, and regularly verify that critical systems can actually be restored from backups within the time the business can tolerate.
5. Move to a “zero trust” framework and update your cyber resilience strategy regularly
Bad actors, whether state sponsored or small criminal groups, are innovative and adaptive. A zero trust approach assumes that no user, device or network segment is trusted by default and verifies every access request on its own merits. Pair it with a cyber resilience strategy that is revisited regularly as threats, the IT estate and the regulatory landscape change. Be ready, and don’t take the adversary for granted.
The bottom line is that cybersecurity and resiliency are everybody’s business — especially in the face of new EU and U.S. regulations that could add penalties on top of business disruption, loss of revenue and damage to a company’s reputation. It’s essential for governments and enterprises to take a proactive approach to anticipate, protect against and recover from adverse cyber events.