New IBA Report provides Global Perspective on Cybersecurity Risk Governance

The International Bar Association (“IBA”) Presidential Task Force on Cybersecurity and the IBA Legal Policy & Research Unit (“LPRU”) have issued a new report which is set to be the first of its kind, offering a global perspective on cybersecurity risk governance. Building upon the 2018 IBA Cybersecurity Guidelines, one of the purposes of this report is to guide senior executives in safeguarding their organisations from cyber risk, while harmonising efforts globally for effective and holistic protection against cyberattacks.

Although the scope of this report is global, it draws on sources from Task Force members spread across ten jurisdictions, which include Denmark, Germany, India, and the United Kingdom.

Cybersecurity is fast becoming a primary concern for society at large, driven by the rise of 5G networks, quantum computing and devices linked to the Internet of Things. Consequently, regulatory bodies are currently developing legal guidelines and standards to counteract the increase in cyber-attacks. Nonetheless, company leaders have to go beyond simply abiding by such regulations and must strive to proactively establish security frameworks and strategies.

The report is divided into country-level case studies. The differences in regulatory capabilities between countries enable the report to highlight the distinctive cybersecurity practices across different regions. It also emphasises the importance of large-scale leadership and of setting guidelines and standards which can fill any lacunae in existing national legislation. While acknowledging that senior management and boards of directors share accountability when it comes to cybersecurity risks, the new IBA report puts forward the following seventeen recommendations:

  1. Understanding the cyber risk profile of the organisation;
  2. Understanding the key information assets to protect;
  3. Understanding the significant regulatory requirements;
  4. Determining the appropriate risk tolerance of the organisation;
  5. Understanding what cybersecurity standards the organisation is using;
  6. Ensuring appropriate risk decisions on protecting key information assets;
  7. Ensuring periodic risk assessments are conducted;
  8. Establishing clear lines of control over cybersecurity and cyber risk management;
  9. Ensuring the board has sufficient cybersecurity expertise;
  10. Ensuring management has sufficient cybersecurity expertise;
  11. Investing sufficient funds to meet cybersecurity goals;
  12. Understanding the cybersecurity testing, training program and review results;
  13. Ensuring that senior management and board receive regular updates;
  14. Ensuring the appropriate reporting lines so that cyber risks are raised to leadership;
  15. Assessing changes in cyber risk posture caused by business developments;
  16. Reviewing, understanding, and testing the organisation’s cyber incident response plans; and
  17. Overseeing the response to significant incidents.

Because of their day-to-day role, senior management are able to accurately track internal knowledge, external support and expertise, and cross-functional collaboration. This allows them to choose the best-fitting policy for their organisation. Senior management is responsible for ensuring internal compliance and, as the primary reporters to the board, can also suggest timely analyses, assessments and updates.

At present, it is optimal for organisations that the Board of Directors are well-versed in the financial and legal risks linked with poor cybersecurity practices. It would also be beneficial to have supervisory boards, allowing for a top-down approach to cybersecurity prioritisation.
