‘Widely varying’ practices
Drawing on sources across ten jurisdictions, the report highlights the “widely varying” cyber-security practices across regions, which it attributes to differences in regulatory capabilities.
The IBA calls for “large-scale leadership” on the issue, and urges firms to set their own guidelines and standards apart from national legislation.
The report acknowledges the shared accountability between senior management and boards of directors to tackle cyber-security risks, and provides a number of recommendations to both parties:
- Understand the cyber-risk profile of the organisation,
- Ensure that the board and management have sufficient cyber-security expertise,
- Ensure appropriate reporting lines, so that cyber-risks are raised to leadership,
- Invest sufficient funds to meet cyber-security goals, and
- Review, understand and test the organisation’s cyber-incident response plans.
Board’s role ‘critical’
The report states that senior management’s role in day-to-day operations positions them well to map cyber-security risks and identify high-priority concerns. It says that senior managers are best-placed to select the policy most appropriate for their organisation, and are also responsible for ensuring internal compliance with it.
The report adds, however, that having a “well-advised and attentive” board with a thorough understanding of the financial and legal risks associated with poor cyber-security practices is “critical” for organisations.
It points out that recently enacted legislation in Australia, Germany, the UK and the US holds boards directly accountable for cyber-security oversight.
The ten jurisdictions covered in the report are: Australia, Brazil, Denmark, Germany, India, Israel, Singapore, Uganda, the UK and the US.
In Ireland, an EU directive on the security of network and information systems (the NIS Directive), transposed into Irish law in 2018, places a number of obligations on the State and on businesses in relation to cyber-security.