The increasing complexity of technology regulation presents investors and regulators with considerable challenges. This English-language article by Yuri Bobbert, professor and CEO of Anove International, discusses three strategies to relieve the pressure on companies and regulators: improving governance, implementing a digital due diligence strategy, and creating proactive in-control statements through a top-down approach. These measures are crucial for effective cybersecurity and compliance in an increasingly complex digital landscape.
Introduction
The growing complexity of tech regulations, heightened cybersecurity demands, and due diligence in mergers and acquisitions (M&A) present significant challenges for investors and supervisory bodies. The surge in regulatory requirements, such as the EU General Data Protection Regulation (GDPR), the Security of Network and Information Systems (NIS) directives, and the EU Digital Operational Resilience Act (DORA), has sharply increased the burden on enterprises and regulatory bodies. This paper discusses three key strategies to alleviate these burdens: improving governance, implementing a digital due diligence strategy, and creating proactive in-control statements through a top-down approach.
The Problem and Its Scope
Regulatory and industry requirements related to cybersecurity have increased significantly. These requirements include DORA, ISO 27001, and the Payment Card Industry Data Security Standard (PCI DSS). Enterprises often struggle to manage these regulations effectively, which has led to numerous violations, particularly regarding the technical and organizational measures that GDPR requires for information security. The primary issue is that enterprises must demonstrate compliance not only on paper but also through robust technological and procedural implementations. The increasing complexity of these regulations necessitates enhanced due diligence and proactive measures, such as in-control statements, to ensure compliance and reduce the burden on both enterprises and regulatory bodies.
Good Governance
Effective governance is crucial for managing cybersecurity and compliance. Adopting established frameworks, such as NIST SP 800-53 and NIST SP 800-207 in the United States, provides a structured approach to digital security. The top-down governance model, akin to the Sarbanes-Oxley Act (SOX) for financial reporting, ensures comprehensive monitoring and good stewardship. Such frameworks facilitate the detection of deviations and encourage control owners to adhere to security standards. Implementing good governance practices simplifies compliance and fosters a culture of accountability and transparency within the organization.
Challenges in the Acquisition Market
In the context of M&A, cybersecurity due diligence has become critical. Buyers impose stringent conditions on sellers regarding data and privacy, making thorough digital due diligence indispensable. Failure to conduct adequate due diligence can lead to significant financial losses and reputational damage, as exemplified by the Yahoo-Verizon deal, where inadequate security measures led to a substantial reduction in the acquisition price. Digital due diligence involves assessing the target company’s technology stack, including hardening, access management, intellectual property protection, and code security. Identifying and mitigating security risks before acquisition ensures seamless integration and minimizes disruptions, thereby protecting the investment.
Conducting Digital Due Diligence
Both sellers and buyers can streamline the acquisition process by revealing their security status based on frameworks like CIS 8, ISO 27001, or ISO 27701. Sellers should provide periodic statements indicating their control over digital security, risk, and privacy. Buyers, on the other hand, need to assess the enterprise’s in-control statements and evaluate the security of valuable assets. This process involves identifying highly valuable assets, assessing risk factors, and evaluating implemented controls based on established frameworks. Financiers may also require thorough assessments to determine the enterprise’s value and potential technology debt.
In-Control Statements as a Solution
In-control statements provide a concise overview of the status of controls in a privacy and security management system. These statements are already common in highly regulated environments like finance and can be adapted for broader use. They save supervisory authorities time and resources by providing a quick and reliable means of verifying compliance. The principle of “test once, comply many” can be employed by mapping overlapping controls across different frameworks. This allows enterprises to submit a single in-control statement attesting to their adherence to multiple frameworks, thereby simplifying compliance processes.
Conclusion
Digital due diligence and implementing in-control statements are essential for effective cybersecurity management and compliance. These measures are crucial for maintaining investor confidence and regulatory compliance in an increasingly complex digital landscape. Adopting a proactive approach to cybersecurity and compliance will prevent enterprises and regulatory bodies from being overwhelmed by regulations and ensure a stable economic environment.
Author profile:
Prof. dr. Yuri Bobbert
Academic Director & Professor of Information Systems Management
Antwerp Management School (AMS)
University of Antwerp (UAntwerp)