CYBER REPORTING – STRIKING THE RIGHT BALANCE

Cyber attacks continue to be one of the most dynamic risks faced by any organisation. The increasing scale and scope of incidents, the growing sophistication of threat actors, and the marked shifts in the attack surface stemming from changes in IT and cloud strategies are all creating an exposure landscape in a constant state of flux.

The priority status of digital threats was clearly demonstrated by our ‘2024 Global Risk Manager Survey Report’, in which both cyber attack and data breach were listed among the top five risks for the next 12 months. In fact, these risks have held top five status for the last six years.

In the race to stay one step ahead of threat actors, up-to-date and detailed intelligence on cyber attacks is a valuable asset for organisations and governments alike. It makes sense, therefore, that mandatory reporting of cyber incidents forms an integral part of the European Union’s (EU’s) Cybersecurity Strategy.

The implementation of a series of new cyber security policies by the EU over the past decade has helped bolster the bloc’s capabilities in mitigating and responding to cyber risk. However, with each new layer of cyber regulation have come extra requirements for organisations to report on cyber incidents, adding to reporting requirements from other jurisdictions, including the UK and the US.

We appreciate the need for cyber incidents to be reported, and the value of the information gleaned in helping EU authorities, businesses and citizens to better understand the cyber threat. However, it is evident that, as the volume of reporting requirements grows, there are areas where the burden on impacted organisations is becoming unnecessarily onerous, with the potential for overlap and duplication between regimes.

Apr-Jun 2025 Issue

Federation of European Risk Management Associations (FERMA)