TMC's Advisor

The Advisor is published by TMC

Enforced Resilience

We are moving towards an age of enforced resilience – where governments around the world will mandate resilience as a way to protect services and systems that are vital to national security, public safety, economic priorities, international agreements, etc. So far, the focus is on cybersecurity and telecommunications, but the requirements may evolve to cover all areas of business resilience.

By Johnnie Denton

Johnnie Denton is the editor of The Advisor, a researcher, and oversees TMC benchmarking studies.

The Bandwagon

Australia, the US, Europe, Canada and other countries realize that some services and systems should be more closely regulated as being critical to national security and public safety, as well as other factors such as a thriving economy.

CIO Magazine recently ran the headline “The NIS2 Directive: why cyber-resilience is the new normal for European organisations”. In 2022, The Harvard Business Review ran the headline “New Cybersecurity Regulations Are Coming. Here’s How to Prepare.” Two months ago, the government of Australia released its 2023-2030 Australian Cyber Security Strategy. It is also proposing amendments to the Security of Critical Infrastructure Act 2018 to strengthen protections for critical infrastructure.

Canada’s Version

In Canada, it’s Bill C-26 “which would establish a regulatory framework to strengthen baseline cyber security for services and systems that are vital to national security and public safety and gives the Government a new tool to respond to emerging cyber threats. It would also introduce a regulatory regime requiring designated operators in the finance, telecommunications, energy and transportation sectors to protect their critical cyber systems. This is in addition to proposed amendments to the Telecommunications Act, and consequential amendments to other Acts which are also part of the Bill.” The bill passed in March 2023 and covers the sectors of finance, energy, telecommunications, and transport.

The government of Canada website says “The Act increases cyber threat information sharing and provides the Governor in Council (GIC) with the power to issue Cyber Security Directions (CSDs). A CSD could be issued to direct a designated operator or classes of operators to comply with any measure set out in the direction to protect a critical cyber system.”

They go on to say that “Decision-making by the Governor in Council ensures that a broad range of relevant factors – including national security, economic priorities, trade, competitiveness, international agreements and commitments – are considered when making decisions that have an impact across sectors.”

Looking to the Future

Insurance companies are starting to demand declarations from businesses applying for insurance that they have developed plans for cybersecurity resilience (business continuity plans that include a strong focus on cybersecurity risk mitigation and recovery).

Cyber resilience is becoming ever more important. A good business continuity plan with a strong focus on cybersecurity makes good business sense, as it can protect you from a business failure caused by a cyber-attack. In the future it may also become a requirement before you can buy insurance or renew an operating licence.

If you’d like to discuss how to improve your business continuity plan or to comment on this article, please email me at .

This article was published in the January 2024 edition of The TMC Advisor - ISSN 2369-663X Volume:11 Issue:1

©2024 TMC Consulting