CR2 pledge addresses cybersecurity concerns by advancing a risk-based approach that goes beyond compliance

The Coalition to Reduce Cyber Risk (CR2) announced a pledge that implements risk-based approaches to cybersecurity to enhance cyber resiliency and counter evolving cross-border cyber threats. The CR2 pledge, taken by a group of 37 companies and organizations from across eight countries, commits to internationally recognizing cyber risk management approaches and frameworks that are relevant across sectors and focus greater attention on cybersecurity. It also helps governments achieve their policy goals, bolster collective security, and enhance cyber resiliency across the ecosystem.

Among the signatory companies to the alliance are AT&T, Cisco, Cybereason, Exiger, IBM, Microsoft, NTT, Palo Alto Networks, Rakuten, SAP, Schneider Electric, Tenable, Trellix, and Verizon. The signatory associations to the CR2 pledge include the Coalition of Service Industries (CSI), Cyber Risk Institute, CyberPeace Institute, Cybersecurity Coalition, Health-ISAC, Information and Communications Technology Council (ICTC), Information Technology Industry (ITI), Telecommunications Industry Association (TIA), U.S. Chamber of Commerce, United States Council for International Business (USCIB), and the US-India Strategic Policy Forum (USISPF).

The CR2 pledge acknowledges that internationally recognized cybersecurity frameworks and standards are based upon the principles of risk management. These are relevant across sectors to provide consistency and continuity among interconnected sectors and throughout global supply chains.

To further advance the adoption of international approaches to cybersecurity risk management, the CR2 pledge commits to encouraging the development, evolution, and implementation of risk-based approaches based on consensus-based frameworks, standards, and risk management best practices, such as ISO/IEC 27110 and 27103, or the NIST Cybersecurity Framework. It also supports the efforts of vendors and supply chain contributors to adopt risk-based cybersecurity approaches that help small businesses flourish while improving the resiliency of the cyber ecosystem. 

The pledge also works on incorporating ISO/IEC 27110 and 27103, the NIST Cybersecurity Framework, or other widely accepted international cybersecurity standards as a foundation of cybersecurity policies and controls wherever applicable and feasible. It also periodically reassesses cybersecurity policies and controls against revisions to such cybersecurity standards and actively participates in industry-driven initiatives to improve those standards.

“CR2 is committed to driving a globally-aligned approach for managing cyber risk. Thirty-seven organizations from eight countries have signed the Cyber Risk Management Pledge, demonstrating the breadth of usage of international standards such as ISO/IEC 27110 and 27103, as well as the NIST Cybersecurity Framework and associated sector profiles,” Benjamin Flatgard, president of CR2 and executive director of technology and cybersecurity policy and partnerships at J.P. Morgan Chase, said in a media statement.

“Governments should embed widely used international standards at the core of their national cyber policies to facilitate a seamless approach to shared cyber risk,” Flatgard added.

Launched in 2018, the CR2 is a member-led non-profit syndicate that focuses on promoting ideal approaches to cybersecurity risk management globally. The composition of its membership provides CR2 with visibility into the interdependencies that drive the need for a common baseline, and critical insight into effective approaches to cybersecurity risk management. Members come from various sectors, including financial services, health, IT, energy, and telecommunications.

The CR2 coalition identifies that the fragmentation of cybersecurity requirements or a large volume of nation-specific requirements can be highly problematic, both for nations and enterprises. More specifically, if global regulations, including those related to cybersecurity risk management, fragment or conflict, cross-border flows of resources will be disrupted, negatively impacting economic growth and potentially curtailing the progress that has been made. 

Despite often useful objectives, the number of these efforts and the lack of cohesion across them are generating a significant risk of conflicting or competing security requirements. Conflicting and competing requirements not only increase costs for companies, diverting security resources toward compliance, but could also hinder the economic growth enabled by open markets and the security of essential cyber capabilities.

The CR2 pledge is the latest initiative to ramp up cybersecurity across organizations. Last week, the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced its highly-selective education program called the Operational Technology (OT) Defender Fellowship. The program has been designed to give middle- and senior-level OT security managers in the energy sector an opportunity to learn about the strategies used to target U.S. energy infrastructure, and the cybersecurity tools and tactics that the federal government is using to counter them.

Around the same time, the Operational Technology Cybersecurity Coalition (OT Cyber Coalition) also added four new members, including 1898 & Co., ABS Group, Network Perception, and Waterfall Security Solutions, who will join the Coalition in its first membership expansion.
