Cyber-risk: what audit committees and boards need to know now

Over the past few years, many companies have seen a dramatic change in the cyber-risk landscape. The change is driven by a rise in the importance of digital assets, growing sophistication of cyber-attacks (sometimes called Advanced Persistent Threats), and the extension of the corporate network to include the networks of customers, suppliers, and others.

Cyber-criminals frequently seek to extort money, cause business interruption, steal Personal Identifiable Information (e.g., Social Security Numbers, patient and client data) and gain access to intellectual property (e.g., business plans, trading algorithms, product designs, and source code).

High-profile breaches and their monetary impact have caused boards and audit committees to take notice. Target’s now infamous cybersecurity breach has cost the company $162 million to date in breach discovery, response and notification, litigation and fines. Other well-known data breaches—including Anthem, Vodaphone, Adobe, Sony, Home Depot, and JP Morgan Chase—have cost shareholders additional millions.[1]

According to a recent Ponemon Institute/IBM study, an average breach can cost as much as one to two hundred dollars per record.  In such cases, companies typically incur both direct costs (forensics experts, lawyers, victim identity protection services) and indirect costs (time, effort, and resources to resolve a breach).  In addition, there is increased scrutiny by federal and state agencies among them the SEC’s Office of Compliance Inspections and Examinations (SEC OCIE), Health and Human Services’ Office for Civil Rights (HHS OCR), Office of Comptroller of the Currency (OCC), state attorneys general, and state insurance regulators.

Because the board and audit committee has oversight for cyber-risk, they need to communicate the importance of cybersecurity to management and staff. They must ensure that management is allocating the necessary resources to implement an effective, enterprise-wide cybersecurity risk-management program.

Cyber-risk oversight leading practices

The National Association of Corporate Directors (NACD)[2] recommends that audit committees and corporate boards follow these five key principles to help their organizations manage cyber-risk:

1. Understand and approach cybersecurity as an enterprise-wide risk-management issue, not just an IT issue.

Historically, organizations have characterized cybersecurity as an information technology issue to be handled by the IT department. Yet, many decisions are made on a day-to-day basis throughout the organization which can significantly raise a company’s cyber-risk profile. For instance, contracting with third-party service providers, such as cloud vendors may elevate cyber-risk as can acquiring a company with poor cybersecurity controls or introducing a new service or product that handles sensitive customer information.  

Business operations must ensure that the company’s Information Security Officer is involved in the deliberative process for initiatives that may increase cyber-risk exposure.   

2. Directors should understand the legal implications of cyber-risks as they relate to their company’s specific circumstances.

The legal risks of cybersecurity can affect both the organization and the individual directors or audit committee members. For instance, contracts with customers and third-party suppliers may be executed without the involvement of the general counsel or may contain language that does not effectively protect the organization from lawsuits.

Ensuring that contracts are reviewed by counsel before being approved can help to protect the organization against lawsuits. Also, contracts should be reviewed periodically to ensure that they adequately address changes to cybersecurity and privacy laws and regulations.  

3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.

According to a recent NACD survey, 87 percent of corporate boards need to improve their understanding of IT risk.

In response, some boards are considering adding directors with cybersecurity/IT risk expertise, while others seek out regular briefings from third-parties, external auditors, outside counsel, and others with the requisite expertise and industry knowledge. The Chief Information Officer and/or Information Security Officer should provide the board with regular briefings on the company’s cyber-risk management activities.

4. Directors should set an expectation for management to establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

Oversight begins with setting priorities. Management should allocate adequate resources and incentives to implement a comprehensive, integrated, enterprise-wide risk management program. That program should be supported by a robust cybersecurity framework, such as those established by the National Institute of Standards and Technology (NIST), the International Organization of Standardization (ISO), and other organizations.  

5. Board-management discussions about cyber-risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

Total absence of cyber-risk is virtually impossible in a connected world, but boards and audit committees need to consider cyber-risk mitigation investments and how they should be allocated, options available to transfer certain cyber-risks, how the impacted cyber events should be assessed, and how the organization should respond in the event of a breach. 

Elements of an oversight plan

Board and audit committee members should ensure that management includes these tactics when devising and implementing a cybersecurity risk-management plan:

• Due diligence. Perform ongoing monitoring of internal activities and outside vendors
• Contracts. Specify data protection and usage and shared data breach response plans
• Risk assessment. Perform a risk assessment before introducing any new product or service, and before outsourcing any function
• Training. Develop and train on cybersecurity awareness and policies for staff at all levels
• Cyber insurance. Ensure the board or audit committee fully understands current insurance coverage

When to use outside resources

If the board or audit committee lacks the expertise or resources to evaluate cyber-risk, or wants to validate the company’s program, an outside party can provide a valuable perspective.

Outside experts should have the resources and expertise to:

• Assess the organization’s security governance framework
• Help companies understand relevant data protection requirements
• Provide leading practices from other industries and from similar companies
• Provide guidance on vendor management cybersecurity practices

For more information on this topic, or to learn how Baker Tilly technology risk specialists can help, contact our team.

[1] SecurityWeek, Target Data Breach Tally Hits $162 Million in Net Costs, Feb. 26, 2015.

[2] Source includes the Cyber-Risk Oversight Director’s Handbook Series 2014 by the National Association of Corporate Directors.