Cybersecurity a Top Priority for Audit Committees
Audit committees consider cybersecurity to be their primary focus in oversight as the SEC begins enforcing tougher regulations regarding cyberattack disclosures.
According to a report from the Center for Audit Quality and Deloitte, nearly seven in 10 (69%) of audit committee members regard cybersecurity as a primary concern, and 30% ranked it as their highest risk priority.
The report also found just under half (48%) of committee members see enterprise risk management as a significant concern, with 16% considering it their top priority.
Overall, cybersecurity oversight in financial services companies is typically divided between the audit committee (38%) and risk committee (26%).
In contrast, non-financial organizations mostly rely on the audit committee (64%), with minimal involvement from the risk committee (3%), likely due to regulatory requirements mandating risk committees for financial firms.
A minority of respondents (24%) reported that their audit committee possessed sufficient expertise, while the majority highlighted cybersecurity (44%) as the skill most needed to enhance committee effectiveness.
Gareth Lindahl-Wise, CISO at Ontinue, says the reality is that the first job of the audit committee is to try and properly understand the risk factors.
“In no way read into this that I am suggesting it is their task alone,” he says. “What they need to do is be adamant about having their questions answered so that they can attempt to assess the risk.”
He adds if a “translation” between the CISO or equivalent and the audit cannot be reached, the audit committee should consider an intermediary to help with the alignment and understanding.
From Lindahl-Wise’s perspective, defined, budgeted, and managed activities to address cyber risks are, in reality, the new norm.
“The level of reporting to regulatory bodies will vary, but there must be a tangible line of sight between risk and action,” he says.
Should the entity be unfortunate enough to suffer a breach, these established documents and the governance processes around them will be front and center for inspection.
“I would argue the reporting of breaches is becoming a more normalized process, articulating your security program at the time much less so,” he explains.
While threats will continue to evolve, the fundamentals of security are proven time and again, focused on issues of importance, access, and control.
“What is changing is the speed and ease that weaknesses in those controls can be found and exploited,” Lindahl-Wise says.
He says it is not the job of the audit committee to understand all the threats–it is their job to ask for a comprehensive threat model, risk assessment and mitigation plan to be presented to them in a consumable manner.
Piyush Pandey, CEO at Pathlock, says audit committees should view cybersecurity concerns as one of the most critical risk factors facing an organization due to the potential for severe consequences of successful cyberattacks.
“In addition to financial losses, business disruption and reputational harm can have long-lasting consequences,” he says. “Cyber risks are now prevalent across the entire organization and aren’t just limited to Finance or IT as they were in the past.”
Companies are likely to face several challenges in complying with the SEC requirements, with cybersecurity risk assessment consisting of a complex technical process that can be difficult to translate into clear and concise disclosures.
“Not all companies have the in-house expertise or cybersecurity tools properly implemented to assess risk and document disclosures,” Pandey says.
The new SEC requirements will force security leaders to adjust their incident response plans to include disclosure, as governed by federal mandates, not only security best practices.
“IT and security leaders today are dealing with a dynamic threat landscape that will continue evolving,” says Patrick Tiquet, vice president of security and architecture at Keeper Security.
A comprehensive cybersecurity strategy will look different for individual businesses but should always cover a few key areas.
The strategy should account for regular threat assessments to identify potential security risks and vulnerabilities, security policies for the organization, monitoring and detection, incident response and training, and awareness programs to educate employees on security best practices.
“Another key component of any comprehensive security strategy is access control to ensure that only authorized users have access to highly sensitive systems and data,” Tiquet says.