Given the proliferation of cybercrime, cyberrisk oversight is an ongoing concern for audit committees. Challenges are specific to industries, companies, technologies and processes, but in general an organization’s rate of technology adoption can easily outpace its ability to manage the associated risks. These include risks to intellectual property, customer data and sensitive internal data, including data on senior executives and board members. The near inevitability of a breach also demands a clear and practical cyberincident response plan.
One very useful oversight activity would be for the audit committee or board to ask management to develop a plan to assess all digital assets and the risks to those assets and then, based on those assessments, to prepare plans for monitoring, mitigating and addressing cyberrisks.
Once those steps have been taken, an audit committee would consider engaging internal audit (or a third-party resource) to conduct an objective review of the cyberrisk management program. If internal audit lacks the requisite skills, they can be acquired through co-sourcing or by bringing in specialists.
Companies that depend on business models enabled by technology or on cybercapabilities for core processes would do well to recruit a (preferably external) board or audit committee member with experience and knowledge of IT and/or cyberrisk management. That person can lend an objective view to reports from the CTO, CIO or CISO — and help other board or audit committee members understand the impact and likelihood of cyberrisk events.
Again, depending on the role of IT in the organization, having security, mitigation and response plans in place may represent table stakes. Having internal audit review those plans — preferably against peer benchmarks or leading practices — and provide objective assurance regarding those plans to the audit committee and board would be steps worth considering.
Taking aim at cyber risk