Audit Committee Bulletin: July 2013
Growing cyber threat demands board-level response
Companies now face a range of threats from cyberspace. The confidentiality, integrity and availability of sensitive information are all at risk.
Need for a new approach
The attackers are now so effective at penetrating security that companies need to rethink their defensive strategies.
Efforts to keep adversaries out of their IT systems — such as firewalls — remain important, but they are just a starting point.
Companies should assume that some attacks will breach these barricades and ensure that cybersecurity runs deep through the organization. They need to establish comprehensive, in-depth defenses; prioritize the organization’s efforts, so that truly critical information is more likely to be safe; and implement real-time monitoring to detect and respond to attacks.
This might require the board or audit committee to develop a much better understanding of:
- Which information assets are critical
- Who might want to launch an attack
- What business risks a security breach could lead to
- What defensive capabilities and options are available
Security in context
Actions taken to deal with this threat need to be balanced against the company’s other objectives. For many directors, this level of involvement in cybersecurity would represent a significant change.
This is particularly true in Europe; boards in the US tend to be more engaged with the cyber threat.
Need for action
Board directors without specialist IT knowledge can sometimes be reluctant to debate risks related to cybersecurity. But, as this area of threat continues to grow, the need for their high-level involvement has never been greater.
Audit committee members have an important role here. They should treat cybersecurity just as they would any other area of significant, growing threat.
Technical knowledge — or perceived lack of it — should not be a barrier. As with other complex and fast-changing areas of risk, they should seek input from internal and external experts.
Questions for the audit committee:
How well does your company ...
- Define risk appetite and relate it to strategy?
- Communicate to management and staff the levels of risk the board wants it to take?
- Review and discuss changes to its risk appetite?
- Communicate risk appetite to shareholders?