BoardMatters Quarterly, April 2013
Concerns about cybersecurity
Forward View by Tapestry Networks
Audit committee chairs are focusing on cybersecurity as the risk of data breaches rises and high-profile cyber attacks dominate headlines. The New York Times and The Wall Street Journal recently reported attacks on their systems from China in response to their news coverage of that country,¹ and in a speech in January 2013, Janet Napolitano, Secretary of the Department of Homeland Security, said a cyber attack on the level of 9/11 “could happen imminently.”
A few weeks later, President Obama signed an executive order designed to improve the security of the country’s cyber infrastructure by inducing companies that own “critical assets” to voluntarily improve their own security by sharing information about cyber threats with the government.
James Holley, Executive Director in EY’s Advanced Security Center, told a network of audit committee chairs that “every company in the Fortune 1000 has been or will be a target, whether they know it or not.”
These are the most sophisticated attackers:
- State-sponsored attackers. Dozens of countries have the capability to launch cyber attacks. Their motives may be obtaining military secrets from other governments or intellectual property from foreign companies.
- Criminal attackers. Organized crime groups meet online to coordinate attacks. Their objective is to extort cash, so they primarily target financial services companies, retailers and other companies that hold customer information and other valuable data.
- Hacker activists (hacktivists). Hacktivists pursue agendas related to the environment, human rights, economic justice and other causes. They may try to disrupt company operations, deface websites or steal and expose sensitive information.
Audit committees taking the lead
In recent Tapestry Networks meetings, audit committee chairs met with cybersecurity experts to discuss the audit committee’s role in overseeing risks. Everyone agrees that the audit committee should take the lead in elevating cybersecurity as a key enterprise risk priority. Doing so is a critical first step in enhancing a company’s cyber defenses, according to Shawn Henry, President of security firm CrowdStrike. Mr. Henry told a group of audit committee chairs, “The leadership sets the pace … Every board should sit down with the leadership in the organization. There isn’t one person who can do it. It has to be coordinated across the organization.”
Many cybersecurity experts and audit committee chairs believe that the audit committee can help the company enhance cyber defenses by improving the company’s own systems, controls, people and processes. Recommendations include the following:
- Clarify cybersecurity roles and responsibilities within the executive team. CrowdStrike’s Mr. Henry recommends that the audit committee challenge management to agree explicitly on executives’ roles and responsibilities: “Get your executives in a room together and discuss accountability at the executive level. Understand your authority and your capabilities.”
- Establish metrics to adequately assess cybersecurity. Audit committees struggle to understand which metrics are right for assessing the effectiveness of their companies’ cybersecurity programs. Marios Damianides, Security Practice Leader for EY’s Northeast Region, said, “Simple statistics [alone] will not do. Don’t focus on whether you were attacked, or how many times. Focus on patterns.”
- Meet regularly with the IT expert on the external audit team. As one audit committee chair explained, “The external auditors have people who are cybersecurity experts. That can be a great resource to get an honest perspective on your company in regards to the knowledge of the management team and how the company is benchmarked.”
- Make sure internal audit has the appropriate skills. More companies are hiring internal auditors with cybersecurity experience and expertise. One audit chair said, “Traditional internal audit groups didn’t have cybersecurity expertise, but you need it now. We outsource part of our internal audit so we can get that cybersecurity capability.”
- Confirm that due diligence processes incorporate cyber risk assessments. Audit chairs said it is important to emphasize cybersecurity in the due diligence of acquisition targets and in integration activity after closing.
- Recruit technology experts to join the board. Several audit chairs said it is beneficial to have a board member with both significant technology expertise and executive experience, although it is important for that person to have knowledge beyond the technology dimension.
- Engage “ethical hackers.” Several audit chairs reported engaging third parties to hack into the company’s system as a way to test its cyber defenses. One explained, “We do annual penetration audits, where we engage a third party to look at who is on the network that is not authorized to be on there.”
¹ Nicole Perlroth, “The Wall Street Journal Announces That It, Too, Was Hacked by the Chinese,” The New York Times, 31 January 2013.
Forward View is prepared by Tapestry Networks. Tapestry Networks organizes and leads nine audit committee networks with the active support and engagement of EY that collectively consist of 150 individuals, who chair more than 200 audit committees and sit on more than 380 boards at some of the world’s leading companies. EY refers to the global organization of member firms of EY Global Ltd., each of which is a separate legal entity. Ernst & Young LLP is a client-serving member firm in the US.
Used by permission of Tapestry Networks. This article may not be reproduced, distributed, displayed or published without the express written consent of Ernst & Young LLP and Tapestry Networks.