Considerations for the audit committee
Questions for the audit committee to consider:
- Has the company experienced an increase in the number of information security breaches?
- What has the company done to bolster its information security program?
- Is information security an IT function within the company? If so, to whom does it report?
- Is there anyone on the audit committee or on the board with an IT background?
- Is the audit committee involved in planning for better management of information security risks?
- How often does the committee discuss cybersecurity? Who presents that information to the board?
- Does the audit committee seek or receive routine updates on risks and advancements in information security?
As technology continues to evolve, the benefits increase — and so do the risks.
Virtualization, mobilization and cloud technology have created new points of entry into businesses, leaving them vulnerable to covert cyber attacks. Executives at many organizations say it’s a struggle to contain the threats, and nearly impossible to thwart them.
Gap between where security is and where it needs to be
We interviewed more than 1,800 information security executives for the 2012 Global Information Security Survey, and 77% of them indicated an increase in external threats. Despite the enhancements companies have made, there is a gap between where security is and where it needs to be. Boards of directors are starting to take note, particularly members of the audit committee, who list cybersecurity among their top concerns.
High-profile cases, such as the alleged Iranian attack against US banks and a resurgence of attacks on US companies from Chinese hackers, have shifted the IT conversation to cybersecurity.
Cybersecurity is not just a technology issue; it’s a business risk that requires an enterprise-wide response. Yet only 38% of the executives who responded to the recent survey said they align their information security strategy to the organization’s risk appetite and risk tolerance.
Like the technology itself, the financial consequences of a cyber attack are often not well understood. Theft of funds and intellectual property is not the only risk. There are costs associated with losses of profits and business as well as the expenses associated with remediation.
A breach eventually could affect financial performance, ultimately reducing earnings per share and the company’s overall market value.
What we found
Most audit committee members are financially savvy, but they may lack a deep knowledge of technological issues. They may rely heavily on technology officers within the company to provide them with perspectives on IT risk management, but only 54% discuss information security in the boardroom quarterly or more frequently.
Companies want to increase operational flexibility, and 59% of those who responded to our survey said they have moved to the cloud or plan to do so. However, 38% of those moving to the cloud indicated that they haven’t done anything to mitigate the potential risks inherent in the cloud, such as legal, regulatory and compliance risks around data privacy.
Organizations must go beyond protecting the perimeter, focusing on protecting the data itself. It will take money and resources to train employees to keep information safe. However, only 22% of respondents said they plan to spend more on cybersecurity in the next 12 months.
What role should the audit committee play?
The company’s board should set the tone for enhancing security and determine whether the full board or a committee should have oversight responsibility. In some cases, a risk committee, executive/operating committee or the audit committee will be given the oversight charge.
Some audit committees may need better information about the company’s processes, and they should leverage that information to understand what oversight is necessary. They should understand whether management has the right people and processes in place.
The audit committee’s action plan will depend on the company’s level of maturity in managing security risks. It may require more attention and time in sectors where these risks and the potential for damages are highest, such as financial services institutions.
Depending on the circumstances, some boards of directors may want to consider bringing someone with a deep understanding of IT issues onto the board or audit committee.
Audit committees should inquire about the state of specific security programs and then ask for benchmarks. They should also ask for an explanation of the measures that are in place to prevent or detect attacks.