Article
Cyber-risk: what audit committees and boards need to know now
April 15, 2015
Over the past few years, many companies have seen a dramatic change in the cyber-risk landscape. The change is driven by a rise in the importance of digital assets, growing sophistication of cyber-attacks (sometimes called Advanced Persistent Threats), and the extension of the corporate network to include the networks of customers, suppliers, and others.
Cyber-criminals frequently seek to extort money, cause business interruption, steal Personally Identifiable Information (e.g., Social Security Numbers, patient and client data), and gain access to intellectual property (e.g., business plans, trading algorithms, product designs, and source code).
High-profile breaches and their monetary impact have caused boards and audit committees to take notice. Target’s now-infamous cybersecurity breach has cost the company $162 million to date in breach discovery, response and notification, litigation, and fines. Other well-known data breaches—including Anthem, Vodafone, Adobe, Sony, Home Depot, and JP Morgan Chase—have cost shareholders additional millions.[1]
According to a recent Ponemon Institute/IBM study, an average breach can cost as much as one to two hundred dollars per record. In such cases, companies typically incur both direct costs (forensics experts, lawyers, victim identity protection services) and indirect costs (time, effort, and resources to resolve a breach). In addition, there is increased scrutiny by federal and state agencies, among them the SEC’s Office of Compliance Inspections and Examinations (SEC OCIE), the Department of Health and Human Services’ Office for Civil Rights (HHS OCR), the Office of the Comptroller of the Currency (OCC), state attorneys general, and state insurance regulators.
Because the board and audit committee have oversight of cyber-risk, they need to communicate the importance of cybersecurity to management and staff. They must ensure that management is allocating the necessary resources to implement an effective, enterprise-wide cybersecurity risk-management program.
Cyber-risk oversight leading practices
The National Association of Corporate Directors (NACD)[2] recommends that audit committees and corporate boards follow these five key principles to help their organizations manage cyber-risk:
1. Understand and approach cybersecurity as an enterprise-wide risk-management issue, not just an IT issue.
Historically, organizations have characterized cybersecurity as an information technology issue to be handled by the IT department. Yet many decisions made day to day throughout the organization can significantly raise a company’s cyber-risk profile. For instance, contracting with third-party service providers, such as cloud vendors, may elevate cyber-risk, as can acquiring a company with poor cybersecurity controls or introducing a new service or product that handles sensitive customer information.