Are audit committees doing enough to prevent cyber attacks?
Alex Sanderson CA, head of audit with KPMG in Scotland, shares his thoughts on the processes and controls behind cyber security.
Despite an increased focus on cyber security issues as a critical business priority, many audit committee members are worried not enough attention is being given to improving their board’s oversight of cyber risks.
This was the topic of much conversation at our last Audit Committee Institute meeting held in Edinburgh at the end of 2015. Around a third of those questioned believed their board should be devoting more agenda time to cyber risk, with about a quarter stating a greater use of third-party expertise in this area would be beneficial at board level.
These results echo many of the findings of a global survey we conducted of audit committee members featuring 1,000 senior executives across 28 countries, which found that significant challenges remain in terms of addressing growing cyber security issues.
Ultimately, cyber security may require deeper expertise, more attention from the full board, and potentially a new committee.
Audit committee agendas are not getting any lighter.
However, a number of high-profile cyber attacks in recent months clearly show that the subject can no longer be consigned to IT departments as it has wide-reaching consequences for the whole of a business.
Boards and non-executives are gradually recognising the need for this issue to become embedded within a company’s risk management process and business culture.
It is also important to consider the ways in which key strategic and operational risks are communicated to a board in light of a need for a considered approach to cyber security.
When we spoke to audit committee members in Edinburgh, the majority claimed to be satisfied with the communication and co-ordination of information around key strategic and operational risks. In our global survey, however, just half of those questioned agreed. Any gaps in knowledge can result in critical risks like cyber security falling through the cracks, particularly given the scope and complexity of risks facing companies today.
Although we are making some headway, there is still a long road to travel in ensuring cyber security issues are given adequate attention at board and management level.
It’s important that board members ask the right questions regarding cyber security policies and ascertain whether management has robust processes and controls in place.
Everyone needs to understand what constitutes the company’s biggest vulnerabilities and its most critical data sets. A good place to start would be to ask what cyber-incident response plan already exists and whether it has been tested recently.
Some of the wider findings from our global survey also found that while many boards are deepening their involvement in strategy and oversight of the risk environment, there is much work to be done in terms of linking strategy and risk.
A third of those questioned believed there should be a greater focus on the “upside” of risk-taking to create a competitive yet considered approach. Additionally, around a quarter suggested more effective promotion and assessment of the company’s risk culture and a closer link between strategy and risk to be determining factors in making better-informed risk-related decisions. Yet less than a third stated that the flow of risk-related information to the board had, in fact, improved in recent years.
There are positives to be taken from our findings, however. When looking to address the increasing complexity of the business and risk environment, including issues around cyber security, nearly half of those questioned said they had discussed or taken steps to refresh the board and to recruit directors with specific expertise.
This article is from the February 2016 edition of The CA magazine.