As a board member in today’s digital economy, what should you be thinking about? Cyber security, for sure.
Cyber risks are evolving and can affect every area of your operations. These risks change almost daily and can relate to complicated technology issues. When it comes to managing risk, the rapid rate at which technology is changing and the growing cyber risks leave board members in a difficult position.
Here are a few suggestions to help you mitigate cyber risk and achieve greater transparency into your cyber operations:
Seek Assurance of Cyber Controls
In the past, organizations relied on various consultants, internal resources, and sometimes just plain luck to identify and mitigate cyber risks. To guide you, the AICPA just recently issued its much-awaited standard on cyber security. The “Cyber SOC” allows CPAs to audit a company’s cyber security. This fundamentally changes how cyber threats are evaluated and managed, enabling an independent, objective look at an organization’s processes, policies and controls around cyber risks.
The Cyber SOC also provides an opportunity for you to assure your customers that you are providing a secure cyber environment, which gives comfort to customers in any business. This is a huge win because customers are increasingly wary of cyber attacks and are looking for companies that take the growing threat seriously.
The Cyber SOC is even instrumental in ensuring the robustness of internal controls and processes related to cyber risks. You can use the framework to perform a benchmark readiness assessment, which compares your organization’s current cyber control framework against the established Cyber SOC control objectives. This benchmarking allows you to confidently identify gaps in your cyber control environment that can then be remediated. It’s easy to imagine a Board requesting a Cyber SOC readiness assessment and then monitoring progress against the gap analysis on a quarterly basis. You can read more about the new Cyber SOC here.
Ask the Right Questions
Astute board members are asking questions about cyber risks, in part driven by their own learning and in part by their external auditor’s questions. For public companies, the PCAOB has started asking questions to audit firms regarding their evaluation of the company’s cyber position. Right now, these are just questions. In the near future, it’s entirely possible that cyber risks will be included as part of the 10-K. In fact, there is legislation in the House now that would require cyber to be included in SOX certifications and testing. Once the trigger has been pulled, the PCAOB will require auditors to perform detailed testing around cyber risks and controls.
In the current environment, boards need to continue to ask questions around cyber. Here are some questions you should consider asking:
What kind of information do you have that is private?
How often do you conduct penetration testing and what type of penetration testing do you conduct?
Have you been hacked or had any security issues?
When was the last time your security policies and controls were reviewed?
Have there been significant changes in the business or IT, or are changes anticipated in the near future?
Asking the right questions is vital because they can lead to the effective actions necessary to secure your organization. Understanding your policies and procedures around cybersecurity is a must. It’s important not only to understand what policies you have, but also to independently evaluate those policies and controls to ensure your approach appropriately mitigates your cyber risks.
As a board member in today’s world, cyber risk should be top of mind. Anticipating the growing concerns and growing cyber threats, you should start taking steps to manage cyber risks and help your business jump ahead of the competition by being first to the market with cyber resilience that makes your company more distinctive as a trusted partner.
Ann Cleland is a partner at HORNE Cyber where she oversees all aspects of cyber assurance services. Cleland’s depth of knowledge in assurance covers service to a variety of clients in both external and internal audit capacities, including governmental A-133 audits, and in industries as diverse as real estate, healthcare, nonprofit, retail and manufacturing.