Cyber-security risk oversight is the area with the greatest increase in audit committee disclosures in proxy statements, according to the 2020 Audit Committee Transparency Barometer issued by the Center for Audit Quality and Audit Analytics. Companies of all sizes are dealing with increasing cyber-threats and new regulations over cyber-security and data management and reporting.
Disclosures related to the audit committee’s responsibility for cyber-security risk oversight have increased significantly over the past five years. Thirty-nine percent of S&P 500 companies made such disclosures in 2020, up from 19 percent in 2018 and 11 percent in 2016. Further, 28 percent of S&P 500 companies disclosed whether their board has a cyber-security expert in 2020, up from 14 percent in 2018 and 7 percent in 2016. There were also significant increases in these disclosures over the same timeframe for S&P mid- and small-cap companies.
“Traditionally, corporate cyber-security programs were primarily the responsibility of the chief information security officer (CISO), and boards only had a fundamental understanding because it was somewhat a ‘black box.’ But the need for visibility into the cyber-security spectrum by the executive team and board is increasing as boards are facing questions from investors, customers, and regulators, and they have to educate themselves.”
David Kessler, VP and Associate General Counsel, IT and Cyber-Security, BAE Systems
The barometer includes specific examples of best practice cyber-security disclosures, which provide discussions of the board and audit committee’s roles in risk and cyber-security oversight.
What are the risks?
“In the past five years, there has been an increase in media reporting of companies that have had security breaches, and customers, investors, and regulators are demanding greater oversight of cyber-security and associated disclosures,” said David Kessler, vice president and associate general counsel, IT and cyber-security at BAE Systems. As a result, boards of directors face the increasingly significant challenge of overseeing how their companies manage cyber-security risk. At some companies, this responsibility is delegated to the audit committee.
“One of the key requirements I see for a modern day member of an audit committee is a fundamental understanding of cyber-security and the cyber-security profile of the company on which they are serving,” Kessler said. “Traditionally, corporate cyber-security programs were primarily the responsibility of the chief information security officer (CISO), and boards only had a fundamental understanding because it was somewhat a ‘black box.’ But the need for visibility into the cyber-security spectrum by the executive team and board is increasing as boards are facing questions from investors, customers, and regulators, and they have to educate themselves. Boards are paying more attention, along with general counsel, and they are proactively asking for additional briefings and education, with the CIO (chief information officer) and CISO at the table.”
Even pre-pandemic, there was a notable increase being seen in cyber-incidents, Kessler said, including “phishing, malware, ransomware, industrial espionage, lost or stolen IT assets, and insider threats to intellectual property.” During the pandemic, attention on the space has grown even further.
“There were new challenges because of changes in work protocols as companies moved to remote work and video meetings and the shift to online sales,” he said. “Also, some loosening of lockdowns resulted in strict return-to-work protocols that include new types of sensitive personal health information as a result of questionnaires, temperature checks, COVID-19 test results, and contract tracing. There is also an increase in sensitive data as companies are struggling and some are going out of business.”
Another stress for companies is that regulatory scrutiny of cyber-security comes in many forms—the Securities and Exchange Commission, Public Company Accounting Oversight Board, Federal Trade Commission, Department of Justice, and Department of Defense, among others. There are new and changing laws and regulations all the time at the federal, state, local, and international level. “Regulators have been focused on cyber-security for many years, but many of them have changed their requirements in the past five years,” Kessler said.
“It is not a matter of if you will experience a cyber-security incident, but rather only a matter of when and how you respond to it. Cyber-security resilience is absolutely critical,” Kessler said.
He shared these best practices for companies and their boards and audit committees to address cyber-security risks.
- Set a tone from the top. “Company leaders and the board must demonstrate that cyber-security and risk mitigation are critical business risk areas they are addressing. To be effective, there also must be the ‘mood in the middle’ through communicating the focus on cyber-security to line managers and individual contributors, because it only takes one person to have a cyber-incident.”
- Talk more about cyber-security. “Have regular unfiltered discussions at the board and audit committee level with the CISO to understand the problems being faced and to help them gather requisite resources and attention to the issues.”
- Understand cyber-risks. “The board must fundamentally understand what is at stake, including not only dollars but also reputational risks, and measure it against their risk tolerance.” Insurance may help mitigate certain risks, including ransom attacks or damages from denial of service attacks, but reputational risk may go beyond what insurance can cover.
- Embrace cyber-security by design. “When a company is building a new IT system or a new product or service, a representative of the cyber-team should be involved to design and incorporate cybersecurity from the ground up rather than have it be a ‘bolt on.’ Risks and threat vectors can be reduced because they have already been considered. As a company adds IT services and networks, changes locations, or opens new offices, it can improve its cyber-security posture and revamp its incident response protocols.”
- Get an independent assessment of cyber-risks. “Outside experts can provide certifications and issue reports about a company’s cyber-security maturity and compliance programs. A company’s external auditors can provide an objective assessment of internal controls over cyber-security and the company’s ability to respond to regulatory inquiries.” Third parties can identify compliance gaps the board can review to determine the actions and resources needed.
- Have incident response protocols. There should be documentation, and a communication plan, for how a company would respond to a cyber-attack and notify the appropriate people. “Companies can perform exercises or use an outside firm to improve their understanding of the company’s response.”