With cyber-security attacks becoming everyday news, companies are waking up to the need to identify and mitigate their risks of becoming the next Target. Or Home Depot. Or J.P. Morgan. The list is endless.
Target has said its 2013 security breach led to direct costs of $148 million. An attack on TJX Cos. in 2007 led to an even bigger $1.24 billion price tag for indirect costs, such as internal investigations, public relations, and other related expenses, according to Jodie Kelley, general counsel of the Business Software Alliance—“and all of this is typically followed by possibly lawsuits,” she adds. From malware associated with pirated software alone, companies can expect to spend a total of $491 billion in 2014 to address the fallout from hacking, Kelley said at last month’s Compliance Week West conference.
Just identifying and defining the risks is a daunting enough task. Stuart Levi, a partner with law firm Skadden, Arps, Slate, Meagher & Flom who focuses on cyber-security, warns that any company with even a single computer connected to the internet is vulnerable. “Every public company—regardless of their industry, what they do, what data and information they have—needs to be focused on this issue,” he says.
In Levi’s view, companies need to focus on the risks specific to their business, approaching the issue in two broad but inter-connected ways. “There are two specific kinds of battles,” he says. “One is what to do purely on the technology side to reinforce your networks and minimize or prevent attacks. The other piece is to make sure you are doing enough from a management and process perspective, so that the right decisions are being made from an organizational perspective and so that you can defend your actions against a plaintiff or regulator if an issue arises.”
Aaron Weller, a managing director in data protection and privacy with PwC, said at Compliance Week West that companies need to think beyond compliance to make their data and their systems secure. “Compliance is not security,” he said. “Hackers read the same frameworks you do. Compliance is a minimum bar. Even if you are compliant with everything, that’s not going to make your organization secure.”
Companies can begin their effort to get their arms around their security risk by focusing on four major questions, Weller said: “What data is important? Where is it? How is it controlled? And how do you know?” For example, companies need to explore how to classify key data across the whole enterprise, whether that data resides in systems the company controls, or with third parties; what controls are protecting that data; and what independent assurance the company has that the controls are appropriate and effective.
Below, the Center for Audit Quality (CAQ) explains what types of audit procedures related to cyber-security are performed in the audit of financial statements and, where applicable, internal controls over financial reporting (ICFR).
Auditing standards require the auditor to obtain an understanding of how the company uses IT and the impact of IT on the financial statements. Auditors are also required to obtain an understanding of the extent of the company’s automated controls as those controls relate to financial reporting, including the IT general controls that are important to the effective operation of automated controls, and the reliability of data and reports used in the audit that were produced by the company.
The auditor’s understanding of the IT systems and controls should be taken into account in assessing the risks of material misstatement to the financial statements, including IT risks resulting from unauthorized access.
Systems and data in scope for most audits are usually a subset of the totality of systems and data used by companies to support their overall business operations, and the audit’s focus is on access and changes to systems and data that could impact the financial statements and the effectiveness of ICFR. In contrast, a company’s overall IT platform includes systems (and related data) that address the operational, compliance and financial reporting needs of the entire organization.
From an operational risk or privacy perspective, companies implement processes and controls to restrict access to their systems, applications and data, including third-party records and other sensitive information. Accordingly, given the focus on a narrower slice of a company’s overall IT platform, the execution of an audit of the financial statements and ICFR in accordance with professional standards likely would not include areas that would address a cyber-security breach of those broader systems. However, if information about a material breach is identified, the auditor would need to consider the impact on financial reporting, including disclosures, and the impact on ICFR.
On the other hand, cyber-incidents usually first occur through the perimeter and internal network layers, which tend to be somewhat removed from the application, database and operating systems that are typically included in access control testing of systems that affect the financial statements. Audit procedures might include testing access controls at the application layer, and at the database and operating system layers, in that order of focus and priority. Other broader elements of security around the perimeter and network layers generally tend not to be within the scope of the financial statement and ICFR audits.
The likely sources of potential financial statement misstatement are most commonly associated with transaction-level access through the application. Depending on the company’s business and environment, other elements of security around the internal and perimeter network layers may not pose risks to financial data, and are therefore of less importance to the achievement of audit objectives. Consequently, audit procedures performed around the internal network and perimeter network layers could vary significantly. As audit procedures are developed to address each company’s IT environment, the auditor should appropriately tailor the discussion with audit committees (in accordance with PCAOB Auditing Standard No. 16) and management.
Source: The Center for Audit Quality.
A recent survey by Protiviti and ISACA found that cyber-security, data privacy, and IT security were the biggest technology challenges facing the typical IT audit executive in today’s business environment, with 1,300 survey participants ranking them the No. 1 worry. “Not a day goes by that we don’t read or see something about a cyber-threat or a security breach or something to do with that,” ISACA President Robert Stroud said in a recent podcast discussing the results. Given the “connectivity of everything,” companies need to explore how to protect data properly, how to put assurances around that effort, and how to have an appropriate business continuity strategy in place, he said.
Stay in Control
For companies still trying to define a strategy, Eddie Schwartz, chair of ISACA’s cyber-security task force, says a control framework is a good starting point—ISACA’s COBIT being one such example. “Organizations need to use a standard underlying framework to go at this,” he says. “The good news today is that you don’t have to shoot in the dark at a target you can’t see.” The information security profession has made great strides, he says, in developing the capability and guidance to help organizations identify and mitigate the most serious risks.
The key for a skilled internal audit shop, Schwartz says, is to understand emerging technologies and identify not just threats based on historical experience, but also future possibilities. “Audit has a role in technology planning and delivery to provide assurance around the processes that are supposed to be protecting that technology,” he said. “But audit also has a role in looking forward a bit.” That includes understanding the risks of Big Data, cyber-security, cloud and mobile connectivity, and other trends as they arise.
Also crucial, Schwartz says, is having oversight at the highest levels in the organization. “The CEO as the most senior leader has ultimate responsibility,” he says. “There’s no question that the board of directors and the audit committee should be briefed on this subject. If the management team is not informing the board about what’s going on transparently, they’re not going to have the support and the resources they need to address it.”
Levi sees companies approaching cyber-security risks in different ways, often assigning responsibility for it in various areas of the organizational chart. “Companies have generally caught up in recognizing this is an issue, but for the most part are very much behind in actually acting and knowing they need to do this,” he says.
Many companies have a C-level technology or security officer responsible for cyber-security, but to be successful that person needs a clear line of reporting up through the chain of command, he says. “It needs to be someone who is not a figurehead on this issue, but will act on it,” he says. “Someone with the seniority and the gravitas within the organization to actually make things happen.”
Weller says he sees audit committees getting more engaged on cyber-security. “We’re certainly being asked to present at more audit committee meetings,” he says. In some board rooms that’s driven not only by the risks to the organization, but also by risks to individual board members. “In recent breaches we’ve seen where there have been claims against directors and officers, not just the company,” he says. “If I were a board member I would be worried about my personal liability.”