Cybersecurity is not just a technical consideration, but an enterprise-wide risk that needs to be addressed at board level.
The increasing digitisation of corporate assets, the proliferation of network connectivity, the disappearance of distinct corporate borders, and the growing motivation and capabilities of cyber-criminals have made cyber-security a significant business risk.
The impact of data breaches or cyber-attacks on firms can be at best costly and at worst existential – for firms, customers and supply chains. The average cost of a US data breach in 2016 was $7 million. And it’s not just large firms that are under threat: smaller businesses are also likely to suffer. Recent research for the UK Government’s Department for Business put the cost of a severe breach for small firms at a not inconsiderable £65,000–£115,000.
South Africa’s online technology news website IT-Online recently drew insights and advice from the principal of Praxity firm Mazars’ Cybersecurity Practice in the US and from Bill Vallee, IT audit manager in South Africa, to find out how companies might better guard against these rampaging risks.
‘In 93 per cent of data breaches, the targeted systems were compromised within minutes’, explained Browne, ‘83 per cent of the time, those breaches were not discovered for weeks, leaving the attackers with plenty of time to do their damage’. What’s clear is that there’s a role to be played not just by IT specialists and internal auditors but also business owners and their colleagues on the board.
A recent publication by the non-profit National Association of Corporate Directors (NACD) offers guidelines to help companies manage their cyber risks effectively at board level.
Browne explains how the NACD’s Director’s Handbook on Cyber-Risk Oversight outlines five key principles that boards should consider, to enhance the oversight of cyber risks.
‘The first of these is that directors need to approach cybersecurity as an enterprise risk, as opposed to an IT issue. Secondly, the board and the individual directors need to understand the legal and regulatory implications of cyber risks that are applicable to their organisation.’
The third principle is that boards need adequate access to expertise. ‘In lieu of adding directors with cyber-security expertise, boards can close this gap through deep-dive briefings or examinations, leveraging existing independent advisors, such as external auditors and outside counsel, or participating in director education programmes.’
The final two principles require directors to expect their management team to establish an enterprise-wide cyber risk management framework, and that boards discuss which risks to avoid, which to accept and which to mitigate through insurance.
While other technology sectors are driven by efficiency and productivity, cybersecurity spending is driven by cybercrime. And although unprecedented cybercriminal activity is generating so much spending that it is near impossible for analysts to track, it remains a less prominent concern for business leaders than you might expect.
Browne reveals that ‘although the NACD Blue Ribbon Commission on Risk Governance recommended that risk should be a function of the full board, research indicates that over 50% of boards assign cyber risk oversight to the audit committee’.
Bilal Vallee points out, of course, that the role of internal audit to provide an independent and objective assurance of cyber risk management is critical.
‘The internal auditor can independently assess cyber-security risks and controls to ensure alignment with the organisation’s risk. This involves evaluating the effectiveness of cyber-security controls in the first line of defence and reviewing the adequacy of cyber-security frameworks, standards, risk assessments, and governance of the second line of defence,’ Vallee says.
But he echoes that the need for companies to take control of cyber risks at board level is vital, not least in light of South Africa’s King IV Report on Corporate Governance.
Although compliance with King IV’s guidelines is still voluntary for smaller firms, for JSE-listed companies it has been made compulsory.
‘The King IV Report on Corporate Governance places numerous obligations on the board regarding the management, protection and oversight of technology and information. The board is required to carry out adequacy and effectiveness reviews of the organisation’s technology and information function, and to comply with certain disclosure requirements with respect to technology and information’, Vallee explains. And these obligations and guidelines are of widespread relevance, wherever organisations operate.
He notes that King IV has broadened the traditional three lines of defence to five lines of assurance, further incorporating assurance role players. These five lines include: governing bodies and committees; oversight bodies that own and manage risk and opportunity; specialist bodies that facilitate and oversee risk and opportunity; internal assurance providers; and external assurance providers.
This emphasises that assurance is about adequate and effective controls that strengthen the quality of reports, all aiding better decision-making. And the audit and risk committee must ensure that implementing the assurance model results in combining, co-ordinating and aligning the required assurance activities across these various lines of assurance.
‘Partnering with an auditor that has extensive cyber-security experience not only provides companies with an independent perspective on compliance, potentially identifying gaps that can be addressed prior to any regulatory body audit, but can also help a business improve its cyber resilience in future,’ Vallee concludes.
You can read more about Mazars’ work in this area here, and you can expect further coverage of the implications of cyber-crime for accounting in future communications from Praxity.
If you would like to share your views or contribute to discussions, please contact our copywriter Simon Tyrrell on firstname.lastname@example.org.