In KPMG International’s 2015 Global Audit Committee Survey, the four key concerns carried over from the previous year are:
economic and political uncertainty and volatility
regulation and the impact of public policy initiatives
and cyber security.
It was good to see cyber security featuring among the top concerns of audit committee members, as major cyber breaches have intensified in the recent past. High-profile breaches include those at Sony Pictures and at the US retailers Target and Home Depot. In the year ahead, audit committees say cyber security and oversight of risk will require even more attention.
KPMG conducted another online survey in 2015 and found that good security enables companies to retain customer trust, and that next-generation cyber security solutions are emerging to address this challenge. Because of recent cyber attacks, tech companies of all sizes want to keep investing in developing and implementing information security and IT risk-management technologies. Three-fourths of the 111 U.S. tech executives who participated in the survey said they expect their companies to spend 1 to 5 percent of their revenue on IT security over the next year.
Directors should approach cyber security as a broader business risk issue and not as a problem for internal IT teams alone. This approach is supported by the increasing threat and the rising impact of online security breaches. Therefore, cyber security should ideally be on the board’s agenda, with oversight by the audit committee.
How can audit committees respond to cyber risk areas?
▶️ Hold a training session for the audit committee members to understand the impact of cyber risk on the company, and also educate the workforce about cyber risks and responsibilities.
▶️ Understand the company’s cyber security strategy and governance structure and ensure it fits into the company’s ERM program.
▶️ Understand the systems in place to protect information transferred through mobile technologies, the internet, etc.
▶️ Ensure that the company has a cyber security risk assessment process in place and that management’s cyber security risk assessment is reviewed periodically. If the skills are not available internally, the audit committee should direct the company to obtain such specialist skills to prevent future breaches.
▶️ Similar to a BCP/DRP, establish an incident response plan and test it periodically, including its ability to act quickly if there is a security issue.
▶️ Establish guidance on what kinds of incidents need to be reported to the audit committee.
▶️ Ensure the company has the required specialist skills and expertise to prevent cyber breaches, and has also enlisted a third-party specialist who can be on-site for emergencies.
This may not be a comprehensive list of ‘to do’ items, but it should be a good starting point.