The loss of intellectual property, customer data, and other sensitive information can cause severe financial and reputational damage and disrupt business operations. A few recent incidents, listed below, give some idea of the impact:
▶️ Most recently, leaked documents from Mossack Fonseca, a law firm in Panama, identified international politicians, business leaders and celebrities involved in webs of suspicious financial transactions. The revelations have raised questions about secrecy and corruption in the global financial system.
▶️ In February 2016, hackers stole more than $100 million from Bangladesh's central bank account at the Federal Reserve Bank of New York, potentially breaching as many as 32 computers at the bank, according to a report from private investigators.
▶️ In November 2015, a statement by the UK arm of the mobile network operator Vodafone said that customer details had been accessed from "an unknown source" and that criminals had obtained the names and some bank details of 1,827 customers.
▶️ In June 2015, personal details of hundreds of thousands of customers of JD Wetherspoon, a UK pub chain, were accessed and leaked following a hack of its database. The attack affected more than 650,000 customers, the company announced.
▶️ In early 2015, 30,000 leaked Swiss HSBC bank account details highlighted the tax-avoidance practices of the bank and its customers.
The increasing volatility in commodity prices and currencies, interest rate uncertainty, and the complexity of the business environment raise many new challenges for audit committees. In addition, the digital revolution is creating new challenges, like the ones listed above, for the audit committee. These challenges are reshaping the committee's agenda and forcing it to reassess whether it has the expertise and the time to address them.
The digitally connected world in which companies operate requires the audit committee to know more about IT systems and cyber security risks, so that it can address those risks, reduce security incidents, and enable the company to operate and make a profit in this environment.
“Security is like the brakes on your car. Their function is to slow you down. But their purpose is to let you go fast.”
Adoption of mobile and cloud technology, big-data analytics and social media all give rise to cyber security risk. After the Panama Papers incident, few would question the importance of making sure data is secure. At the same time, everyone understands that no secret is safe in the digital age. A technology-focused solution to cyber threats is inadequate on its own: the people involved in the process need to be trained continuously and remain conscious of security incidents and risks. Relying on technology alone is like protecting a house with only a high wall and CCTV cameras, with nobody monitoring them and no second layer of security. Uninterrupted access to data, business continuity and recovery are all important for the business. Focusing on protection alone therefore misses the bigger picture and may put the organization at greater risk. It is not as simple as buying an insurance policy.
Audit committee members face the difficulty of balancing demands for high-level security protocols against the business's need for a return on investment. Their anxiety increases when they do not understand IT. Involving the company's CIO in the decision-making process and engaging independent consultants are two ways to overcome this. Cyber security should be treated as a business problem, not just a technology problem.
A starting point for audit committees could be to do some of the following:
* Use an expert to raise awareness and understanding among the board and executive team of the cyber security risks that affect the company's overall risk governance.
* Perform a holistic risk assessment of the technology, business and vendors.
* Analyze and perform extensive threat modeling of the processes and data flows, and list the exposures found.
* Discuss with the IT and business teams to lay out a plan for reducing the exposures, both immediate and long term.
* If training is required, initiate awareness training for all staff.
* Decide on an appropriate cyber security risk decision-making process and IT governance.
A holistic approach to cyber security is more effective and more realistic than simply building digital walls!