A Cyber Wake-up Call

Articles Matt Kelly Jun 06, 2022

The SEC’s proposed rules on cybersecurity risk pose important questions.

Far too many boards still struggle to impose good cyber governance. Using the SEC’s proposals to guide much-needed conversations couldn’t hurt.


How Internal Audit Can Help

At first glance, cyber governance might seem like a strategic issue where internal audit teams can provide only limited help. That’s not so; internal audit can help the board in several important ways to assure that cybersecurity gets the oversight it needs.

Audit IT risk. This audit should not simply be an audit of firewalls or other traditional security measures. Rather, examine the organization’s processes for vetting cloud-service providers, performing data backup procedures, configuring hardware, and so forth. Cast a wide net to understand the risks that exist in how technology is used.

Review management’s oversight of IT and cybersecurity. Does the company allow a decentralized approach to sourcing IT equipment and vendors? Does a single, competent executive fulfill CISO duties? If not, dissect the operational risks that could arise (say, haphazard response to a data breach) and whether roles should be restructured.

Audit business continuity and disaster recovery. Although these issues are not directly related to cybersecurity, they are critical to how the organization makes sure that it can keep operating even during IT malfunctions, which are often caused by cybersecurity attacks.

Consider the board’s own expertise. The SEC proposals include disclosure of any cybersecurity expertise among the organization’s board members. Assess whether the board has sufficient expertise for the cyber governance challenges it faces.

Matt Kelly

Editor and CEO, RadicalCompliance.com, an independent blog about audit, compliance, and risk management issues
