On the Frontlines: When to Involve the Board in Cybersecurity Risk

There's no question as to whether cybersecurity is an important risk for today's organizations to consider. Imagine if a cyberattack against your organization's main automated processes renders your computer systems inoperable and disrupts critical infrastructure and vital services? What if cybercriminals capture data relating to employees, intellectual property, product quality and safety, strategic planning, or financial data, and ask for a huge amount money to prevent the data being published or destroyed? There are lots of ways cyberattacks can happen and destroy organizations.

Naturally, not all organizations are the same, nor do they face or tolerate the same risk. Organizations must establish their objectives, identify the internal and external risks they face in achieving these objectives, and establish plans — based on risk assessment — to guide efforts in achieving them.

Effective governance requires the board of directors to identify and manage all risks when setting goals and strategies. Therefore, the board of directors should understand and be aware of the major risks related to cyberattacks. It is the board of directors and senior management who are ultimately responsible for effective cybersecurity risk management and taking measure to mitigate the same risks. Further, to be effective, risk management should enable cybersecurity risks to be captured and communicated timely across the organization.

The board, senior management, and stakeholders all need the independent, objective, and competent assurance services of the internal audit activity to verify whether cybersecurity operations controls are well-designed and efficiently carried out. Although the function has a very important role in managing risks, internal audit, like risk, is often misunderstood. The profession has at times been viewed in a negative light, often seen as a policing body that would rather catch someone doing something wrong than proactively work to help. Internal audit can help the organization by alerting management to new cybersecurity risks, as well as cybersecurity risks that have not been adequately mitigated, and provide recommendations for an appropriate risk response. To be able to help organizations deal with cybersecurity, internal audit needs to ensure that there are sufficient resources, knowledge, skills, and competency related to trends in information technology and cybersecurity.

Where management has captured and timely communicated the significant risks related to cybersecurity across the organization and has employed policies, processes, tools, and personnel for ensuring an organization's information resources are adequately protected from many types of attacks, then internal audit should evaluate the adequacy and timeliness of the risk response. Internal audit also should determine if the acceptance of cybersecurity risks is in accordance with the organization's risk appetite/tolerance and communicated throughout the organization.

Risks from attacks such as ransomware, phishing, hacking, insider threat, and data leakage — depending on the importance and sensitivity of data — can be very dangerous and have a huge impact on organizations. When audit engagement observations show no control or weak controls against these risks, and where the risk can seriously damage the organization, the CAE should act immediately and orally communicate the observation or information to senior management and the board. The function can then prepare an interim report for the case. However, before communicating the "dangerous" observation to senior management and the board, the audit function should first communicate with the party that knows and is responsible for the activity under review.

Depending on the magnitude of risks, some examples of weak cybersecurity controls include a lack of anti-virus and malware protection software; an inability to recover data; a lack of network firewalls and data access security; and no encryption software with the use of portable storage devices.

In the case where managers responsible for the implementation of corrective action related to an audit observation are not taking measures for the risk — and it is one that is unacceptable according to the organization's risk appetite — the case must be escalated to the board of directors.