On the Frontlines: Gauging the Board’s Cyber Expertise
Brian Tremblay, CIA, CISA | Jan 11, 2023
The U.S. Securities and Exchange Commission has a proposed cybersecurity disclosure rule on deck for public companies, and if you haven't read it (and you should), there's a great fact sheet on the SEC website.
While there is certainly a lot to cover, I want to narrowly focus on this requirement: "Board of directors' cybersecurity expertise, if any, and its oversight of cybersecurity risk."
But why start here? Simply put, if the board (and senior management) don't have the capabilities, or access to the capabilities, needed in this environment, the rest may be destined to fail. And looking at the other requirements (disclosing material cyber incidents, management's role in proper policies and procedures, etc.), I'm not sure how internal audit can feel comfortable if the board isn't properly equipped on this topic.
To complicate matters further, this rule will likely (or should) put internal audit in the position of providing assurance over this disclosure and, by extension, over the board's expertise requirement. This spawns more questions to consider.
Question 1: How will internal audit provide assurance over these topics if it also lacks the appropriate cybersecurity expertise?
Let's just acknowledge that cybersecurity is a complex topic. While I certainly would never ask or expect an internal auditor to be an expert on cybersecurity, I think that understanding technology risk is a mandate for every internal auditor these days. At its core, technology risk is pretty consistent across any device or system. Whether it's your iPhone, Nest thermostat, Ring doorbell, or any of the dozens (or hundreds) of technologies at your company, they are all subject to a consistent set of risks. Learning and understanding these risks will allow you to apply them against virtually any technology. While a topic for another day, a snapshot of these risks includes configurations, code, interfaces and more. Each risk, ultimately, has the same outcome: inappropriate access and/or unauthorized changes to the technology.
The IIA has a lot of resources and training to help, and of course there are plenty of other resources and consultants as well. One very simple place to start is the U.S. Department of Homeland Security, which has a whole host of information and resources available.
Question 2: How will internal audit, in particular the CAE, challenge the board to ensure that they have the proper expertise or access to it?
While being able to answer the first question is a great starting point, it's not all that a CAE and their team need. As the CAE engages with the board on this topic, they will inevitably (hopefully) get a lot of answers and information to process. Don't just take the board's word for it. Validate it. Question it. Don't be afraid to ask for more information if it's unclear.
I'd also suggest being ready for some level of deferral to the CISO, CIO, or maybe even a third party with whom the board liaises on this topic. While one interpretation of the proposed SEC rule is that the board must have a certain level of expertise themselves, part of the expertise they disclose could be that they engage with actual cybersecurity experts to ensure that any deficits in expertise are addressed. Boards may not be able to properly address this in any other way unless a majority of the members come from the technology and security space.
Question 3: What happens if conflicts arise over the board's expertise?
There are times when internal auditors need to be courageous, and this may very well be one of those times. When I speak with the board members in my network, the ones I consider to be engaged often tell me about times when their CAEs aren't being courageous and aren't speaking up. And while it may make a CAE nervous to raise concerns over the qualifications of the board, the best boards may be expecting you to do so. The CAE must be tactful about how they do it. From my time as a CAE, one of my best practices is to bring suggested solutions to challenges like this, but an engaged board is also likely to expect the CAE to raise concerns. Why? Because they know the value of internal audit. If the board fights you, or doesn't seem to be engaged or even care, I'd think long and hard about not only your board's cyber expertise but whether they themselves are a risk to the success of your organization.
The board's cyber expertise is only a small part of the SEC's proposal. However, the "tone at the top" is critically important and sets the stage for how your organization is likely to be prepared for the bevy of other requirements in this proposal. It's an area where internal audit can and should play an important role. The implications of the SEC proposal also serve as a reminder of what we should be doing more of as internal auditors — building relationships, being objective, and most importantly, being courageous.