Pointing to recent cybersecurity disclosure requirements from the Securities and Exchange Commission, as well as growing numbers of cyber-incidents being reported at public companies, the report said audit committee members can no longer afford a "set it and forget it" approach to security and must instead take a more active role in protecting their organizations.
According to the report, board members must do things like investing in privacy and security solutions and services to oversee the use of internal and external data in a way that demonstrates to investors a commitment to risk mitigation. They were also urged to be proactive in addressing supply chain risk, particularly when it comes to things like vendors' cybersecurity protocols and regulatory compliance, and the report said that a dedicated assurance program can be of great use here. Finally, it said members also need to stay on top of the relevant rules and regulations, as they can often change.
Beyond this, the report said board members need to focus on cybersecurity threats and risk assessments when talking to management. They may also need to create a broader data governance framework that includes compliance with privacy laws and regulations, as well as the company’s policies and protocols regarding data ethics, data integrity, and other key areas. Board members should consider things like:
- Does the company have a data governance framework that makes clear how and what data is being collected, stored, managed and used?
- Which business leaders are responsible for cybersecurity and privacy across the enterprise?
- How does the board confirm assignment, coordination and accountability for the company’s cybersecurity and data privacy policies?
- Does the company have a plan for responding to a data breach, and what does it include? If a ransomware attack occurs, is the company willing to pay ransom? Does it know how to locate and prioritize data for recovery? Does it detail responsibilities for partner, customer, and regulator notification?
The report said these steps need not be seen as a chore; indeed, a robust cybersecurity program can lend competitive advantages to organizations willing to put in the work.
"This opportunity can start with building an auditable plan, with a goal of forming a strong assurance strategy with fulsome considerations and reliable metrics. Boards and audit committees can help translate this race towards cybersecurity readiness into a competitive advantage that facilitates growth, enables stakeholder trust, and fosters organizational resiliency," said the report.
