Cyber security questions ACs should ask

Cyber security is a critical audit committee issue


Audit committees with cyber security responsibility have a lot to think about


While it may taste like the flavour of the month to some, the consequences of getting cyber security wrong—as others have discovered—can be substantial. It’s one thing for audit committees (ACs) to accept responsibility for cyber risk oversight as part of the general uptick in their risk responsibilities. It’s another to start having substantive conversations around how the organization actually manages data, how secure its systems are, whether cyber security should be managed at the board level and, if so, whether the board is organized to address these issues effectively. No matter how you slice it or what industry you’re in, ACs are front and centre in the cyber security risk discussion and facing a number of critical issues and questions.

Allocating oversight responsibility

Some organizations are making cyber security a board issue rather than delegating it to the AC or a separate risk committee. One advantage to this approach is that the board will generally have IT knowledge in areas such as systems implementation, technology transformation and data management already in the knowledge mix, while a committee might have to source that knowledge. Nonetheless, many ACs will see cyber security fall under their oversight umbrella and they need to be prepared to handle it.

Engaging with management and IT: ask the right questions, get specific answers

Once the organization determines how oversight will be structured, the question of oversight execution arises. What level of engagement should the AC have with management and what questions should they ask? The AC needs to take the initiative to ensure management has put a comprehensive cyber security program—covering prevention, detection and response—in place.

Response planning is particularly critical. Organizations need to prepare in advance for different contingencies and run testing on multiple scenarios to see where response gaps may exist. ACs with cyber security responsibility need to stay on top of management activities and plans in these areas. They must also keep up-to-date regarding applicable jurisdictional and industry requirements, standards and best practices around security, data protection and privacy.

"For companies operating in Europe, even if North American-based, the EU’s imminent General Data Protection Regulation will have a significant impact. For a major security breach, the EU’s Data Protection Authority will be able to fine companies up to 5% of their global annual turnover—a potentially massive penalty."

Cyber security questions ACs should ask

To ensure cyber security is being appropriately addressed, ACs should ask some key questions going forward:

  • Should we be responsible for cyber security or should it be a board-level issue?
  • If we're responsible, do we have the right technical/IT experience to fulfill that mandate?
  • Is there a set schedule for discussing cyber security in committee: quarterly, annually, or as a standing agenda item?
  • Are independent reviews regularly scheduled and reviewed?
  • Do we have the right levels of communication and engagement with management?
  • Are management and IT adequately and appropriately staffed?
  • Are we receiving appropriate reporting and analysis around IT governance, data security, penetration testing, etc.?
  • Do we have the right information to understand where gaps may exist and to benchmark against key KPIs?
  • Do we have a plan if something does go wrong?
  • Have we addressed all regulatory and other requirements?

Another question board members may want to ask themselves is whether they actually know if their organization has ever been attacked. In our experience, many directors aren't sure of the answer, and attacks happen more often than is commonly perceived. So even if you think your organization is immune to attack, it's worth looking deeper into your cyber security history.

Financial institutions under particular scrutiny

For financial institutions, whose operations are so intimately linked to our global economy and overall financial well-being, the consequences of cyber security laxity can be particularly severe. Indeed, regulators see cyber security as a top risk with continually emerging and evolving complexities. As such, they’re talking to financial institutions across the country about the systems and processes they have in place to manage cyber security.

"In the case of financial institutions, regulators are holding direct discussions with ACs and other risk stakeholders, raising the cyber security bar even further."

The financial services industry itself—facing a range of issues around information growth, technological acceleration and rising cyber crime—is also getting serious, with cyber security regularly showing up as a top-five agenda issue. Given the potential economic and regulatory stakes, it’s critical that financial institution ACs address these issues sooner rather than later. Those that do can do more than close a potential compliance gap. They can also lay the groundwork for more effective risk mitigation in an increasingly tech-savvy business world.

For more information on audit committee best practices in the financial services sector, read our article Best practice makes perfect sense. Alternatively, listen to our FrontPage video series, which addresses today's most important AC agenda items.

© 2018 KPMG LLP, a Canada limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
