How to stay ahead of evolving cyber threats and legislation
As global cybercrime continues to evolve on multiple fronts, cyber-targeted legislation is taking great strides to keep pace. A recent, particularly stringent, example of this is the UK’s new privacy law, under which organizations that experience privacy breaches or breaches of consent can be fined up to two percent of global revenues. This advanced approach to data and privacy protection has caused organizations with UK operations to re-examine their existing cyber security frameworks and may provide a window into the global legislative landscape of the future.
Most Canadian privacy measures remain either incomplete—the privacy breach measures of Canada’s recent Digital Privacy Act are not yet in force—or voluntary, as is the case with IIROC’s (the Investment Industry Regulatory Organization of Canada’s) recent guides for cyber security best practices and cyber incident management. With higher stakes on the horizon, however, Canadian audit committees would be well-served to broaden their cyber security oversight today to ensure their organizations are well-positioned to mitigate a new, and swiftly-changing, era of cyber risk.
Establish a defensible cyber security strategy
More and more, boards are making the audit committee accountable for cyber security oversight. This can vary significantly in degree, from providing a line item in the annual audit plan, to conducting a comprehensive but one-time assessment, to being tasked with cyber oversight as a continuing mandate.
In the latter case, the audit committee must not only effectively evaluate the organization’s existing security structure (which means knowing the right questions to ask), but it must also demonstrate proper security oversight on an ongoing basis. For example, new cyber threats—targeting data beyond credit card information such as user names, passwords, awards programs profiles and social media accounts—may not be adequately identified in your existing cyber security program. As such, audit committees must first make sure that the correct information has been identified and acceptable use and workflow policies have been established before further strategic measures can be taken.
To devise a more robust strategy that protects the right data, audit committees should ask three fundamental questions: What is our present state of cyber resiliency, where does it need to be and how do we get there? The answers will help you define your organization’s existing framework, as well as identify opportunities to make the framework more defensible by establishing a target operating state, determining a sufficient level of cyber security measures and pinpointing security controls that need to be strengthened.
Indeed, being defensible—ensuring your organization has established an appropriate target operating state to identify and safeguard sensitive data and can demonstrate due diligence to government regulators in the event of a breach—should be the primary goal of any audit committee. Since it’s impossible to prevent every potential act of cybercrime, audit committees must ensure the most effective controls are in place to mitigate the most relevant risks. This can be achieved by asking the right questions on an ongoing basis and managing the responses over time, so as to be able to prove—when a breach occurs—that it was not the result of undue negligence.
What should audit committees be doing?
Cyber security goes beyond IT and must be consistent across an organization. Audit committees should ensure critical cyber security measures are in effect across six key dimensions:
New threats, new responsibilities
In addition to adopting a cross-organizational view, audit committees can be more effective by better aligning their responsibilities with emerging threats. For example, many are taking a role in re-evaluating how their organizations manage and share stakeholder information. With businesses accumulating a growing amount of personal data from customers, employees and investors, audit committees can help ensure that data is being used only in ways those stakeholders have consented to—an oversight measure that can go a long way toward mitigating potential privacy issues.
Other areas of additional oversight include re-evaluating the organization’s cyber insurance policies to confirm that coverage matches need and even taking a role in post-mortem procedures following a breach.
Certainly, there is no one-size-fits-all approach for audit committees to follow when it comes to cyber security. However, understanding what to look for, as well as which threats—and which solutions—are most relevant to your company’s situation, will help you to strategically redefine your oversight mandate as cybercrime only continues to increase in complexity.
© 2018 KPMG LLP, a Canada limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.