It's a familiar saying but one worth repeating: It's not a matter of if a cyber incident occurs but when. Many organizations are taking this modern adage to heart and making data security a priority across all functions – audit committees included.
The days of physical files and locked cabinets are fading. Today's audit committees work with sensitive financial data that must be stored, archived and shared via networks of servers, internal networks, and cloud-based services. And while there are endless advantages to going digital, the risks of having that data stolen, lost, or leaked are enough to make any audit committee member lose sleep.
After all, failure to protect financial data can trigger both financial and reputational damage. There are data regulations, mandatory reporting laws, and international privacy obligations (such as the EU's GDPR) that carry significant penalties if not upheld. Moreover, becoming a public victim of a cyber attack can do irreparable damage to even the most reputable brands.
Audit committees don't necessarily bear the full weight of these risks. They do, however, play a critical role in upholding data management and security measures, as well as in ensuring cyber security remains top of mind for their organizations' leaders. As custodians of vital client and organizational data, they need to ask the important questions: What data are we managing? What value does it hold? Where is it being stored? If it were exposed, what would that mean for the company and how would we respond?
Like every other entity in an organization, audit committees share a responsibility for understanding their exposure, bringing attention to cyber security risks, and collaborating with colleagues to improve their strategies around data management and security. Only when all parties are working towards a stronger cyber posture can an organization be truly prepared for when a cyber disaster strikes.