In the face of ongoing, persistent and ever-more dramatic data breaches, corporate assurances to the security of information are rightfully met with investor and regulatory skepticism. And while companies have rushed to inoculate themselves against potential damage by purchasing cyber insurance, regulators – and insurers – are reviewing published cybersecurity disclosures carefully to determine whether the companies’ claims regarding their cybersecurity programs – people, processes and technology – are consistent with reality.
These reviews merit attention for several reasons. For example, the price for failing to adequately assess and disclose cyber risks could be regulatory sanction and/or a denied insurance claim.
Questions about disclosures – and inquiries from external auditors related to cybersecurity – have been raised at several conversations with our clients recently. The basis for the questions can be traced back to a U.S. Securities and Exchange Commission Guidance published in October 2011. But the urgency and frequency of the questions in meeting rooms and board rooms have increased, in apparent contradiction to public corporate cybersecurity assurances.
External auditors are generally asking two questions:
- For companies making disclosures: What programs exist to ensure the disclosures are accurate?
- For companies without disclosures: What controls and procedures are in place to ensure that there is nothing occurring that should be disclosed?
The typical response, to date, has been for management to provide a memo with a general description of relevant risks; a list of the people, processes and technology in place to address cyber risk; a list of relevant internal audit efforts addressing cyber risk; and a statement that management is not aware of any relevant undisclosed breaches.
These responses tend to be quantitative, which begs the question: Should Internal Audit evaluate and weigh in on the efficacy of cyber risk mitigation programs? A 2015 article in the Harvard Law School Forum on Governance and Financial Regulation says yes. I would agree.
Critical intellectual property (IP) – the so-called “crown jewels” – must be identified and protected. In addition to traditional perimeter defenses, companies need to develop and regularly review an intrusion response plan. The plan needs to account not only for theft, but also for the possible destruction of data. Response plans should be tested with live simulations designed to break and fix vulnerabilities before they can be exploited by hackers.
Sounds like common sense, doesn’t it? It has been my experience, however, that all too often, companies tend to address theoretical risks with theoretical responses. A self-assuring, “no stranger danger here” mentality may, in fact, be your organization’s greatest vulnerability. Instead, what companies are better off doing – and what most cybersecurity experts these days recommend – is to assume that they have already been breached, and focus their security efforts on rapid detection, interdiction and recovery.
To that, I would add the need for a strong cyber risk control and governance framework, such as the one developed by the National Institute of Standards and Technology (NIST).
As for internal audit, it definitely should be auditing cybersecurity disclosures to make sure that what management is telling shareholders is consistent with actual risks. Words matter, and the world is watching.