What boards need to keep in mind when it comes to risk and oversight
By Eve Tahminicioglu
There’s a laser focus on cybersecurity these days, and regulations meant to keep breaches from happening are on the horizon.
A report released this week by the EY Center for Board Matters looks at key regulatory changes globally and offers directors guidance on what they need to keep potential cyber risk in check.
“Cybersecurity needs to be at the top of board members’ agendas,” stresses Steve Klemash, partner at the EY Center for Board Matters. “In addition to the reputational, operational and financial impacts of a cyber-event, new regulatory and reporting developments at the federal, state and even global levels have made cybersecurity risk oversight more critical.”
Here’s a rundown from the report:
Assess the “true maturity” of its cyber risk management program: Many companies think they have adequate processes and controls in place, but there is room to refine and challenge the effectiveness of the program. There are parallels here with Sarbanes-Oxley when it was first implemented to combat accounting fraud. Initially companies were relatively confident in their internal controls, but they subsequently came to realize that their processes and controls were not fully mature in several areas.
Use American Institute of Certified Public Accountants (AICPA) guidance to evaluate and strengthen the program: While AICPA guidance for evaluating an organization’s cybersecurity risk management program is voluntary, it contains a set of robust, business-centric evaluation criteria designed to ascertain the adequacy of the processes and controls implemented to address cyber risks. It can be used to identify gaps and design remediation activities to fill those gaps.
Keep up with evolving regulations: The European Union has adopted the General Data Protection Regulation (GDPR), which will take effect in May 2018 and require companies to notify national authorities of a breach within 72 hours. Failure to comply with the GDPR, once it takes effect next year, could result in fines of up to 4% of global revenue. The U.S., meanwhile, is attempting to move forward with enhanced cyber risk management standards, and states, most notably New York, are following suit with their own regulations.
“Failing to understand these heightened requirements can place organizations at even greater financial risk,” Klemash explains.
“Cybersecurity is a fast-moving concern for organizations of all types and should be considered as part of the organization’s enterprise risk management program,” he continues. “Keeping up with regulatory developments and ensuring they have the information they need to evaluate cybersecurity risk and how it is addressed will be key to informed oversight now and in the future.”