I often find myself talking with reporters about internal audit’s role regarding risks, particularly cybersecurity. Recently, a reporter asked me about a new U.S. Securities and Exchange Commission (SEC) investigative report, “Cyber-Related Frauds Perpetrated Against Public Companies.” The report describes investigations at nine publicly traded companies that were victims of cyber fraud.
In each case studied by the SEC, employees were tricked into sending large sums to bank accounts controlled by fraudsters. Some of the scams continued for months, and often they were detected only after intervention by law enforcement or other outside parties. The nine companies wired a total of nearly $100 million to the criminals, most of which was unrecoverable, according to the SEC.
As a result of its investigation, the SEC cautioned public companies to consider cyber threats when implementing internal accounting controls. It’s good advice. But as internal auditors, we know that cybersecurity preparedness is not just an issue when implementing accounting controls. It is a vitally important facet of risk management every day, in every part of the organizations we serve.
Initiatives such as October’s National Cybersecurity Awareness Month have made important inroads to improving awareness of cyber threats, but there is a big difference between cybersecurity awareness and cybersecurity preparedness. At many of our organizations, there are gaping holes in our preparedness. For example, more than 90 percent of participants in the 2018 North American Pulse of Internal Audit survey from The IIA’s Audit Executive Center said their organization had a business continuity plan, but when it came to cyberattacks, many of those plans offered little more than a false sense of security. Only a quarter of survey participants said their plans provided clear, specific procedures for responding to a cyberattack, and 17 percent of respondents reported that their continuity plans did not include any procedures for a response.
As internal auditors, we recognize the importance of the preventive and detective controls that help protect our organizations from cyberattacks. But sooner or later, those controls will fail. Even the most carefully crafted controls break down occasionally, and there’s a strong consensus among experts that it is a matter of when, not if, our organizations will undergo a successful attack. Prevention and detection are important, but we also need to help ensure that, after an attack, our organizations can recover efficiently, effectively, and rapidly.
Cyber resilience takes into account the organization’s ability to operate during an attack, and to adapt and recover after the attack. It enables our companies to deliver intended outcomes despite adverse cyber events. But making the transition from cybersecurity to true cyber resilience won’t be easy. Culture changes are never easy, and changes that bring together the areas of information security, business continuity, and resilience are especially daunting. That’s why cyber resilience is an “all hands on deck” issue that deserves the attention of all three lines of defense.
At some companies, there is a view that cybersecurity issues should reside in the domain of IT and security experts, with internal audit providing little more than support. But part of internal audit’s scope must be to assess the organization’s cyber culture and help build one that is cyber-savvy. According to The IIA’s Global Technology Audit Guide (GTAG) “Assessing Cybersecurity Risk,” internal audit plays a crucial role in assessing an organization’s cybersecurity risks by considering:
Cybersecurity risks are relentlessly increasing, and the potential consequences extend far beyond the realm of IT. According to a report by the Council of Economic Advisors, malicious cyber activity cost the U.S. economy $57 billion to $109 billion in 2016 alone. The reputational risks may be even higher than the financial risks. In the words of Societe Generale Global Chief Information Security Officer Stéphane Nappo, “It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.”
The IIA’s International Standards for the Professional Practice of Internal Auditing require that chief audit executives report periodically to senior management and the board regarding significant risk and control issues. The frequency and content of those reports should depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management and/or the board. If you, like most internal auditors, work at an organization that does not have clear, specific procedures for responding to and recovering from cyberattacks, it may be time to increase the frequency and content of communications regarding cyber threats and their potential consequences. The risks are too high to ignore.
The recent SEC report should serve as yet another reminder of internal controls regarding cybersecurity. This ever-present risk should always be on our radar, but when the SEC speaks, we should double down on our cybersecurity coverage.
I look forward to your thoughts on this important subject.