Cybersecurity oversight is a key fiduciary responsibility for a board of directors and was a significant concern for companies even before the COVID-19 pandemic forced so many organizations to suddenly shift to remote work. Data breaches and other cyber threats pose significant competitive, reputational, and litigation risks and require increasingly costly investments to prevent, detect, and respond to. Changes in the environment as a result of the pandemic have created new risks that need to be managed with board oversight.
With a cyber breach considered by most experts to be inevitable, cyber risk must be part of the board’s overall risk oversight. Keep in mind that directors don’t need to be technologists to play an effective role in cyber risk oversight. Every board can take the opportunity to improve the effectiveness of its cyber oversight practices.
The board should ask the following general questions to understand cybersecurity risk:
- What are our organization’s top five cybersecurity risks?
- How are we managing these risks?
- How is security governance managed?
- In the event of a serious breach, has management developed a robust response protocol?
The board should also ask the following technology- and pandemic-related questions, broken up into four categories: commitments, working from anywhere, compliance, and plans.
Commitments:
- How confident is the company (and the board) that technology commitments are being met despite people and technology disruption due to the pandemic?
Working from anywhere:
- How has the company secured information given that employees and contractors are working remotely?
- Is the company providing employees appropriate safeguards to securely operate remotely, including training?
Compliance:
- How is the company maintaining and validating compliance with its legal and regulatory requirements?
Plans:
- What are the company’s plans for the “worst-case scenario” for pandemic-related incidents or outages? Have tabletop exercises been performed?
- What new metrics is the company providing for the board to monitor risk, including company viability? Are communication triggers in place for cases of unexpected disruption?
- How has the company applied lessons learned about its pandemic preparedness from its own recent situations or those of others in its industry?
- What changes to the scenario planning need to be made to improve the company’s future resilience?
- Have appropriate resources, including funding and personnel, been allocated to manage future risk?
Broadening role for the board
The National Association of Corporate Directors defines two critical roles for corporate boards: (1) “overseeing management on behalf of shareholders and other constituencies”; and (2) “advising management, albeit with limited involvement in everyday company operations.” Amid the pandemic, the board has an enhanced responsibility to provide advice based on past experiences, across industries, and based on current experiences, across organizations. To support this expanded responsibility, boards are:
- Adding directors for technology risks due to, for example, the work-from-anywhere environment.
- Adopting a technology and cyber committee to work with the company’s pandemic team.
- Requesting expert sessions for technology and security considerations for managing through the pandemic.
- Continuing to ask about security and technology risks in the supply chain, including vendor and business dependencies.
The role of the company
In this board conversation, the company also has responsibilities. Here are some of the technology-related items for the company to address with the board.
Companies should be prepared to communicate to the board that they are learning from the past, are performing scenario planning/tabletop exercises, are updating their strategic plans where necessary, and are ready to roll as they are presented with new changes and challenges.
Companies should have strategic plans for the “next normal” and perform scenario planning to consider:
- Key employee dependency and succession planning.
- Commitments made to clients, regulators, etc. for security, availability, confidentiality, and compliance.
- Primary vendor, business partner, and service organization dependency for technology and security commitments (with knowledge that outsourcing does not remove company accountability).
- Rolling employee and contractor unavailability.
- Rolling supply chain unavailability.
- Sudden facility unavailability.
- Client or supply chain entity bankruptcy or other viability issues.
- Technology and technology-dependent commitments made via contracts or other agreements.
Then, companies should be prepared to answer questions related to the items noted above.
In conjunction with the overall strategy and scenario planning, technology is an enabler for success. Technology leaders such as the chief information officer and chief information security officer should communicate cyber risk to the board.
This is more of an art than a science. Technology leaders should not fall into the trap of presenting technical details about vulnerabilities. Rather, they should prepare to discuss issues in terms of “business risks” and the options the company has to manage the risks so that executives and the board can make decisions.
For example: “To maintain our competitiveness and business viability, we must be able to collaborate on client matters anytime and anywhere,” and to do so, we have three options:
- Option A: Do nothing.
- Option B: Implement a cloud solution to address the risks related to security, compliance, information retention, etc.
- Option C: Implement a cloud solution to help support our legal, regulatory, and risk management obligations; or implement security enhancements such as multifactor authentication, encryption for client communication, and backup resources to support quicker recovery.
Audit committee considerations for auditor responsibilities
Lastly, external auditors have responsibilities, too. Auditors should get a sense for the level of oversight from a board and review meeting minutes, noting risk assessments reviewed, strategic plans assessed, and scenario planning performed. For external auditors, there will be a focus on general disclosures about the pandemic and its overall impact on a reporting entity, along with other topics, such as:
- Asset impairments;
- Going concern;
- Use of estimates;
- Lease concessions;
- Paycheck Protection Program loans and Economic Injury Disaster Loans;
- Income taxes; and
- Subsequent events.
Key leadership role
Board leadership is critical and must continue to evolve in response to the pandemic. Technology and security are foundational areas to monitor for company success. Protecting your organizational information is now more important and as complicated as ever.
Editor’s note: The author discussed this topic on the Aug. 27 episode of the Go Beyond Disruption podcast with host Jim Gilbert, CPA/CITP, CGMA, and Jeff Olejnik of Wipfli LLP.
— Audrey Katcher, CPA/CITP, CGMA, is partner, Business Advisory Services at RubinBrown LLP. To comment on this article or to suggest an idea for another article, contact Jeff Drew, a JofA senior editor, at Jeff.Drew@aicpa-cima.com.