Cybersecurity: Considerations for the audit committee




Insights on governance, risk and compliance, November 2012. Fighting to close the gap: Ernst & Young's 2012 Global Information Security Survey. Many organizations are taking steps to enhance their information security capabilities, but few are keeping up with an ever-changing risk landscape. Find out more at ey.com/giss2012

As technology continues to evolve, the benefits increase and so do the risks. Virtualization, mobilization and cloud technology have created new points of entry into businesses, leaving them vulnerable to covert cyber attacks. Many companies already have been breached, but not all of them know about it. Executives at many organizations say it's a struggle to contain the threats, and nearly impossible to thwart them. Ernst & Young interviewed more than 1,800 information security executives for the 2012 Global Information Security Survey, and 77% of them indicated an increase in external threats. Despite the enhancements companies have made, there is a gap between where security is and where it needs to be. Boards of directors are starting to take note, particularly members of the audit committee, who list cybersecurity among their top concerns.

Boardroom attention

Information technology (IT) is often a high-level agenda item discussed at least attack against US banks [1] and a resurgence of attacks on US companies from Chinese hackers [2] have shifted the IT conversation to cybersecurity and data protection, as well as made these discussions more frequent. Cybersecurity is not just a technology issue; it's a business risk that requires an enterprise-wide response. Yet only 38% of the executives who responded to the recent survey said they align their information security strategy to the organization's risk appetite and risk tolerance. Effective information security transformation requires leadership, commitment and the capacity to act.

1. Joseph Menn, "Cyber attacks against banks more severe than most realize," Reuters, 18 May 2013.
2. David E. Sanger, "Chinese Hackers Resume Attacks on U.S. Targets," The New York Times, 19 May 2013.

Getting up to speed

Most audit committee members do not have deep knowledge of technological issues. They therefore rely more heavily on the to provide them with perspectives on IT risk management. Still, only 54% of survey respondents said they discuss information security in the boardroom quarterly or more frequently. provide data, such as the number of to convert the data into meaningful information that could help audit committees and boards better understand the possible risks facing the entity. On top of that, board and audit committee members may not know how to evaluate the quality of the information they receive or ask the right follow-up questions.

Uncertainty can lead to hesitation, and inaction can damage the company's brand and reputation, disrupt business consequences of a cyber attack are often not well understood. Theft of funds and intellectual property is not the only risk. There are costs associated with losses expenses associated with remediation. performance, ultimately reducing earnings per share and the company's overall market value.

on businesses to cut costs where they can, and technology helps streamline the process. But the same technologies that propel businesses forward are the ones creating new risks. Companies want to increase operational responded to the Ernst & Young survey said they have moved to the cloud or plan to do so. However, 38% of those moving to the cloud indicated that they haven't done anything to mitigate the potential risks inherent in the cloud, such as legal, regulatory and compliance risks around data privacy. The majority of those who have taken measures are employing encryption techniques and stronger oversight of the contract management process for cloud service providers.

Social media is another method companies use to enhance their brand by interacting with customers. The around-the-clock availability means that it can take little time or effort to damage a company's reputation. Challenges include data security, privacy concerns, regulatory compliance and concerns about employees' use of work time and equipment to engage in social media. Thirty-eight percent of the companies represented in the survey don't have a coordinated approach to social media usage within or by the organization.

For many companies, mobile technology goes well beyond cell phones. Tablet computer use has more than doubled since 2011, with 44% of survey respondents now allowing company or privately owned tablets. Thirteen percent support the use of privately owned tablets through a bring-your-own-device policy. As employees spend more time away organization becomes tougher to control. But fewer than half of the organizations surveyed use encryption techniques to protect their information while tablets are in use.

59% of respondents say they have moved to the cloud or plan to do so.

Whose job is it?

An effective security strategy needs to work in tandem with different functional areas. In the 2012 survey, 63% of the participants said the IT function is responsible for information security efforts. Twenty-six percent have made the CEO, CFO or COO responsible, making it a C-suite issue. But only 5% have given the task of information person most responsible for managing the

While external threats ranging from hacktivism and state-sponsored espionage to organized crime and terrorism continue to increase, [3] so do instances of internal vulnerabilities. Inadvertent data loss is escalating, whether the source is a careless worker or a disgruntled former employee. Thirty-seven percent of those who responded to the survey said careless or oblivious employees were among the threats that had most increased their enterprise's risk exposure. Organizations must go beyond protecting the perimeter. They should also focus on protecting the data itself. It will take money and resources to train employees across the enterprise to keep information safe. However, only 22% of respondents said they plan to spend more on cybersecurity in the next 12 months.

Putting the right processes in place would be a big step forward. However, the majority of organizations represented don't have a structured, effective framework for assessing and managing security risks. Instead, they indicated they rely on a patchwork of non-integrated, complex and fragile defenses. Sixty-three percent of respondents don't have a formal security architecture framework in place, and they don't plan on using one. Only 56% conduct penetration tests, and 19% fail to test at all.

3. David E. Sanger and Nicole Perlroth, "Cyber attacks against U.S. Corporations Are on the Rise," The New York Times, 12 May 2013.

What is your role?

The company's board should set the tone for enhancing security and determine whether the full board or a committee should have oversight responsibility. In some cases, a risk committee, executive/operating committee or the audit committee will be given the oversight charge. Some audit committees may need better information about the company's processes, and they should leverage that information to understand what oversight is necessary. They should understand whether management has the right people and processes in place. The audit committee's action plan will depend on the company's level of maturity in managing security risks, and it may require more attention and time in sectors where these risks and the potential for services institutions. Depending on the circumstances, some boards of directors may want to consider bringing someone with a deep understanding of IT issues onto the board or audit committee.

Audit committees should ask questions programs and then ask for benchmarks: how is the company doing relative to its competitors and the industry? They should also ask for an explanation of the measures that are in place to prevent or detect attacks. It's important to gauge the pulse of the company's tolerance for risk and evaluate the decisions made by management over which gaps are tolerable.

Questions for the audit committee to consider:

Has the company experienced an increase in the number of information security breaches?
What has the company done to bolster its information security program?
Is information security an IT function within the company? If so, to whom does it report?
Is there anyone on the audit committee or on the board with an IT background?
Is the audit committee involved in planning for better management of information security risks?
How often does the committee discuss cybersecurity? Who presents that information to the board?
Does the audit committee seek or receive routine updates on risks and advancements in information security?

Ernst & Young
Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

Ernst & Young Global Limited operating in the US.

2013 Ernst & Young LLP. All Rights Reserved.
SCORE no. GA0001
BSC no. 1303-1046255

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. In any specific matter, reference should be made to the appropriate advisor.

ED 0114