Authored by:
Janel Riley - National Audit Industry Leader, Technology
John Rodi -听Leader, 乐鱼(Leyu)体育官网 Board Leadership Center
Kyle Kappel -听U.S. Leader for Cyber
Jason Schneider - Audit Partner
Technology executives are bracing for an influx of cyber-attacks.
More than eight out of 10 technology, media and telecom (TMT) executives recently surveyed by 乐鱼(Leyu)体育官网 foresee increased cyber risk in the coming year. However, only 39% of respondents said their company can identify a cyber breach or attack within a week of it taking place and only 21% can contain it within a week of discovery.[1]听With breaches, ransomware, malware and other forms of attack on the rise, TMT companies have a lot to lose from a cyber event鈥攊ntellectual property, customer information, network infrastructure, data center access, competitive standing and, importantly, profits. According to IBM, the average total cost of a data breach in 2022 rose to $4.35 million globally and $9.44 million in the United States.摆2闭听
If we narrow the scope to technology companies specifically, the largest of which have millions of customer touchpoints and are already under intense public scrutiny, the operational, reputational, regulatory and financial risks become that much greater. With stakes like these, mitigating cyber risk has never been more critical.
From conversations with technology company boards, their audit committees and management, we鈥檝e identified three key actions boards should take to mitigate cyber risk:
1.听 Level up monitoring of management鈥檚 cyber preparedness to address the growing sophistication of threats
Boards are already making significant strides in monitoring management鈥檚 cyber security effectiveness. According to the 乐鱼(Leyu)体育官网 Board Leadership Center鈥檚听On the 2023 board agenda, boards are increasingly operating with greater IT and cyber expertise and sharpening their focus on how management implements company-specific dashboard reporting to identify critical risks and opportunities, assess cyber security talent, war-game various attack scenarios and more.[3]
And yet, despite this progress, the sophistication of threats is only accelerating, forcing companies and their boards to function in a continual state of catch-up. This phenomenon is particularly prevalent in the technology sector, as well as across media and telecom, where 83% of executives reportedly saw an increase in frequency of at least one type of cyber-attack over the past year.[4]听Like many other sectors, technology companies are prone to phishing and scamming incidents. However, they are also uniquely vulnerable to a range of more sophisticated cyber tactics. Per听乐鱼(Leyu)体育官网鈥檚 2022 Fraud Outlook, TMT executives were more likely than those in any other industry to report growth in malware (30% compared to 22% on average), social hacking (23% to 17%) and SQL injection attacks (18% to 11%).[5]
So, what makes technology companies, specifically, so vulnerable? Aren鈥檛 the most technologically savvy companies the most prepared for cyber events? Not necessarily. For one, technology companies are not only collecting, storing and managing data, they are also creating it. Constant innovation keeps these companies on the leading edge, but it also attracts bad actors. This is an industry-wide issue with cyber criminals targeting multiple technology companies at once to see where they can gain footing before striking.
Supply chain vulnerability is also a key concern. Technology companies face enhanced accountability for the security of their products鈥攚hether software, hardware or otherwise鈥攗p and down the supply chain, from the initial development of the technology to each customer touchpoint. In other words, the responsibility to mitigate cyber risk does not stop at point of sale. After all, a customer who purchases a new computer wants reasonable assurance that the company that sold it will remain vigilant of cyber vulnerabilities over the course of the computer鈥檚 life. Supply chain protection is particularly top-of-mind for management: 79% of technology executives surveyed by 乐鱼(Leyu)体育官网 view protecting their partner ecosystem and supply chain as just as important as building their own organization鈥檚 cyber defenses.[6]
Then, of course, there is reputational risk. We鈥檙e living in an era of intense scrutiny over how a company protects听and uses听customer data. Key stakeholders鈥攆rom customers to regulators to policymakers鈥攁re increasingly telling the largest technology companies, 鈥淛ust because you can doesn鈥檛 mean you should.鈥� The long-lasting reputational impact of a cyber-attack may in fact outweigh the financial repercussions.听
In light of the above challenges, technology company boards鈥攁nd their audit committees鈥攎ay need to sharpen their oversight in a number of critical areas, including:
- How sensitive management is to early warning signs of cyber events;
- The extent to which management embeds cyber considerations into the design process for new products and internal systems;
- Whether the company鈥檚 crisis response plan is robust and ready to go, taking into account the potential loss of critical infrastructure, such as data centers;
- The quality of processes and controls in place over cyber risk management, and whether they are keeping pace with the ever-evolving threat landscape;
- The cyber risks posed by the company鈥檚 entire supply chain; and
- If or when a cyber incident occurs, management鈥檚 ability to identify the source of the incident efficiently and effectively (i.e., a deficiency in internal controls) and put new procedures in place to prevent future incidents.
2.听 Keep a close eye on the regulatory environment and plan accordingly
As companies across sectors contend with the evolving cyber security landscape, understanding the impact of cyber risk on the company鈥檚 financial results and position is mission critical. Cyber security incidents can lead to additional expenses (including increased insurance premiums and legal liabilities), losses in revenue and diminished future cash flows.[7]听And, without appropriate controls in place, they also can lead to long-term litigation and reputational damage, impacting the company far beyond the current fiscal听 听year.[8]
Regulators are working to bring greater clarity to the connection between cyber risk and financial reporting. Under 2018 regulation from the U.S. Securities and Exchange Commission (SEC), companies that experience a cyber event are expected to provide reasonable assurance that information about the range and magnitude of financial impacts from that event be incorporated into financial reporting on a timely basis.[9]听This includes future effects as well, such as reduced revenues, increases in litigation, cyber security and insurance costs and the possibility of assets becoming impaired.[10]
In March 2022, the SEC took an even firmer stance, proposing new rules related to cyber risk management, strategy, governance and disclosure requirements for public companies.[11]听If enacted, the rules would increase the prominence of required disclosure on cyber security incidents in a number of corporate filings, including annual filings. They would also require disclosure of cyber events within four days of any incident being deemed material, and greater detail surrounding companies鈥� cyber security policies and procedures, management鈥檚 role in cyber security governance and the board鈥檚 level of oversight and expertise.[12]
With final SEC action on the proposed rule expected in the spring of 2023, companies across sectors, and their boards, need to prepare. For technology company boards, this should prompt an increased focus on the company鈥檚:
- Cyber security and privacy standards within the context of financial reporting.听Audit committees must play a key role in overseeing the impact of a breach or another cyber event on the financial statements.
- Inventory of all third-party relationships.听Dedicated assurance programs can verify cyber security protocols, strengthen vendor relationships and maximize related regulatory compliance across the supply chain.[13]
- Assessment of how future cyber regulation may impact the business.听While technology companies are already bound to extensive data privacy legislation, such as the General Data Protection Regulation and the California Consumer Privacy Act, they must also consider what future regulation from the SEC, the Federal Trade Commission or another governing body may mean for operations, strategy and reporting.
- Understanding of who will do the heavy lifting on regulatory compliance.听Boards may use new SEC reporting requirements as a marker to evaluate the composition of the company鈥檚 disclosure committee, making sure appropriate functional leaders (i.e., chief supply chain officer, chief information security officer and others) are included.[14]听They may also evaluate internally who will monitor compliance. The audit committee is traditionally tasked with cyber risk oversight, but the increased workload of SEC reporting may necessitate expansion to additional directors and committees.[15]
3.听 Recognize the link between cyber security and data governance
Once a standalone responsibility for the audit committee, we鈥檙e beginning to see cyber risk viewed under the larger umbrella of data governance. Companies and their boards are building robust data governance strategies to identify and address risks associated with cyber security, data privacy, data ethics and hygiene and artificial intelligence. While cyber risk has historically been the purview of the audit committee鈥攁nd audit committees clearly have a continued role in cyber risk oversight鈥攖he heightened complexity of the landscape means that oversight is increasingly touching multiple points on the board agenda. Where exactly it sits at the committee level depends on several factors, including the nature of the business, the company鈥檚 current level of cyber preparedness, the bandwidth of board committees and the unique skill sets of directors.[16]
For technology companies, this consolidation means that boards and audit committees must be ready to discuss and monitor cyber risk within the context of broader data governance issues. For example, fast-emerging technologies that will likely require increased board and committee focus include:
- Facial recognition software:听How is facial recognition data collected? Where is it stored? What are the associated privacy concerns and how is management mitigating them?
- Artificial intelligence and machine learning:听What are the ethical considerations? As technology continues to learn and adapt, what biases are implicit and how is management addressing them? What regulatory compliance (including E.U. regulations) and reputational risks are triggered by the company鈥檚 use of this technology?
Ultimately, how the board and management work together to address issues of data governance is the basis for digital trust: the confidence stakeholders have in the ability of an organization to harness digital technology to protect their interests and uphold societal expectations and values.[17]听As we鈥檝e seen countless times on the national and global scale, failing to preserve digital trust can have detrimental repercussions, financially, reputationally, legally and more.
Accountability and mitigation are critical
In today鈥檚 environment, technology companies must stay vigilant for data vulnerability. Cyber, privacy and other related data governance risks run rampant across the sector. Whether they arise in the earliest stages of product innovation or in customer data collection and storage, in machine learning or up and down the supply chain, technology company board members have their work cut out for them to anticipate and work with management to mitigate these risks.
The board must hold management accountable for action, or inaction, and should help leadership send and reinforce the message that the company鈥檚 security is the responsibility of every employee. Employee training, weaving data governance best practices into company culture and allowing for regular touchpoints between the board and the technology function are all integral to success. There is no one-size-fits-all approach. Instead, leaders say it takes a village, manned by skilled professionals who continually assess and identify emerging threats and develop comprehensive programs to address them.[18]听With the blistering pace of innovation in the technology sector, this is a tall order. However, by establishing a strong cyber risk management strategy today, technology companies can enjoy a sizeable competitive advantage tomorrow.