South African business owners need to understand that cybersecurity is not just a technical consideration, but an enterprise-wide risk that needs to be addressed at board level.
This according to Brian Browne, principal in Mazars’ Cybersecurity Practice in the US, who says that the increasing digitisation of corporate assets, the proliferation of network connectivity, the disappearance of distinct corporate borders, and the increasing motivation and capabilities of cybercriminals has made cybersecurity a significant business risk.
“In 93% of data breaches, the targeted systems were compromised within minutes. 83% of the time, those breaches were not discovered for weeks, leaving the attackers with plenty of time to do their damage and exfiltrate data,” Browne says.
Browne adds that a recent publication by the non-profit organisation, the National Association of Corporate Directors (NACD), which operates both in the US and abroad, offers a number of guidelines for companies to manage their cyber risks effectively at board level.
“The NACD’s Director’s Handbook on Cyber-Risk Oversight outlines five key principles that boards should consider to enhance the oversight of cyber risks. The first of these is that directors need to approach cybersecurity as an enterprise risk, as opposed to an IT issue. Secondly, the board and the individual directors need to understand the legal and regulatory implications of cyber risks that are applicable to their organisation,” Browne explains.
The third principle, according to Browne, is that boards need adequate access to cybersecurity expertise. “In lieu of adding directors with cyber security expertise, boards can close this gap through deep dive briefings or examinations, leveraging existing independent advisors, such as external auditors and outside counsel, or participating in director education programmes.”
Browne continues that principles four and five stipulate that directors set the expectation that their company’s management team establish an enterprise-wide cyber risk management framework and that board management discussions about cyber risk include identification of which risks to avoid, which to accept and which to mitigate through insurance.
“Although the NACD Blue Ribbon Commission on Risk Governance recommended that risk should be a function of the full board, research indicates that over 50% of boards assign cyber risk oversight to the audit committee,” Browne says.
Bilal Vallee, IT audit anager at Mazars South Africa, points out that the role of internal audit to provide an independent and objective assurance of cyber risk management is critical.
“The internal auditor can independently assess cyber security risks and controls to ensure alignment with the organisation’s risk. This involves evaluating the effectiveness of cyber security controls in the first line of defence and reviewing the adequacy of cyber security frameworks, standards, risk assessments, and governance of the second line of defence,” Vallee says.
He adds that the need for South African companies to take control of cyber risks at board level is vital, in light of the King IV Report on Corporate Governance.
Vallee points out that, for smaller companies, compliance with King IV’s guidelines is still voluntary but for JSE listed companies it has been made compulsory to fulfil the requirements set out in the report.
“The King IV Report on Corporate Governance places numerous obligations on the board regarding the management, protection and oversight of technology and information. The board is required to carry out adequacy and effectiveness reviews of the organisation’s technology and information function, and to comply with certain disclosure requirements with respect to technology and information,” Vallee says.
He notes that King IV has broadened the traditional three lines of defence to five lines of assurance to further incorporate assurance role players. These five lines of assurance include: governing bodies and committees; oversight bodies that own and manage risk and opportunity; specialist bodies that facilitate and oversee risk and opportunity; internal assurance providers; and external assurance providers.
This further emphasises that assurance is about having an adequate and effective control environment and the importance of strengthening the quality of reports for better decision making.
“King IV requires the audit and risk committee to ensure that implementation of the assurance model results in combining, co-ordinating and aligning the required assurance activities across the various lines of assurance.” Vallee continues.
“Partnering with an auditor that has extensive cyber-security experience, not only provides companies with an independent perspective on compliance, potentially identifying gaps that can be addressed prior to any regulatory body audit, but can also help a business improve its cyber resilience in future,” Vallee concludes.