With annual audits under way, the SolarWinds breach spotlights a couple of major corporate governance gaps—the urgent need for better IT controls and limited board audit committee tech expertise. Such voids are precisely what cyber-criminals exploit.
The SolarWinds hack, among its many targets, affected leading tech firms and top government agencies. Unlike the infamous 2013 Target data breach when cyber-thieves stole vendor credentials to access confidential data, the SolarWinds hackers embedded malicious code in a trusted supplier’s software update.
The approximately 18,000 customers that downloaded the code were potentially vulnerable to an attack.
The malware is confirmed to have breached networks at prominent organizations including Cisco, Intel, Deloitte and U.S. Departments of State, Treasury and Homeland Security. The alarming news surely leaves boards wondering aloud whether their companies’ technology infrastructure is truly secure.
Audit questions
Major audit firms are asking the same questions and, accordingly, have further upped client IT controls scrutiny. Given this shift away from arcane accounting inspections, boards can no longer construct audit committees with only financial experts. They need to add tech leaders, with CIOs consulted regularly in oversight decisions and audit planning.
Without adequate compliance and control, no strategy can succeed. As supply chains in every industry rely more and more heavily on software, the SolarWinds hack shows that cyber risk can lurk in vendors’ inadequate controls. Even the most well-intentioned, non-tech independent directors are unlikely to be suitably prepared to address complex IT issues that are now central to operations, data security and audits.
Boards can no longer afford to take an approach that cybersecurity is not a problem until it’s a problem. PwC’s 2020 Annual Corporate Directors’ Survey found that two-thirds of respondents agreed that a cyber breach would reflect poorly on their board. Yet only 37% said they knew their company’s crisis management plan “very” well. Even fewer (32%) said they deeply understand cybersecurity.
At the audit committee level, KPMG’s most recent biannual Audit Committee Pulse Report ranked cyber risk atop corporate risk agendas. Related scores for organizational awareness, supply chain vulnerability, tech talent and system readiness all worsened from previous surveys.
The scale of the SolarWinds crisis may end boards’ cybersecurity inertia. So, too, will the potential legal fallout at SolarWinds, whose board will likely face legal and regulatory exposure. The combination of highly unfavorable business press and potential liability probably has every board’s attention now.
A blueprint for action
Boards’ ability to monitor cyber risks is hampered by a lack of director expertise, outdated and incomplete committee charters and highly diffused work responsibilities. Insufficient resources, weak oversight and poor coordination make matters worse—especially for invisible and elusive cyberthreats.
Here are five meaningful actions that boards, audit committees and executives should take to best prepare and protect their enterprises:
1. Revise the audit committee charter.
Most proxy statements and audit committee charters do not mention cybersecurity. Others reference it with just a few words under the banner of broader internal control oversight. Some charters are so antiquated that they still refer to “computerized information systems.” All need review, and many need immediate revision.
Apple is an example of best practice here. Its 47-point audit and finance committee charter dedicates a half-page to “Risk Oversight, Privacy and Data Security” duties.
When it comes to cybersecurity issues, Apple requires its committee to “regularly report to the Board the substance of such reviews and discussions and, as necessary, recommend to the Board such actions as the Committee deems appropriate.”
2. Recruit cyber-experts to the board and audit committee.
According to Corporate Board Member’s 2020 “What Directors Think” Report, 56% of leaders rated cybersecurity the “most challenging technology issue to oversee.” Only half reported that at least one of their board members was sufficiently knowledgeable about cybersecurity. In spite of this, only 17% of respondents selected IT/cyber experience as a top selection criterion for new board members!
Amazon is one company headed in the right direction. In September 2020, retired general Keith Alexander joined its board and audit committee. Alexander is the president and founder of advisory firm IronNet Cybersecurity and a former head of U.S. Cyber Command. Such experience clearly helps inform and elevate cybersecurity-related audit committee discussions and decisions.
3. Designate audit committee cyber-governance responsibilities on SolarWinds.
Not all boards are dismissive of cybersecurity risk, but often delegate it to committees other than audit. On FedEx’s board, for instance, one director serves on both the information technology and audit committees. Such overlap makes sense where it’s possible, but Spencer Stuart’s 2020 U.S. Board Index reports that only 12% of boards have technology committees.
UPS takes a different approach, with no director serving on both its audit and risk committees. According to the 2020 UPS proxy, its risk committee “oversees management’s identification and evaluation of strategic enterprise risks, including risks associated with intellectual property, operations, privacy, technology, information security, cybersecurity and cyber incident response, and business continuity.”
The audit committee more traditionally “oversees policies with respect to financial risk assessment, including guidelines to govern the process by which major financial and accounting risk assessment and management is undertaken.”
Its audit committee met eleven times last year, while its risk committee met just quarterly. The proxy statement reports that its CIO meets with the risk committee and the CFO meets with the audit committee.
UPS’s structure has major flaws. Relegating cyber risk to one of many agenda items discussed every three months is hardly enough. Cybersecurity should no longer be siloed and cannot be separated from audit planning. Audit committees need more tech expertise and CIOs should be updating them directly on IT controls. Overlooking increased risk often results in higher audit fees and potentially far worse data security problems.
4. Emphasize cybersecurity in internal control oversight.
IT control assessments and analytics are audit work’s future. Technology controls require special expertise, procedures and testing. Lax manual controls can undermine financial reporting and asset control, but cybersecurity lapses can be far more damaging.
The consequences can include technology outages, reputation impairment, regulatory punishment and unimaginable legal problems. The internal control section of the audit committee charter should be expanded to include specific cybersecurity requirements, given the pervasive role that technology now plays in almost all corporate activities.
5. Use charters as planning and review checklists for cybersecurity.
Even the best designs need careful implementation. Charters should serve as the checklists for all board and committee planning, as well as for reviews. As board member and committee assessments become more common, evaluating achievements against listed expectations should be the norm.
The reviews should make clear that audit committees have taken the necessary steps to oversee the design and effectiveness of preventative and detective IT controls, data integrity assurance, crisis response protocols and system maintenance and upgrade plans. If not thoroughly documented, auditors will only wonder if the work was really done.
Your next, next and next move
The dynamic business marketplace requires corporate governance to adapt much faster to change, especially when it comes to digital risks. Cybersecurity cannot be simplified as alternating offensive and defensive countermoves. Just like chess masters, cyber-governance winners among corporations will be the ones whose management teams and boards of directors strategize several moves ahead in a bid to thwart breaches.
Source: Forbes