Oct 28, 2015
The Case for Board Cyber Risk Oversight
By Eric Brown
Enterprise risk management model (ERM)
As the Audit Committee chair for a public company, I am continually evaluating the enterprise risk management (ERM) model to monitor multiple components of risk to the organization. These can be operational risks like talent departures or the acquisition of a new business unit; or financial reporting risks such as the deployment of a new transaction system or new revenue models. But the traditional ERM model struggles to incorporate a component that is arguably one of the more dangerous risks to some companies today: cyber security risk.
In today’s cyber landscape, any company that manages and maintains sensitive data should consider how the Board oversees this risk. This could be via a cyber risk chair or lead director on their Board’s Audit Committee.
As an Audit Committee Chair, I ensure the annual operating plan budget has the appropriate resources, personnel and tools to support the company’s Accounting and Finance functions. If cyber security is a high risk for a company, there should be a similar level of inquiry to ensure that the IT & Security groups have adequate support.
Cybersecurity should not be an afterthought
This is not oversight for oversight’s sake. In a recent NYSE study, one in five board directors indicated they only discussed cyber security after an internal incident or one in the same industry. A designated chair or lead director not only can ask the right questions proactively, but can work with management to establish a baseline corporate cyber risk profile, monitor management’s progress towards improvement/objectives, and ensure the right amount of resources are made available to mitigate a company’s risk and ensure its continued trust with stakeholders.
Many companies have already concluded they haven’t supported cyber security adequately — banking is an industry leading the way. Last year, CEO Jamie Dimon announced JPMorgan Chase would be increasing its cyber security spend by $500 million annually. Other financial institutions have followed this lead and made similar out-of-cycle increases to cyber security spending. In total, financial firms have set aside an additional $2 billion to revamp their systems above and beyond their current spending run rate.
Modern cyber risks require a paradigm shift for businesses, but many are not ready to evolve to address these emergent issues. In the early 2000s, in the wake of Enron and WorldCom, the Sarbanes-Oxley Act imposed strict accounting reforms on corporate financial disclosures, and the underlying transaction processing systems, to prevent accounting fraud. What followed was a substantial increase in compliance spending to meet these requirements. Today, costly and highly publicized breaches such as Sony and Anthem demonstrate that companies require a new infusion of cyber risk management process.
Questions to think about
If you’re in an industry with a high degree of cyber risk exposure — which means you handle and process financial data and sensitive data such as PII, PHI, PCI and IP-related data — it’s incumbent upon the board and the management team to look at this as a potential operating risk.
Start with these questions:
- What is the company’s level of cyber risk and what sources and types of sensitive data inform this assessment?
- Has the company created a baseline cyber risk assessment, and is there an ongoing process to map improvement over time?
- Is there a cyber breach response plan or crisis management plan?
- What information will be shared with the Board regarding cyber risk — is there a regular process to review status with the CIO at a Board committee level?
- Should we appoint a lead Director within the Audit Committee, formally expand the charter of the Audit Committee to include cyber risk, or is our cyber risk deemed high enough to create a separate, standing Cyber Risk Committee?
- What is the cost of cyber risk management in comparison to the cost of a data breach — have we looked at breaches in our industry to understand what the all-in costs of a breach are?
- Should the company consider a Cyber Security Insurance Policy or other new classes of security technology to mitigate risk and costs?
At the end of the day, managing cyber security falls to the entire management team — it’s not just a CIO or CISO issue but a CEO and executive team issue. Having cyber security represented at the Board level helps ensure that the right level of review occurs as the Board discharges their fiduciary responsibility to monitor overall company risk.
Eric Brown, Chief Financial Officer & Chief Operating Officer