In April 2018, the Center for Audit Quality (CAQ) released a document to help board directors fulfill their fiduciary duties regarding the oversight of cyber risks. Titled “Cybersecurity Risk Management Oversight: A Tool for Board Members,” this short, 10-page document consists of questions for board members to ask top management and financial auditors to improve cyber risk management and increase overall engagement among business leaders.

Four Key Takeaways From the CAQ Guidance

The questions are organized into four main areas, including how auditors may or may not be considering cyber risks in their scope of work, the roles of management and auditors regarding cybersecurity disclosures, how business leaders approach their risk management responsibilities, and how CPA firms can help boards improve oversight of cyber risks. Let’s take a look at these four categories in more detail.

1. How Financial Statement Auditors Evaluate Cyber Risk

The first section of the CAQ guidance urges board directors to understand how financial statement auditors consider cyber risks. It asks directors to pay attention to the extent to which the audit process itself addresses cyber risk and whether the auditors’ procedures are sufficient to assess the effectiveness of the relevant security controls.

2. The Roles of Management and Auditors in Cybersecurity Disclosures

The next element concerns the organization’s responsibilities and handling of cybersecurity disclosures, and directly addresses the U.S. Securities and Exchange Commission (SEC)’s updated guidance on that topic. It advises organizations to implement appropriate policies and procedures to ensure accurate and timely disclosure of material cyber events, address and prevent insider trading before the news of a breach reaches the public, and involve representatives from top management and the board in the disclosure process.

3. Business Leaders’ Approach to Cybersecurity Risk Management

The CAQ document also stresses the importance of selecting the right cybersecurity framework and considering the best way to communicate information about the cyber risk program to other stakeholders within the organization. It also asks board directors to consider whether management has processes in place to evaluate the effectiveness of the risk management program and implies that controls should be regularly evaluated.

In addition, the guidance urges board members to determine whether the organization’s leadership has purchased sufficient cyber insurance, addressed third-party risks and developed mechanisms to cope with potential breaches involving outside vendors.

Finally, the third section of the document advises board directors to determine whether the organization has conducted a data breach simulation to gauge top leadership’s ability to respond to an incident, in terms of both the immediate post-breach response and the public disclosure.

4. How CPA Firms Can Help With Cyber Risks

The final section of the guidance explains that boards should explore opportunities to recruit additional help, whether from the organization’s current auditing partner or another firm, to navigate through the many challenges associated with cybersecurity. According to the document, an audit “cannot prevent or detect a cybersecurity threat or breach,” thus directors should ask, “What is the goal of the cybersecurity examination?” They should also determine what other types of engagements are feasible to help improve the organization’s handling of cyber risks.

Dovetailing With NACD and AICPA

The CAQ document also makes brief but significant references to the work of two other important entities. First it cites the American Institute of CPAs (AICPA)’s work to keep the auditing profession relevant, including the recent release of its cybersecurity risk management reporting framework. It then references the National Association of Corporate Directors (NACD)’s effort to improve board directors’ awareness and engagement around cyber risks. Of the 10 pages in the CAQ document, three consist of lists of questions extracted from the NACD’s “Director’s Handbook on Cyber-Risk Oversight,” which was published last year.

The Conspicuous Absence of Cyber Resilience

The CAQ oversight guidance is one of the most condensed publications I’ve seen to date that provides useful and actionable information to board directors about cyber risks. However, I can’t help but wonder why it failed to address cyber resilience altogether. This topic has gained a lot of attention in light of recent ransomware disruptions.

While it’s easy to assume that cyber resilience is included under the broader umbrella of cyber risk management, it’s time for top management and board directors to engage in efforts to improve the organization’s ability to respond to and recover from cyber incidents. That means putting the company’s capabilities to the test, either through penetration testing exercises or via crisis simulations.

Board directors should also pay close attention to whether the organization’s processes are maturing and improving. The CAQ document notes that business leaders might be able to leverage a CPA firm to help assess the organization’s cybersecurity maturity level.

Even with these minor shortcomings, the CAQ’s “Cybersecurity Risk Management Oversight” tool is a condensed, powerful set of guiding questions that should be on the desktop of every board director, CEO and CISO.
