In April 2018, the Center for Audit Quality (CAQ) released a document to help board directors fulfill their fiduciary duties regarding the oversight of cyber risks. Titled “Cybersecurity Risk Management Oversight: A Tool for Board Members,” this short, 10-page document consists of questions for board members to ask top management and financial statement auditors, with the aim of improving cyber risk management and increasing overall engagement among business leaders.

Four Key Takeaways From the CAQ Guidance

The questions are organized into four main areas: how auditors may or may not be considering cyber risks in their scope of work, the roles of management and auditors regarding cybersecurity disclosures, how business leaders approach their risk management responsibilities, and how CPA firms can help boards improve oversight of cyber risks. Let’s take a look at these four categories in more detail.

1. How Financial Statement Auditors Evaluate Cyber Risk

The first section of the CAQ guidance urges board directors to understand how financial statement auditors consider cyber risks. It asks directors to establish the extent to which the audit process itself addresses cyber risk, and whether the auditors’ procedures are sufficient to assess the effectiveness of the security controls within their scope.

2. The Roles of Management and Auditors in Cybersecurity Disclosures

The next section concerns the organization’s responsibilities for, and handling of, cybersecurity disclosures, and directly addresses the U.S. Securities and Exchange Commission (SEC)’s updated guidance on that topic. It advises organizations to implement policies and procedures that ensure accurate and timely disclosure of material cyber events, to address and prevent insider trading in the window before news of a breach reaches the public, and to involve representatives from top management and the board in the disclosure process.

3. Business Leaders’ Approach to Cybersecurity Risk Management

The CAQ document also stresses the importance of selecting the right cybersecurity framework and considering the best way to communicate information about the cyber risk program to other stakeholders within the organization. It also asks board directors to consider whether management has processes in place to evaluate the effectiveness of the risk management program and implies that controls should be regularly evaluated.

In addition, the guidance urges board members to determine whether the organization’s leadership has purchased sufficient cyber insurance, addressed third-party risks and developed mechanisms to cope with potential breaches involving outside vendors.

Finally, the third section of the document advises board directors to determine whether the organization has conducted a data breach simulation to gauge top leadership’s ability to respond to an incident, in terms of both the immediate post-breach response and the public disclosure.

4. How CPA Firms Can Help With Cyber Risks

The final section of the guidance explains that boards should explore opportunities to recruit additional help, whether from the organization’s current auditing partner or another firm, to navigate through the many challenges associated with cybersecurity. According to the document, an audit “cannot prevent or detect a cybersecurity threat or breach,” thus directors should ask, “What is the goal of the cybersecurity examination?” They should also determine what other types of engagements are feasible to help improve the organization’s handling of cyber risks.

Dovetailing With NACD and AICPA

The CAQ document also makes brief but significant references to the work of two other important entities. First it cites the American Institute of CPAs (AICPA)’s work to keep the auditing profession relevant, including the recent release of its cybersecurity risk management reporting framework. It then references the National Association of Corporate Directors (NACD)’s effort to improve board directors’ awareness and engagement around cyber risks. Of the 10 pages in the CAQ document, three consist of lists of questions extracted from the NACD’s “Director’s Handbook on Cyber-Risk Oversight,” which was published the previous year, in 2017.

The Conspicuous Absence of Cyber Resilience

The CAQ oversight guidance is one of the most condensed publications I’ve seen to date that provides useful and actionable information to board directors about cyber risks. However, I can’t help but wonder why it fails to address cyber resilience at all. The topic has gained a lot of attention in light of recent ransomware disruptions, which have shown that the ability to keep operating and to recover matters as much as the ability to prevent an intrusion.

While it’s easy to assume that cyber resilience is included under the broader umbrella of cyber risk management, the organization’s ability to respond to and recover from cyber incidents deserves explicit attention from top management and board directors. That means putting the company’s capabilities to the test, whether through penetration testing exercises, crisis simulations, or both, rather than taking the response and recovery plans on paper at face value.

Board directors should also pay close attention to whether the organization’s processes are maturing and improving. The CAQ document notes that business leaders might be able to leverage a CPA firm to help assess the organization’s cybersecurity maturity level.

Even with these minor shortcomings, the CAQ’s “Cybersecurity Risk Management Oversight” tool is a condensed, powerful set of guiding questions that should be on the desktop of every board director, CEO and CISO.
