Cybersecurity governance

July 2019

Cybercrime is estimated to cost the world trillions of dollars annually,[1] and even companies with the best preventative measures in place are vulnerable to cybersecurity breaches. “This is a fundamental, existential risk to enterprises. The entire organization can go down,” a member of the Audit Committee Leadership Network (ACLN) said. Policymakers, too, are keenly aware of the threat. Europe’s General Data Protection Regulation requires rapid breach notification and threatens massive financial penalties. In the United States, Securities and Exchange Commission guidance calls out the board’s role in cybersecurity oversight: “We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

Given the importance of this risk, audit committee chairs are eager to learn and implement techniques for improving board-level cybersecurity oversight. On June 7, 2019, members of the ACLN and the European Audit Committee Leadership Network (EACLN) met in New York to discuss cybersecurity governance with two guests: Marianne Brown, a member of Northrop Grumman’s board of directors and co-chief operating officer of FIS, and Diana McKenzie, audit committee member at MetLife and former chief information officer at Workday and Amgen.