European Audit Committee Leadership Network, May 2015
On 8-9 April 2015, members of the European Audit Committee Leadership Network (EACLN) met in London to discuss cybersecurity, among other topics. For the session on cybersecurity, members were joined by Helen Arnold, Chief Information Officer and Chief Process Officer at SAP SE; François Brisson, global head of Cyber & Technology for Swiss Re; and Chris Gibson, director of the United Kingdom’s national Computer Emergency Response Team (CERT-UK). This ViewPoints provides a summary of the key issues raised during the discussion, along with background information and insights that members shared before and during the meeting.
Cybersecurity has become a top boardroom issue in recent years. Besides the economic cost of cybercrime, which is estimated at between $375 billion and $575 billion annually, a breach can also damage a company brand or market value, factors that cybercriminals are now exploiting. “The cybercriminals are figuring out they can make more money by manipulating share prices and selling stocks than selling credit card numbers,” said an EY cybersecurity expert.
At the EACLN meeting in London and in conversations with members before the meeting, discussion focused on several themes related to dealing with cyberrisks and cybersecurity:
Assessing cyberrisks is difficult due to the evolving nature of the risk, but good practices are surfacing. For example, experts recommend identifying the most important assets of the company and then making sure they are well protected. Knowing what type of attack the company might be at most risk for (such as IP theft, customer information theft or malicious shut down of operations) can also help a company understand its cyberrisk profile and put proper plans in place to mitigate those risks.
Mitigating cyberrisks requires more than a technological approach. Making cybersecurity part of the company culture can help create a “human firewall” of protection for company assets. Such a plan would include the CEO taking a leading role in overseeing cybersecurity and the company providing training for all employees, not just on how to defend against attacks but also on how to respond should an attack occur.
Audit committee and board oversight of cyberrisks and cybersecurity
EACLN members agreed that cybersecurity needs to be a full-board responsibility but said the audit committee can play a role, including evaluating controls and overseeing external and internal reporting on cybersecurity efforts. But members also said more standards are needed so boards can be sure they are providing the necessary oversight regarding cybersecurity.