Cybersecurity & Audit, CIO Involvement Grows, & Poor Security Culture – BSW #248

CFOs can expect to see more cybersecurity experts on their audit committees. Audit committee members increasingly say they need that expertise around the table to better manage this growing responsibility, according to a report by The Center for Audit Quality and Deloitte. Almost 100% of audit committees have members with finance and accounting expertise but only 35% have members who are strong in cybersecurity, the report finds. And yet cybersecurity is the fastest-growing risk focus for the committees.

All federal agencies must meet zero-trust goals that the U.S. Office of Management and Budget has set by 2024, building on earlier federal cybersecurity initiatives.

Half of CIOs are prioritizing security management this year, as CEOs push for IT and data security upgrades to reduce corporate risk, according to IDG's annual CIO survey, which included responses from almost 1,000 heads of IT and 250 line of business participants.

New federal rules taking effect this spring will require all U.S. banking organizations to meet two primary requirements: 1. Banking organizations must notify their primary federal regulator of any “computer-security incident that rises to the level of a notification incident” as soon as possible—but no later than 36 hours after a determination that such an incident has occurred. 2. A bank service provider must notify each affected banking organization as soon as possible when the provider determines it has experienced a computer-security incident that “has caused, or is reasonably likely to cause a material service disruption or degradation for four or more hours.”

Insureds who think they have coverage for cyber-related losses find that their insurance providers balk at paying claims—which is kinda the point of having insurance. Companies need to examine the scope and extent of their insurance policies, including cyberinsurance and non-cyberinsurance policies, as well as the nature of the risks they think they are insuring against. There are a host of traps for the unwary and the insurance discussion should include inside and outside counsel, risk management, HR and the cybersecurity team. The worst thing you can do is think you have coverage, pay for what you think is covered and find out that it’s not covered. The second worst is to only find out that it is covered after spending hundreds of thousands of dollars in legal fees.

The rapidly changing and fast-paced environment of today’s workplace requires leaders to have the tools and the skill sets they need to remain productive, efficient, and effective. With hybrid and remote work becoming more standardized and permanent, it falls to leaders to fill the void left by the COVID-19 pandemic. Communication must be the first step.

Corporate leadership is expected to set the tone for the entire company. That’s especially important with regard to how the organization approaches cybersecurity. If leadership doesn’t adopt strong security practices, chances are good that same attitude trickles down throughout the rest of the company, resulting in a greater risk of insider threats.