In today’s digital world, it is no longer a matter of if most companies will face a data breach, but when a breach will occur. Given the potential exposure and risk to a company’s valuable assets and information, the board of directors’ duty of oversight must include a focus on cybersecurity. In-house counsel can and should play a key role in facilitating the board’s cybersecurity work.
One major tool available to in-house counsel is an internal audit team. Internal auditing is critical for helping companies manage cybersecurity threats and preventative programs. Attorneys are often involved in evaluating existing and necessary controls, and are also responsible for working with both the audit committee and board to understand and address potential cybersecurity risks. Steven R. Walker, general counsel and managing director for the National Association of Corporate Directors (NACD) Board Services Group, recommends that attorneys focus on four key internal audit issues:
Be aware of the internal audit team’s resources.
Walker recommends that in-house counsel consider “the adequacy of the internal audit team’s resources for dealing with cyber risks.” He explains, “Although internal auditors at many companies are sharpening their focus on cybersecurity, these teams are often strained by the increased demand on their resources such as time, budget, and talent.” Walker emphasizes the importance of the internal audit team’s human resources. Assembling the internal audit dream team is no small task, but it’s an essential resource for cybersecurity. Walker explains that finding and retaining staff with the right skill and industry-specific experience is often challenging, and it is not unusual for companies to heavily invest in training and development for privacy and security personnel. “A focus on retaining this talent is crucial to any business,” he says. Therefore, in-house counsel should prepare their companies to prioritize developing, training, and adequately allocating resources to the internal audit team.
Keep the internal audit team in tune with your business.
Walker also emphasizes the importance of engagement between the internal audit team and the business it serves. “It is a well-known fact that in order to understand where the cyber risks are coming from, you have to understand how the business works,” says Walker. “That means not only looking at firewalls, networks and apps, but also understanding the company’s operations and how it interacts with customers and vendors.” Cybersecurity risks are moving targets. Most of the vulnerability lies in a company’s human element. In-house counsel should advise their companies to give internal audit teams a clear and thorough understanding of business operations. One possibility Walker recommends is to keep a “revolving door” for internal audit staff to stay in tune with the company. Companies could “implement a rotation of internal audit staff into and out of business units and other functional areas,” he says.
Stay connected and coordinated with the internal audit team.
Walker also emphasizes that “the level of coordination between the internal audit team and other key functions is critical to success.” Therefore, internal audit teams should be given access to other members of the cybersecurity “dream team.” “Audit committees should make sure the internal audit team has frequent and robust interaction with others in the organization who have roles in protecting digital assets,” says Walker. “This can include the chief information officer and chief information security officer, as well as human resources, supply procurement, and business leaders.” Coordination can make or break any important undertaking — and cybersecurity is no exception. In-house counsel should facilitate and promote opportunities for the internal audit team to stay coordinated with other key cybersecurity players.
Don’t forget to seek auditing outside the company.
Walker also notes that “internal auditing has a significant role vis-à-vis outside vendors.” The internal audit team’s functionality extends beyond the company’s own business units. They can also assist with auditing service providers and third parties. This is especially important because these outside vendors may not be on the same level of cybersecurity awareness and preparedness. “Service providers and third parties can pose significant cybersecurity risks. Unannounced audits of vendors by the internal audit team are an important tool in assessing potential weak links,” says Walker. This is especially important as the data systems of companies across the value chain become increasingly interconnected. The relationship can also go the other way. “Outside experts can also provide value to the internal audit team and IT department by periodically conducting independent assessments of the company’s information security and cyber-risk profiles,” explains Walker. In-house counsel should emphasize the importance of developing a strategy to manage outside vendors as a critical element of internal audit. These four key issues are vital talking points for in-house counsel guiding their business partners, internal audit teams, and boards of directors. Cybersecurity, however, requires an ongoing, comprehensive approach, beyond just a few key issues.
Wondering where to start?
Get valuable insight on cybersecurity and board engagement at Getting the Board on Board: Explaining Privacy and Security Risks to the Board (For When the “If” Becomes “When”). This panel will be Session #306 during the Association of Corporate Counsel (ACC) 2016 Annual Meeting on Monday, October 17 from 2:30 PM – 4:00 PM. Industry speakers will provide insights and practical tips on how in-house counsel can help the board more effectively engage with and implement a company’s cybersecurity efforts. The featured speakers are Julie Gruber (executive vice president, global general counsel, and corporate secretary at Gap, Inc.), Olga V. Mack (general counsel at ClearSlide, Inc.), Steven R. Walker (managing director and general counsel at the NACD), Ed Paulis (vice president and assistant general counsel at Zurich North America), and Dr. Felix Wittern (partner at Fieldfisher).
The discussion will cover how in-house counsel can help address the board’s structure, education, and training, the board’s role in planning for a breach, and its role in responding to a breach and its aftermath. This insight will be indispensable for any cybersecurity-savvy counsel. We hope to see you there!
Walker and NACD recommend that audit committee members and internal audit staff discuss the following cybersecurity questions:
What interaction and coordination does the internal audit team have with other corporate functions (e.g., information technology, information security, operations, supply chain, human resources, etc.) related to cybersecurity matters?
What skill sets does your internal audit team have that are related to information security? Cybersecurity? How do team members keep their skills current? How do you retain team members?
Does the company perform internal and/or external system penetration testing? Are the tests announced or unannounced? What role, if any, does the internal audit team play?
What types of prevention, detection, and reaction/response testing does the internal audit team perform in the threat and vulnerability management life cycle?
What role, if any, does the internal audit team play during a breach?
What role, if any, does the internal audit team play after a breach has occurred?
Who performs cyber-related investigations within the organization?
What arrangements does the company have with legal counsel or other third parties (e.g., independent investigative functions) should the need arise for immediate assistance?
What is the process for communicating with regulators and law enforcement? For communicating with the public? How, if at all, is the internal audit team involved?
How, if at all, does the internal audit team interact with law enforcement during or after a breach?