Today, board members increasingly face personal responsibility for their organization's cyber posture. This has raised the stakes for boards and created a need to gain real insight into their companies' cyber programs.
One of the most effective ways to do this is to conduct an independent cybersecurity audit. This key element of responsible organizational governance can provide proactive leadership and expose potential blind spots. Cybersecurity audits are also necessary to comply with regulations that hold boards of directors and executives accountable for validating the effectiveness of their companies' cybersecurity programs.
Recent Regulations
As cyber regulatory scrutiny increases, ongoing evidence of compliance is required. The Securities and Exchange Commission's 2023 rules on cybersecurity risk management, governance, and incident disclosure for public companies require boards to oversee a company's cybersecurity controls and to be able to demonstrate that oversight, while directors face growing personal exposure for failures. Public companies must also:
- Disclose material cybersecurity incidents within four business days of determining that the incident is material
- Describe the processes used to identify, assess, and manage material risks from cybersecurity threats, and whether those risks have materially affected, or are reasonably likely to affect, business strategy, results of operations, or financial condition
- Describe the board's oversight of cybersecurity risks and management's role in assessing and managing material risks from cybersecurity threats
Another recent example is the New York State Department of Financial Services' amended cybersecurity regulation, which requires certain covered entities to conduct independent audits of their cybersecurity programs and to integrate cybersecurity into their business strategies. The changes include:
- Additional controls and requirements for more regular risk and vulnerability assessments, and more robust incident response, business continuity, and disaster recovery plans
- Updated notification requirements, including reporting of ransomware payments
- Updated direction for companies to invest in cybersecurity training and awareness at least once a year
Such rules reflect the current trend toward increased regulatory oversight of corporate cybersecurity practices and disclosures. These frameworks already serve as models for similar regulations at the state and federal levels across the United States. In other words, cybersecurity audits are only becoming a more important part of companies' regulatory obligations.
Audit Process
While there is no one-size-fits-all approach to an effective cybersecurity audit, most companies benefit from an audit that includes four phases: defining the scope and collecting data; conducting the audit; validating the audit results through a simulated cybersecurity scenario; and presenting the final audit report to leadership.
In addition, companies should engage an independent auditor who is experienced with the systems and business flows the company uses. This allows everyone involved to get the most out of the audit process in an efficient manner.
The first phase involves defining the scope of the cybersecurity audit and gathering information about the company's program through document collection, custom surveys, and stakeholder interviews. The documentation collected should include cybersecurity-focused policies, procedures, and controls; contracts with vendors for critical systems; business continuity plans; cybersecurity insurance policies; incident reports; and the relevant information technology system architecture.
Auditors should also assess which regulations apply to the company. It is important that this determination be made independently, so that obligations and potential risks the company is not aware of are identified. This phase should result in a memorandum outlining the applicable regulations and summarizing the stakeholder interviews.
In the second phase, the auditor conducts the audit. This includes assessing how well the cybersecurity program complies with applicable cybersecurity laws, regulations, and standards; reviewing the collected documentation to identify risks, issues, and gaps in the program; identifying significant and material cybersecurity risks and issues; conducting on-site inspections and interviews; and performing a cybersecurity risk assessment.
The primary deliverable should be a draft memorandum summarizing the results of the cybersecurity audit and incorporating the findings of the activities described above. This includes a discussion of legal, business, and technical gaps and risks; areas that violate specific laws, regulations, or standards; and identification of the specific controls affected.
In the third phase, auditors simulate a cyber incident to validate the organization's cybersecurity program and evaluate it against the findings of the second phase. This typically involves the auditors developing and running a tabletop simulation based on recent cybersecurity incidents relevant to the company's industry, tailored to the organization's legal, business, and technical factors.
Each aspect of the scenario should be relevant to the company's business and environment and should exercise the risks, issues, and gaps identified in the second phase. A memorandum should summarize the observations from the simulated scenario, including participant feedback.
In the final phase, the auditor should deliver a detailed final audit report and a presentation summarizing the organization's cybersecurity posture to legal counsel, executive management, and the board of directors, along with recommendations for strategic improvements and risk management. This step allows the board to fully understand the state of its cyber program and to strengthen security measures as needed.
The above is an overview of the key elements that should be included in a cybersecurity audit process. However, every company has unique circumstances, threats, and technology environments that may require additional considerations.
Board members must take an active leadership role in ensuring their organization's cybersecurity. Independent audits provide board members with the data and tools they need to properly assess cyber risk and act on it.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author information
Daniel B. Garrie is a distinguished neutral at JAMS, an arbitrator, mediator, and special master with expertise in cybersecurity, data privacy, e-discovery, and intellectual property.
Anna Diaz Gessner contributed to this article.