Your Business News
Why cyber risk is still a main responsibility for board members
September 9, 2022
Authored by RSM Canada LLP
Joel A. Humphrey, CPA, CA shared this article
VIDEO | September 09, 2022
Boards have contended with many risks recently, from the pandemic to supply chain disruptions to the war in Ukraine to the threat of a recession. But one risk should always remain top of mind: cyber risk. Cybersecurity should be a priority not only within the board's company, but also within that company's ecosystem of vendors and customers, as well as in the governments in countries where those parties do business.
Sudhir Kondisetty, a partner, consulting principal and national information technology risk leader at RSM US LLP, sat down with Directors & Boards (D&B) to discuss the board’s role in addressing cyber risk, including how to mitigate potential attacks.
Below is a transcript of the discussion; the conversation has been edited for clarity and length.
D&B: Sudhir, can you provide us a landscape view of potential infrastructure risks and concerns around cyber risk?
Kondisetty: It has really changed over the last decade. It used to be that cyber risk was focused on building a perimeter defense, including firewalls and external devices, to protect your internal data and systems. However, what we've seen with the growth of cloud applications and data center outsourcing is that very little information is stored exclusively on-premises of an organization.
In the last few years, there has been a refocus on, how are you protecting your data, wherever it is? Consider cloud due diligence, data center due diligence, vendor risk management, looking at all the possible attack factors for an intruder—for not only yourself, but also your vendors. And that's been the biggest sea change we've seen in cybersecurity in the last 10 years.
"A breach is a big deal. We don't like to use that word breach until it really is a breach. But knowing how to identify it, having a plan in place, knowing who you're going to call—that's all important to have built out before an incident happens."
Sudhir Kondisetty, a partner, consulting principal and national information technology risk leader at RSM US LLP
D&B: As a current RSM board member, you have a unique perspective on how boards can look at such risks. What do you recommend boards do to get ready for those kinds of risks—cloud and off-premises risks?
Kondisetty: It's twofold. Number one is you really need to dig into what your security department and IT department are doing. If you get the answer, “They've just outsourced it, so everything's fine; they don't have to worry about the problem,” that is the problem. You have to make sure they're understanding that their responsibility around security does not stop when they've outsourced it.
You need to dig into, what are they doing to perform that due diligence on their vendors? What is their responsibility, as opposed to their vendors’ responsibility? That is when most attacks occur. They originate from inside, meaning someone's desktop or mobile device is compromised and sends information out. That person may have trusted access to an application in the cloud, and they're pulling data down, and now that's available. Your security and IT departments still have a responsibility on the internal network.
But I think the most important thing is, security is not absolute. I think we've seen that with Fortune 100 companies that have spent millions of dollars on security infrastructure and personnel, and with government agencies that have been hacked and suffered data loss. The idea must be, it’s not a matter of if we're going to be hacked, it's when—and are we going to be in a position where we can suffer data loss?
Having a good plan in place to respond to an intrusion is really important. A breach is a big deal. We don't like to use that word breach until it really is a breach. But knowing how to identify it, having a plan in place, knowing who you're going to call—that's all important to have built out before an incident happens.
D&B: Do you recommend that a board go through an incident response drill or a tabletop exercise on a breach to help exercise the muscles?
Kondisetty: Absolutely. Just like you do with a disaster, you go through the exercises. You don't actually have to call the FBI. You don't actually have to execute the plan. But, yes, a tabletop exercise making sure people are available.
I've seen some clients actually pull the plug on the internet. Those that can operate predominantly in business hours, they can take that step of actually disconnecting and see what happens. That does give you a little bit of extra protection and understanding of, if this system's down, how does it affect other systems? I would go so far as to investigate if that's possible. If not, a tabletop exercise with all the parties involved is a great idea.
D&B: What key takeaways do you have for board members as they think about cyber risk? It's easy to say this is too technically complicated. What can they do to be better at this?
Kondisetty: One important thing is when you are selecting board members, have someone on the board who's technically savvy. That does not mean they have to be an energy security engineer or a hardcore programmer or anything like that. But they should have a background in and understanding of technology.
Number two, I would have regular updates from the security office—or if you don't have a security office, the CIO—on what is happening on the security front. We, for example, have a quarterly meeting with our CIO and CSO concurrently in one of our committees, and then they do an annual presentation to the board. This allows us to see trends, what struggles they're facing, what new technology they're putting in place.
Security is always changing, and you need that steady rhythm of communication from management to really understand what's happening.
Call us at 1 855 363 3526 or fill out the form below and we'll contact you to discuss your specific situation.
This article was written by Sudhir Kondisetty and originally appeared on 2022-09-09 RSM Canada, and is available online at https://rsmcanada.com/insights/services/risk-fraud-cybersecurity/why-cyber-risk-is-still-a-main-responsibility-for-board-members.html.
RSM Canada Alliance provides its members with access to resources of RSM Canada Operations ULC, RSM Canada LLP and certain of their affiliates (“RSM Canada”). RSM Canada Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM Canada. RSM Canada LLP is the Canadian member firm of RSM International, a global network of independent audit, tax and consulting firms. Members of RSM Canada Alliance have access to RSM International resources through RSM Canada but are not member firms of RSM International. Visit rsmcanada.com/aboutus for more information regarding RSM Canada and RSM International. The RSM trademark is used under license by RSM Canada. RSM Canada Alliance products and services are proprietary to RSM Canada.
FCR a proud member of RSM Canada Alliance, a premier affiliation of independent accounting and consulting firms across North America. RSM Canada Alliance provides our firm with access to resources of RSM, the leading provider of audit, tax and consulting services focused on the middle market. RSM Canada LLP is a licensed CPA firm and the Canadian member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.
Our membership in RSM Canada Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.
For more information on how FCR can assist you, please call us at 1 855 363 3526