Cyber risk tops internal audit list
Cyber risk was the most commonly cited threat by heads of internal audit across Europe regardless of nationality or business sector, according to a new report written by some members of ECIIA.
The EU’s General Data Protection Regulation and the broader challenge of managing data came second in the survey, Risk in focus: hot topics for internal audit 2018. The pace of innovation businesses face was the third most widely cited risk concern.
“The defining theme of this report is the fundamental impact that technology has in shaping, enabling and disrupting organisations’ operations and strategies,” Farid Aractingi, ECIIA President said. “This is a pressure that requires internal auditors to learn new skills and adopt innovative tools to bolster their capabilities in an increasingly digital world.”
The report’s research team interviewed chief audit executives (CAEs) from major organisations in six European countries – France, Italy, the Netherlands, Spain, Switzerland and the UK.
Not surprisingly, there were some regional differences. CAEs in the UK and Spain said that political uncertainty could expose their organisations to fresh threats and opportunities. In the UK, these views were largely prompted by the prospect of Brexit; in Spain they arose among multinational businesses that had expanded into Mexico and now faced the implications of the Trump administration’s hostile position towards that country.
Those in the financial services sector showed more concern over regulatory complexity than any other industry. Notably, CAEs at institutions in France, Italy, the Netherlands and Spain cited the continuing development of the European Central Bank’s three-year-old Single Supervisory Mechanism as a risk.
The European Commission has launched measures to strengthen cyber security across Europe.
It proposes to extend the powers of ENISA, Europe’s current cyber agency. In particular, the proposals aim to ensure ENISA is better placed to support member states in implementing the NIS Directive. And the agency will become a centre of expertise on cybersecurity certification, if the proposals are approved.
“ECIIA welcomes the strengthening of cross-border efforts to tackle the growing threat of cybercrime,” Henrik Stein, ECIIA President, says. “A more standardised certification system for ICT products across Europe could help improve assurance and transparency in the market.”
Implementing the NIS Directive is seen by the Commission as a vital plank in its cyber strategy.
“The NIS Directive is a first essential step with a view to promoting a culture of risk management, by introducing security requirements as legal obligations for the key economic actors,” says the paper.
Internal auditors will play an important role in ensuring organisations comply with the new security requirements and have systems in place to better combat cybercrime.
The cyber security package was issued by the Directorate-General for Communications Networks, Content and Technology.
It builds on the Commission’s objectives to:
Increase capabilities and preparedness of Member States and businesses
Improve cooperation and coordination across Member States and EU institutions, agencies and bodies
Increase EU-level capabilities to complement the action of Member States, in particular in the case of cross-border cyber crises
Boost awareness of citizens and businesses on cybersecurity issues
Increase the overall transparency of cybersecurity assurance of ICT products and services to strengthen trust in the digital single market and in digital innovation; and
Avoid fragmentation of certification schemes in the EU and of related security requirements and evaluation criteria across Member States and sectors.
ECIIA members attended a free cyber risk governance conference held in Brussels on 29 June, hosted by MEP Antanas Guoga.
The event – organised jointly by ECIIA and FERMA – presented recommendations for a new cyber risk governance model designed to include key internal stakeholders, including the risk and audit committees. The model and the other recommendations were developed by a working group representing risk managers and internal auditors from eight EU countries and were presented at the event.
The proposed model will increase cyber-resilience and define both the key stakeholders and the conditions for success.
ECIIA and FERMA collaborate in cyber risk initiative
Given the growing risk posed by cyberattacks on businesses across Europe, ECIIA and the Federation of European Risk Management Associations (FERMA) have launched a joint initiative aimed at helping organisations strengthen their cyber defences.
The group’s key objective is to help define the best governance model for managing cyber risk. The two bodies set up a working group to explore the scope and range of the work needed, which held its first meeting on 11 January 2017 in Brussels.
“We want to explore ways of helping organisations create better risk management and auditing structures to deal with this threat,” Henrik Stein, ECIIA President, says. “Given the fast-moving nature of cyber-risk and recent European legislative changes, a fresh look at how such threats are managed is timely.”
The group will
The European Parliament adopted the Network and Information Security Directive in July 2016, giving EU countries 21 months to transpose it into local legislation – and an extra six months to designate national authorities to deal with cyber matters. The legislation is aimed at strengthening Europe’s cyber defences.
In May 2016, the Parliament adopted the General Data Protection Regulation, which comes into effect on 25 May 2018. The legislation introduces tougher measures on data protection and higher sanctions for those who do not comply.
The ECIIA/FERMA working group aims to publish its preliminary findings in the summer.