Cybersecurity and data risk is set to remain the number one risk to organisations in 2023, according to the last Risk in Focus report. To address such a pervasive risk, the report lists a number of areas where internal audit can efficiently help organisations.
This webinar provided details on these recommendations and help participants implement them. The discussion will focus on these three areas and more. If you couldn’t attend it, you can watch the replay. Key messages are also available below.
Speakers
- Bernd Benker, BMW
- Sabine Scholz, Fresenius
- Jérôme Ferry, Firmenich
- Guy-Philippe Goldstein, Expert in Cybersecurity
Key messages
Introduction
Cybersecurity and data security remain the number one threat in the Risk in Focus 2023 survey and 82% of respondents ranked it in the top 5 risks.
The organization’s effectiveness in terms of communication of new cyber threats, countermeasures and advices throughout the business
First of all, it is important to assess the maturity of the organization towards cyber risks before assessing the vulnerability. IA (Internal Audit) plays an important role and can use criteria, and standards to assess cyber risk management.
It is crucial to ensure that the right message goes to the right people with the right application, inside the right system and that they are informed about the right incident timely all IT assets must be properly mapped with people and service lines.
Cyber awareness must be created in the whole organization through ongoing communication (root cause, phishing campaign..) and knowledge must be enhanced (training,..). In crisis periods, war rooms play an important role for communication and the speed of reaction.
The Board’s involvement in business cyber risks, data security
It is part of the Board’s mission to have a clear awareness and understanding of cyber risks. KPIs should be developed for the Board, they must remain simple, exhaustive, and developed in connection with incidents, damages to business while covering a holistic view of the business and be linked to the evaluation of business risks.
Quarterly or at least annual review of the risk assessment and mitigation can be organized with 2d line representatives and presented to the Audit Committee/Board.
A clear governance system must be set up to facilitate the Board oversight role and IA must assess it (who reports? how many times,…).
The assessment of potential loss from cyber risk
It is interesting to have an evaluation of cyber risks by a third party and insurance companies may help in this area; they tell if the organization may “be insured” for cyber risks and how much it would cost.
To assess the business and financial impact, IA can check what exists already in the company (business impact, information protection assessments (confidentiality/ integrity/ availability framework)).
The adequacy of the recovery plans in place
Organizations must have a plan and it must be tested to assess the strength of the systems, the level of organizations’ preparedness to recover each system, to define recovery priorities (what to be recovered first) and to ensure that they are ready for “the pen and paper” mode. Critical dependencies and operational redundancies must be known. A proper analysis of the security of the backup system is also key.
The testing of security practices, patches, procedures and the focus on third-party technology supplier threat
IA should use a structured approach: check policies and practices implemented; collaborate with 2d line, check their approach and their tests (sampling of systems, locations, patch status, root cause analyses,…): avoid duplication. IA may run independently their own tests.
For third-party supplier threats, it is a bargaining power: it is impossible to get the right to audit very large international companies. It is difficult to mitigate this risk.
We are progressing in cyber risk management and IA can play an important role to assist the organizations and the Board in mitigating this very important risk!