Internal Audit’s Critical Role in Mitigating Cybersecurity Risks
May 27, 2021
Internal Audit (IA) can and should play a key role in supporting organizations in reducing cyber risk. These audits can serve as the critical barrier between a potential cyber-attack and your organization. Due to the cost, risk, and reputational damage that can result from a cyber incident or data breach, both public and private organizations are actively contemplating their cyber strategy and response plan.
Beginning in 2018, publicly traded companies are required by the U.S. Securities and Exchange Commission (SEC) to disclose obligations relating to cybersecurity risks and cyber incidents. This disclosure is presented within Management’s Discussion and Analysis (MD&A) of Financial Condition and Results of Operations. Each registrant should outline known cybersecurity risks, as well as disclose any cybersecurity incidents that occurred during the fiscal year. This disclosure can include the costs of ongoing cybersecurity activities, remediation efforts, loss of intellectual property, regulatory investigations, and litigation actions.
While private companies and government entities are not subject to SEC regulations disclosures, the cost of even a small cyber event, such as business email compromise (BEC) attacks, can range between $1,240 and $44,000 . Additionally, a data breach can range from $2.65 million to over $5 million.
As cyber-crime can escalate quickly, IA and risk management functions within an organization are more relevant than ever, serving as a crucial defense to potential cyber-attacks.
What Drives Cyber Risk?
While there are many factors that drive cyber risk, organizations should consider prioritizing the following when determining if they are at an increased risk for cyber-attacks:
- Technology: Technology has grown more pervasive in the world. Now that we have 24/7 access to our accounts, data accessible from the cloud and mobile devices allow entry to most organizations’ internal networks.
- Business Models: Advancements in technology have created significant shifts in business models from on-site service to remote, outsourced, or offshore teams around the globe.
- Data Volume: In addition to the technology and business models changing, the amount of data has exponentially grown. This includes employee, customer, and vendor data that can be confidential, personal, and proprietary and needs to be protected to ensure compliance with laws.
The changes in technology, business models, and influx of data create multiple motives that drive cyber risk. These motives have attracted internal fraudsters, corporate invaders, and hackers from around the world. As law enforcement practices are still developing for this type of crime, it can be a costly and difficult area to monitor appropriately.
How Can IA Support Organizational Cybersecurity Programs?
An effective risk management principle to support cybersecurity is to incorporate multiple layers of defense. The first layer of defense revolves around the business and Information Technology (IT) functions that support an organization’s daily operations. The second includes the IT risk management function that creates the governance standards and oversight within the organization. The third level of defense incorporates an organization’s IA function by assessing the effectiveness of controls, reporting observations to the board, and documenting financial and regulatory compliance.  IA can assist in the defense through five critical elements that compliment a successful cybersecurity strategy and response plan. The five critical elements are as follows:
- Business Continuity
- Crisis Management
- Continuous Improvement 
IA supports protection and detection through testing and review of policies, processes, and procedures for compliance to both IT governance and industry best practices. IA also drives business continuity and crisis management through coordinating and communicating with all levels of an organization and planning for a variety of disasters, including cyber-attacks. Further, business continuity management mitigates the cost of a data breach by approximately $280,000 based on a breach of $3.92 million.  Last, IA focuses on bringing value to the organization, taking the lessons learned from each department within an organization and enhancing those processes and procedures for continuous improvement. 
How Can Your Organization Move Forward?
Cyber incidents are becoming more prevalent and represent a significant cost for organizations. Given the constant shift of priorities and budgets, it can be challenging for IA to plan and coordinate a response to the variety of cyber threats in the marketplace. It is critical for organizations to understand, adopt, and plan for these risks. The following risk mitigation practices and techniques can serve as an opportunity to evaluate and address the current risk environment related to cybersecurity:
- Risks Assessments: Conduct an organizational risk assessment with a focus on identifying, assessing, and creating cybersecurity mitigation plans.
- Cybersecurity Strategy Development: In conjunction with management, and/or the board of directors, develop a cybersecurity strategy and policy based on industry best practices (e.g., NIST, COBIT, ITIL, HITRUST, etc.).
- Audit Plan Development: After completing a risk assessment and developing a cybersecurity strategy, develop an audit plan that integrates the testing of the effectiveness of cybersecurity controls in place.