Independent Cybersecurity Audits Are Powerful Tools for Boards

March 11, 2024, 8:30 AM UTC

Board members today increasingly face personal liability for their organization’s cyber posture. This has raised the stakes of the attestations they make and created a need for boards to gain real insight into their organizations’ cyber programs.

One of the most effective ways to do so is through independent cybersecurity audits. This essential component of responsible organizational governance can demonstrate proactive leadership and reveal possible blind spots. Cybersecurity audits are also necessary for compliance with regulations that hold the board and C-suite accountable for verifying the efficacy of their company’s cybersecurity program.

Recent Regulations

Growing cyber regulatory oversight is demanding dynamic evidence of compliance. The Securities and Exchange Commission’s 2023 rules on cybersecurity risk governance and public company incident disclosure require boards of directors to oversee corporate cybersecurity management and demonstrate active oversight, while facing personal liability for failures. Public reporting companies must also:

  • Disclose all material cybersecurity incidents within four business days
  • Describe process(es) used to identify, assess, and manage material risks from cybersecurity threats, and their effect on business strategy, results of operations, or financial condition
  • Describe the board’s oversight of cybersecurity risks and leadership’s role in assessing and managing material risks from cybersecurity threats

Another recent example is the New York State Department of Financial Services’ amended cybersecurity regulation, which requires covered entities to conduct independent audits of their cybersecurity programs and integrates cybersecurity into business strategy. Changes include:

  • Additional controls and requirements for more regular risk and vulnerability assessments, along with more robust incident response, business continuity, and disaster recovery planning
  • Updated notification requirements, which include reporting ransomware payments
  • Updated direction for companies to invest in at least annual training and cybersecurity awareness

Such rules reflect the current trend toward increased regulatory oversight of companies’ cybersecurity practices and disclosures. These frameworks are already serving as the basis for similar regulations at the state and federal level across the US. In short, cybersecurity audits are only becoming a larger part of companies’ regulatory obligations.

Audit Process

While there is no one-size-fits-all solution to implementing an effective cybersecurity audit process, most companies will want their audits to include the following four phases: define scope of data collection, perform the cybersecurity audit, validate audit findings through simulated cyber scenarios, and present the final audit report to leadership.

Additionally, companies should engage an independent auditor who is experienced with the systems and business flow used at the company. This helps ensure everyone involved gets the most out of the audit process in an efficient manner.

The first phase should define the scope of the cybersecurity audit and gather information on the company’s program through document collection, custom questionnaires, and stakeholder interviews. Documents collected should include cybersecurity-focused policies, procedures, and controls; contracts with vendors regarding critical systems; business continuity plans; cybersecurity insurance policies; incident reports; and relevant information technology system architecture.

The auditor also should assess the scope of regulations affecting the company. It is important that this determination be made independently to identify obligations or potential risks that the company might not be aware of. This should result in memoranda addressing the scope of applicable regulations and summaries of stakeholder interviews.

In the second phase, the auditor conducts the audit, which includes:

  • Assessing the extent to which the cybersecurity program complies with cybersecurity laws, regulations, and standards
  • Reviewing collected documents to identify risks, issues, and gaps in the cybersecurity program
  • Identifying material and critical cybersecurity risks and issues
  • Conducting on-site inspections and interviews
  • Performing a cybersecurity risk assessment

The key deliverable should be a draft memorandum that summarizes the findings of the cybersecurity audit and incorporates the results of the above actions. This includes a discussion of legal, business, and technical gaps/risks; areas of noncompliance with specific laws, regulations, and standards; and identification of specific controls.

In the third phase, the auditor simulates cyber incidents to validate the organization’s cybersecurity program and assess it against the findings of the second phase. This typically involves the auditor developing and conducting simulations tailored to the organization’s legal, business, and technical factors and based on recent cybersecurity incidents relevant to its industry.

Each aspect of the scenario should be relevant to the company’s business and environment, ensuring that it challenges identified risks, issues, and gaps in the cybersecurity framework. A memorandum should summarize the observations from the simulated cybersecurity scenarios, including participant feedback and notes.

In the last phase, the auditor should deliver a detailed final audit report memorandum and presentation to legal counsel, the C-suite, and the board that summarizes the organization’s cybersecurity posture, with recommendations for strategic improvements and risk management. This step ensures that the board is fully apprised of the state of the cyber program and can act to enhance security measures as appropriate.

The above is a general overview of important features a cybersecurity audit process should include. But every company has unique circumstances, threats, and technical environments that may call for additional considerations.

Board members must take an active leadership role in ensuring the cybersecurity of their organizations. These audits give board members the data and tools they need to properly assess their cyber risks and act accordingly.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Daniel B. Garrie is a distinguished neutral with JAMS, an arbitrator, mediator, and special master with expertise in cybersecurity, data privacy, e-discovery, and intellectual property.

Anna Diaz Gessner contributed to this article.


To contact the editors responsible for this story: Daniel Xu at dxu@bloombergindustry.com; Jada Chin at jchin@bloombergindustry.com
