Audit committees can strengthen cybersecurity against emerging threats

Ransomware, third-party breaches are popular forms of attack

May 10, 2020

Evolving cybersecurity challenges are demanding more attention from audit committees as part of their expanding risk-management responsibilities. Digital transitions across all industries have triggered subtle changes to threats, requiring audit committees to refine their cybersecurity plans and considerations accordingly.  

Ransomware and third-party breaches, in particular, emerged at the end of the 2010s as the most significant forms of cyberattacks. They are not necessarily novel threats, but cybercriminals have tailored their tactics to new vulnerabilities, such as the growing use of cloud technology to store data.

More specifically, ransomware is a malicious software program that infiltrates an organization through a variety of means, most commonly email phishing. The software encrypts files, drives and devices connected to the network. Then the hacker demands a ransom to unlock the files. A third-party breach describes an incident in which a company’s data is accessed and compromised through an external business partner, such as an email or cloud service provider. 

“The strains on businesses are becoming much worse,” said Matt Franko, director of security, privacy and risk consulting at RSM. “The malicious software is smarter. It’s starting to be more advanced than the tools available to defend systems. And they’re encrypting backup drives, so if a system goes down and you cannot bring those backups into place, that’s where you see organizations having to shut their doors and figure out what their rebound strategy is going to be—either pay the ransom or rebuild the system.”

Although these types of attacks can result in significant financial, operational and reputational losses, a well-organized, prepared audit committee can help your board position the company to handle cybersecurity risks. Consider these five components to a sound strategy:


A growing number of companies are including a cybersecurity expert at the board level. This trend is especially noticeable in critical infrastructure organizations, such as energy, utilities and health care. A director with cybersecurity expertise can raise issues and impart valuable perspectives to influence strategy and decisions. A cybersecurity expert can also help facilitate essential communications that support the company’s cyber-risk management processes.


If an audit committee could quantify elements of its cybersecurity assessment and plan, it would help your board see strengths, vulnerabilities, trends and its overall appetite for risk. For example, what percentage of money spent on IT is devoted specifically to cybersecurity? How many cybersecurity incidents have occurred in the last reporting period? How does the company measure cybersecurity awareness among all of its employees? Such metrics probably will resonate with the entire board and other stakeholders, provided the committee presents and contextualizes them in audience-friendly ways that show performance relative to relevant baselines and factors, such as industry averages and external indicators.


Your board should establish a business culture that embraces cybersecurity measures: a lack of awareness can lead to weak passwords, and a lack of vigilance in vetting emails can expose the company to harmful programs. To that end, one of the most basic practices your board can adopt is considering the cybersecurity consequences of key decisions. Franko shared a cautionary tale: “An organization was going to go to a 24-hour day during the holiday season. What they failed to understand was the significant impact on their PCI (payment card industry) compliance. They did not have the necessary video storage to be able to monitor the environment for 24 hours a day. So something as simple as that actually almost caused them to be fined.”

Incident response

Given the prevalence of cyberattacks, a prepared audit committee understands that being targeted is a matter of when, not if. A company should regularly test its incident response plan to strengthen any weaknesses and improve response times. There should be a clear delineation of responsibilities between the security and operations departments, as well as a clear understanding of responsibilities and jurisdictions when external parties are involved. It’s imperative for the audit committee to be engaged because that ensures a direct line of communication to your board. If a security report channels through the IT department or chief information officer, raw results might be diluted by the time they reach the board.

Threat-specific risks

The threat of ransomware attacks and third-party breaches requires audit committees to examine questions that underscore specific risks. Regarding ransomware, who has local administrative rights? Are certain people in the organization more likely to be targeted by a phishing scam because they have greater access to sensitive data? Minimizing risk involves limiting those with administrative rights as much as possible. When it comes to third-party risk management, the audit committee must assess the value chain of partnerships and determine which relationships pose risks. Which security responsibilities does each organization hold, and do all parties agree on how they are allocated? If your board’s senior leadership asks the right questions, strengthened defenses are likely to follow.
