May 6, 2021

Board Cyber Risk Oversight: Revisit an “Everyone” or “Cyber-Expert” Approach Regularly

One skill frequently cited as an area for board improvement is IT or cyber expertise. Perceived shortcomings in any area of board risk oversight can carry consequences; the recent resignation of the risk committee chair of Credit Suisse, in connection with losses from Greensill Capital and Archegos, is one example. A recent Bloomberg article discusses board oversight of cyber risk and notes that some boards have been adding “cyber experts” while others say boards need cyber literacy.

As for the approach to cyber risk oversight, each board will decide what’s appropriate given the company’s particular facts and circumstances. When it comes to board cyber literacy, boards frequently rely on management to help them stay up to date about cyber risks, while the article says some boards are turning to cyber consultants for help. The article includes a reminder from the head of Accenture Security that cyber literacy is a two-way street and management’s role shouldn’t be overlooked:

Boosting cyber literacy isn’t just about directors learning the language of security but ensuring that chief information security officers can explain their work. ‘We have to ensure the CISO can communicate effectively at the board level, not in bits and bytes.’

A 2019 report from the University of California, Berkeley and Booz Allen Hamilton, based on interviews with directors about their beliefs, practices and aspirations relating to cybersecurity oversight, recognizes the tension around the need for board cyber expertise. The report suggests boards re-assess decisions relating to cybersecurity oversight on a regular basis to take account of changes in internal and external risks. At the time of the study, a majority of directors interviewed leaned toward distributed cyber expertise among board members. The report provides these considerations for boards that might be leaning toward an “everyone” or a “cyber-expert” approach:

Leans “Everyone”

– Ensure adequate training and education is defined, used, and kept up-to-date

– Engage external third-party expertise for specialized knowledge, and most importantly to prevent group-think traps

– Amplify accountability for cyber oversight in subset groups (likely committees)

Leans “Cyber-Expert”

– Seek out specific board members who offer deep specialized knowledge of cyber (e.g., crisis management, technology, and threat landscape)

– Prioritize full board discussion of cyber oversight over committee delegation

– Engage external subject-matter experts to test and enhance internal expertise

Dr. Jessica Wachter Named SEC Chief Economist and Director of DERA

Earlier this week, the SEC announced that Dr. Jessica Wachter has been appointed as the agency’s Chief Economist and Director of the Division of Economic and Risk Analysis (DERA). Since 2003, Dr. Wachter has been a professor at the Wharton School, where she holds the Dr. Bruce I. Jacobs Chair of Quantitative Finance, and she is a Research Associate with the National Bureau of Economic Research. Dr. Wachter is recognized as one of the leading academic researchers on financial markets. In this role, Dr. Wachter will lead DERA as it provides economic analysis to support decision-making at the SEC.

Audit Committee Resource: CAQ’s External Auditor Assessment Guide

For those looking for a resource to help audit committees evaluate the company’s external auditor, the Center for Audit Quality recently released an updated version of its external auditor assessment tool. Audit committees of course meet regularly with the company’s external auditor and engage in informal assessment of the auditor throughout the year. But when it’s time for the audit committee to conduct a more formal annual assessment, CAQ’s assessment tool can be used as a guide.

For audit committees looking for input about factors to consider when assessing the auditor, the guide offers a good starting point. CAQ’s assessment tool includes sample questions the committee can use to assess the external auditor and to discuss as part of its annual evaluation of the auditor. Questions cover topics including, among other things, the engagement team’s skill and responsiveness, engagement team succession, workload, audit plan and risks, scope and cost considerations, audit quality, interaction with the external auditor, and auditor independence, objectivity and professional skepticism.

When assessing the external auditor, CAQ suggests the audit committee also seek input from management. To help with this process, the assessment tool includes a sample rating form for members of management to complete. The rating form solicits feedback on a variety of factors relating to the external auditor’s quality of service, sufficiency of resources, communication, objectivity, etc.

– Lynn Jokela