Cyber security risk: Key areas of focus: where should the audit committee train its sights? We suggest four priorities.

Author: Whalen, Dennis T.
Position: ON THE GOVERNANCE AGENDA

DESPITE YEARS OF EFFORT and billions of dollars spent annually to protect digital assets, hardly a week goes by without news of a major cyber security breach. And the consequences of a major breach can be devastating in terms of lost revenue, stock price decline, negative press, damage to reputation, lawsuits, internal investigations, and--often the most impactful--the distraction the breach causes the business. As a result, investors and regulators are increasingly challenging boards to step up their oversight of cyber security and calling for greater transparency around major breaches and their impact on the business.

It's not surprising that cyber risk is now near the top of board and audit committee agendas. According to KPMG's 2014 Global Audit Committee Survey, nearly 45% of audit committees in the U.S. have primary oversight responsibility for cyber security risk; yet, only 25% say the quality of the information they receive about cyber security is good. So a critical question for every audit committee is: What information is key to assessing whether management has its arms around cyber risk? Certainly, the audit committee needs to hear from a CISO or CIO who is knowledgeable and can help them see the big picture. But what should be the key areas of focus? While the answer will vary depending on the situation, we suggest four areas of focus:

* Periodically review management's cyber security risk assessment. Every company should be conducting cyber security risk assessments as a matter of course. What are the company's highest value digital assets, and what are the greatest threats and risks to those assets? How quickly will the company know if a security breach occurs? In a robust cyber security risk assessment, key areas of focus will include: cyber security leadership and governance, human factors or "people risks" (which account for a larger percentage of cyber breaches), legal and regulatory compliance, business continuity, operations and technology, and information risk.

If the company has the right internal resources, the cyber security risk assessment can be conducted internally; however, as the cyber threat becomes more sophisticated, the company may need to call on recognized security specialists for support.

* Understand the company's cyber security strategy and governance structure and how it fits into the company's overall ERM program. Once viewed as a standalone program, cyber security is increasingly a...
