As described in the June 2014 Update, SEC Commissioner Luis Aguilar raised questions in a recent speech as to whether the audit committee should be assigned responsibility for cybersecurity. He asserted that the audit committee “may not have the expertise, support, or skills necessary to add oversight of a company’s cyber-risk management to their already full agenda.”
Similar issues arose during a panel discussion of cybersecurity issues and their implications for financial reporting and auditing at the PCAOB’s June 24-25 public meeting with its Standing Advisory Committee. Panelist Charles M. Elson, Director of the John L. Weinberg Center for Corporate Governance at the University of Delaware, observed that cybersecurity risk was likely to end up in the purview of the audit committee and predicted that auditors would eventually assume responsibility for cyber risk disclosure --
I suppose that we will probably ultimately in this area end up sending this to the audit committee in many companies. And, in the audit committee itself, it will occupy a disclosure point that I think ultimately will be -- you will have to get assurance from the auditor. There will be auditor participation in cybersecurity and auditor participation in disclosure of cybersecurity risk. So my gut is that it comes out of the audit committee itself.
And you could set up a separate committee, but that’s an awful small – I don’t want to say small – it’s an important area, but it’s a rather narrow area to set up a separate committee. I don’t think it fits in compliance really. It’s not compliance. * * * It’s really an operational threat. But the operations committee is the full board itself, and I am sure the full board is interested, but you are going to need some focus and specialization. That’s why my guess is ultimately that it ends up with the audit committee. It ends up as a reporting factor from the auditor and ultimately we are going to have to design some assurance procedures around it such that the audit committee and the full board gets comfort to the company that it is responding effectively to it.
In contrast, Standing Advisory Group member Mike Cook, a former head of Deloitte & Touche and a public company audit committee chair, argued that the full board should be responsible for cybersecurity risk and urged that audit committees and auditors not play a major role --
This notion that this is an issue for auditors and audit committees * * * I think is misguided. And, as an audit committee chairman, if someone at a board level sent this to me and said that the audit committee has this responsibility for cybersecurity risk, I would stamp it “return to sender” and send it back.
5 Update │ July 2014
This is a responsibility in almost every company of the full board. Every company is different. The kind of risks they might have are very different. If you are a manufacturing company, maybe it’s the safety risk that can be threatened by a cybersecurity attack. Maybe it’s intellectual property. * * * There is all kinds of different things that can be the risk of a cybersecurity attack. We have always had technology risk in the financial reporting area. * * * But to engender this discussion where this becomes a responsibility of auditors and we are going to have that responsibility at the audit committee level is, in my mind, again just not the right place to be. * * *
These are enterprise-wide risks that need to be dealt with by the full board, and I would suggest that we are not doing ourselves any favors – I can tell you that the accounting firms are not doing themselves any favor – by ginning up these – and I read the literature that comes from each of the major firms – “20 Questions the Audit Committee Should Ask About Cybersecurity Risk.” And about 15 of them are appropriate questions for a board to ask and have nothing to do with the audit committee. * * *
Now if a company has no cybersecurity risks that they need to deal with at the board level, God bless them. * * * But all companies have significant operating and enterprise-wide risks that they need to be addressing at the board level, and, to throw this over your shoulder and carry it to the audit committee and the auditing firms, is to misplace that responsibility. * * *
(The foregoing quotations are based on the archived audio webcast available on the PCAOB’s website.)
Comment: As noted in the June 2014 Update, the appropriate committee structure for addressing cybersecurity depends on the expertise of the board members. While many audit committees have general responsibility for risk assessment and evaluation, there is a growing trend to assign responsibility for particular risk areas, such as cybersecurity, to a separate committee. Audit committees need to make sure that additional areas of responsibility, such as cyber risk, don’t detract from their ability to perform their primary task of overseeing the company’s financial reporting.