Corporate governance in COVID-19: Cybersecurity and technology considerations
Cybersecurity oversight is a key fiduciary responsibility for a board of directors and was a significant concern for companies even before the COVID-19 pandemic forced so many organizations to suddenly shift to remote work. Data breaches and other cyber threats pose significant competitive, reputational, and litigation risks and require increasingly costly investments to prevent, detect, and respond to. Changes in the environment as a result of the pandemic have created new risks that need to be managed with board oversight.
With a cyber breach considered by most experts to be inevitable, cyber risk must be part of the board’s overall risk oversight. Keep in mind that directors don’t need to be technologists to play an effective role in cyber risk oversight. Every board can take the opportunity to improve the effectiveness of its cyber oversight practices.
The board should ask the following general questions to understand cybersecurity risk:
The board should also ask the following technology- and pandemic-related questions, broken up into four categories: commitments, working from anywhere, compliance, and plans.
The National Association of Corporate Directors defines two critical roles for corporate boards: (1) “overseeing management on behalf of shareholders and other constituencies”; and (2) “advising management, albeit with limited involvement in everyday company operations.” Amid the pandemic, the board has an enhanced responsibility to provide advice based on past experiences, across industries, and based on current experiences, across organizations. To support this expanded responsibility, boards are:
In this board conversation, the company also has responsibilities. Here are some of the technology-related items for the company to address with the board.
Companies should be prepared to communicate to the board that they are learning from the past, are performing scenario planning/tabletop exercises, are updating their strategic plans where necessary, and are ready to roll as they are presented with new changes and challenges.
Companies should have strategic plans for the “next normal” and perform scenario planning to consider:
Then, companies should be prepared to answer questions related to the items noted above.
In conjunction with the overall strategy and scenario planning, technology is an enabler for success. Technology leaders such as the chief information officer and chief information security officer should communicate cyber risk to the board.
This is more of an art than a science. Technology leaders should not fall into the trap of presenting technical details about vulnerabilities. Rather, they should prepare to discuss issues in terms of “business risks” and the options the company has to manage the risks so that executives and the board can make decisions.
For example: “To maintain our competitiveness and business viability, we must be able to collaborate on client matters anytime and anywhere, and to do so, we have three options:”
Lastly, external auditors have responsibilities, too. Auditors should get a sense for the level of oversight from a board and review meeting minutes, noting risk assessments reviewed, strategic plans assessed, and scenario planning performed. External auditors will also focus on general disclosures about the pandemic and its overall impact on a reporting entity, along with other topics, such as:
Board leadership is critical and must continue to evolve in response to the pandemic. Technology and security are foundational areas to monitor for company success. Protecting your organizational information is now more important, and more complicated, than ever.
Editor’s note: The author discussed this topic on the Aug. 27 episode of the Go Beyond Disruption podcast with host Jim Gilbert, CPA/CITP, CGMA, and Jeff Olejnik of Wipfli LLP.
For more news and reporting on the coronavirus and how CPAs can handle challenges related to the pandemic, visit the JofA’s coronavirus resources page.
— Audrey Katcher, CPA/CITP, CGMA, is partner, Business Advisory Services at RubinBrown LLP. To comment on this article or to suggest an idea for another article, contact Jeff Drew, a JofA senior editor, at Jeff.Drew@aicpa-cima.com.