Cybersecurity: What Every Board Must Know
IIA Research Foundation, ISACA offer board guidance on managing security risks
Boards of directors must actively participate in measuring and monitoring an organization’s strategy on cybersecurity, a new report from The Institute of Internal Auditors Research Foundation™ (IIARF™) and ISACA® urges.
The report, released August 18, 2014 at the opening of 2014 Governance, Risk, and Control Conference™ here, offers in-depth guidance on the key questions board members should be asking and how they can monitor and influence policies and practices involving cyberrisks.
“This new report captures the theme on which the GRC conference is built by inviting yet another stakeholder — the board — to become involved in assessing and mitigating cyberrisks,” said IIA President and CEO Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA. “It provides the practical guidance that board members need to become active partners in battling cybercrime.”
The guidance builds on five principles cited in a report by the National Association of Corporate Directors (NACD) in conjunction with the American International Group (AIG), and the Internet Security Alliance (ISA).
“Cybersecurity is a continually growing issue and needs to be a strategic priority of boards of directors. It is not just an IT issue,” said Ron Hale, Ph.D., CISM, acting chief executive officer of ISACA. “This report is an important collaboration of our organizations, bringing together the global expertise of thousands who are working toward better detecting and mitigating cyberthreats. It urges executives to roll up their sleeves and get involved in the cybersecurity process, and provides concrete questions to get started.”
The IIARF-ISACA report details how boards must position themselves to provide direction and support for cybersecurity efforts. It offers strategies and specific direction on several topics, including how boards must stay abreast of legal implications, demand adequate access to cybersecurity expertise, set expectations that management establish an enterprisewide risk management network, and communicate with management what risks should be avoided, accepted, mitigated, or transferred through insurance.
For example, one strategy outlined in the report urges board members to view themselves as a “fourth line of defense” against cyberrisks, providing an additional safety net after management and internal controls (first line); financial controls, risk management, security, and other tools (second line); and internal audit (third line).
That means requiring annual “health check” reports that include descriptions and updates on every aspect of cyber protection. The checks should be performed by internal audit or an external security organization, according to the report.
The report’s conclusion offers a strong challenge to board members to be much more involved — or face potential consequences. Citing the high-profile cyberattack against Target stores during the 2013 holiday season, the report notes that proxy adviser Institutional Shareholder Services recently recommended the ouster of seven of 10 of the company’s directors “for failure to provide sufficient risk oversight.”
About The IIARF
Established in 1976, The Institute of Internal Auditors Research Foundation (IIARF) is the global leader in sponsoring, disseminating, and promoting research and knowledge resources about internal audit. Its mission is to shape, advance, and expand knowledge of internal auditing by providing relevant research and educational products to the profession globally.
About The IIA
The Institute of Internal Auditors® (The IIA) is the internal audit profession’s most widely recognized advocate, educator, and provider of standards, guidance, and certifications. Established in 1941, The IIA today serves more than 180,000 members from 190 countries. The association’s global headquarters are in Altamonte Springs, Fla. For more information, visit www.theiia.org.
About ISACA
With more than 115,000 constituents in 180 countries, ISACA helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy, and governance professionals. ISACA offers the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern and manage their information and technology.