Guest Blog by Wendy Barnes, Strategic Advisor, Templar Executives
If you are a member, or chair, of an organisation’s Audit and Risk Assurance Committee (ARAC), you will be interested in assurance on how the organisation is managing risk, what internal controls exist and how effective they are, and what governance is in place to ensure that evidence-based decision making and discussion happen. The ARAC will spend a substantial amount of its meeting time discussing the financial management of the organisation. In general, it will assume that the financial information the Board and the organisation rely on comes from safe, robust and protected systems. Perhaps the ARAC should take an interest in testing whether this assumption is correct. Are the systems which hold financial information safe from cyber threats? Could an employee with a grudge, or one who has been paid by a competitor to obtain insider information, gain access to the organisation’s financial systems and manipulate them for their own ends?
Fantasy world? I think not. In a report published in 2012, 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as “difficult” and 17% as “disgruntled”. The insider was identified in 74% of cases. (Source: Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, by Adam Cummings (CERT), Todd Lewellen (CERT), David McIntire (CERT), Andrew P. Moore and Randall F. Trzeciak.)
As well as the financial systems, I feel that the ARAC should also play a role in seeking assurance that the organisation is addressing risks from cyber threats at a holistic level. The ARAC should know whether the Board is reviewing the cyber threats and vulnerabilities the organisation is exposed to, and whether the risks arising from these threats are being managed effectively and pragmatically.
The ARAC should be asking the Board whether it knows what the organisation’s critical information assets are, whether it understands and addresses the insider threat, and whether information assurance is integrated into the organisation’s governance and decision-making processes.
So how can the ARAC achieve this? Well, all it takes is for one member of the ARAC to take a special interest in this area. They don’t need to be an expert in cyber security, but they do need to know what questions to ask. This person should get to know the Senior Information Risk Owner, or whoever holds Board-level responsibility for Information Assurance and Cyber Security, provide them with support, and gain an understanding of the challenges and opportunities they face. Just by taking these small steps, the ARAC can go a long way towards getting the necessary assurance on information and cyber security risks.