Forbes magazine usually covers matters of interest to large corporations, but an article by Noah Barsky, a professor at Villanova, on why the SolarWinds breach reinforces the need for technical expertise in management applies even to organizations without large boards or audit committees.
While the SolarWinds hack (a supply-chain compromise delivered through trojanized software updates) targeted Fortune 500 companies and government agencies, every company, whatever its size, needs strong IT controls but may lack the technical expertise to implement them. That gap is an opportunity for cyber criminals to exploit. Management today needs not just financial audits but cyber security audits, and directors must understand technology, not just finance.
PwC's 2020 Corporate Directors' survey found that two-thirds of respondents agreed a cyber breach would reflect poorly on their brand, yet only 37% knew their company's crisis management plan "very well" and only 32% said they understood cyber security. Failure to understand and plan for a data breach can result in lawsuits, regulatory action and loss of reputation.
Barsky recommends five actions:
- Revise the audit committee's mission. For a small company without an internal audit function, this means commissioning a cyber security audit alongside the financial audit.
- Recruit experts. Unlike Amazon, a small company can't hire a retired general to join its board, but it can engage an independent consultant to review its security.
- Designate cyber-governance responsibility. At least one named person should be responsible for the company's computer systems, with outside support if needed. Cyber risk should be reviewed on an ongoing basis, not once a year.
- Emphasize cyber security in internal control oversight.
- Review checklists for cyber security. Every review and planning meeting should address this topic, and every decision should be documented so there is a record of what was considered and why.