Audit committees rank cybersecurity as top priority amid SEC crackdown

March 14, 2024

Cyberattacks are just one of several rapidly changing threats confronting audit committees, according to the Center for Audit Quality and Deloitte.

Dive Brief:

Audit committees rank cybersecurity as their top oversight priority, the Center for Audit Quality and Deloitte found in a survey conducted as the Securities and Exchange Commission pushed forward with strict rules on cyberattack disclosure.

Among audit committee members, 69% deemed cybersecurity as a leading concern, with 30% ranking it as their No. 1 risk priority, CAQ and Deloitte said in an annual report. Forty-eight percent of committee members viewed enterprise risk management as a top concern, with 16% identifying it as the top priority.

“It appears that audit committees, in the face of escalating threats, understand the attention cybersecurity demands and that it needs to be overseen with rigorous discipline,” Krista Parsons, audit and assurance managing director at Deloitte, said in an email response to questions.

Dive Insight:
The SEC in December enacted a rule requiring companies to disclose in annual 10-Ks how they manage cyber risk, including defenses, board cybersecurity oversight and assessment of potential and actual attacks. Companies must also detail a cyberattack within four days after finding that it will cause a material loss.

For years, CFOs have had to scramble to adequately budget for defenses against a rising number of ransomware and other cyberattacks — often in a costly, rearguard effort.

Among many government organizations tracking cybercrime, the FBI’s Internet Crime Complaint Center received more than 2,800 ransomware complaints in 2023, and losses rose 74% compared with the prior year to $59.6 million.

“Cybersecurity continues to command focus across multiple board committees as well as the board,” CAQ and Deloitte said in the report, noting that 73% of the 266 audit committee members surveyed said they discuss cyber risk at least every quarter. The survey was conducted from Sept. 28 until Nov. 12, 2023.

Held to higher compliance standards, many companies — including Microsoft and Hewlett Packard Enterprise — have filed cybersecurity breach disclosures with the SEC this year.

Microsoft in January disclosed in a Form 8-K filing that a “nation-state associated threat actor” gained access to and exfiltrated information from a “very small percentage” of employee email accounts, including members of the company’s senior leadership team and employees in its cybersecurity, legal and other functions.

“As of the date of this filing, the incident has not had a material impact on the company’s operations,” the Redmond, Washington-based technology giant said in the disclosure.

The constant evolution in threats prompts close monitoring of cybersecurity, according to Parsons, governance services leader at Deloitte’s Center for Board Effectiveness.

“Adding an extra layer of complexity is the proliferation and rapid advancement of artificial intelligence, which may be an additional contributing factor to the focus on cyber,” she said.

Companies will likely rank cybersecurity as a top concern in the future even as they adapt to the new SEC disclosure requirement, Parsons said. “We don’t expect cybersecurity to be meaningfully de-prioritized in the near future, even as organizations become more accustomed to the newly enacted reporting requirements.”

Audit committees face several other rapidly changing challenges, according to CAQ and Deloitte.

“In today’s ever-evolving risk landscape, it is becoming increasingly difficult to predict specific risks,” Vanessa Teitelbaum, senior director for professional practice at CAQ, said in an email response to questions.

“Black swan events — things once deemed unlikely like pandemics and climate disasters that are increasingly prevalent in our changing world — may not be adequately captured,” she said.

Company directors should encourage management to continuously size up risks rather than make such assessments on an annual basis, she said.

“A strong ERM process is one that considers high impact, low-likelihood risks alongside high-impact, high-likelihood risks,” Teitelbaum said. “ERM must be able to handle new threats, be both efficient and effective, and have proper resources to support it.”

[CFO Dive]