Bridging the gap in cybersecurity and M&A

The pandemic created new challenges for cybersecurity. Achieving operational excellence in cybersecurity means pushing for resources and leadership buy-in.

ARTICLE | July 19, 2022 | Authored by RSM US LLP

Cybersecurity gaps can be dangerous for companies focused on growth and M&A

Cybersecurity vulnerabilities can threaten businesses of all sizes, but for middle market firms busy with growth and mergers and acquisitions, these lapses can be especially dangerous.

RSM advisors recently spoke with the Association for Corporate Growth to discuss ways cybersecurity has changed since the start of the pandemic and how the middle market can protect itself from the cyber risks facing businesses today. Topics included the intersection of cybersecurity and M&A, why threat actors are targeting companies undergoing an acquisition, and what buyers can do after a transaction to ensure they have the right cybersecurity infrastructure in place.

This interview has been edited for clarity and length.

Q: Since the start of the pandemic, which developments have had the biggest impact on cybersecurity for midsize businesses?

A: The biggest impact was the sudden shift to the cloud. The demands of everybody going remote meant moving to the cloud pretty rapidly. A lot of times, because there wasn’t the opportunity to properly look at what that looks like, put in the secure architecture, and take the time to properly build an infrastructure, infrastructure and security ended up being an afterthought because of the need to continue with business operations.

That was March 2020. As we closed out 2021 and began 2022, we saw that impact, where some things were missed in that intense need to go remote. Did we have secure architecture in place? Did we completely secure our S3 buckets in AWS (Amazon Web Services)? Did we close the hole on all the different services?

The other thing was the so-called Great Resignation. We see a break in continuity of experienced professionals. If one person managed your IT infrastructure for 10 years and suddenly they leave, that’s an incredible gap to fill—and that’s what we saw across the board, across all industries.

We also saw the desperate need for more IT professionals, cybersecurity professionals and experienced professionals to deal with the sudden transition to the cloud. There just aren’t that many out there. We’ve had that gap in the talent pipeline in the cybersecurity industry for many, many years now.

Everybody’s being affected by the rise in threat actors taking advantage of lack of infrastructure or aging or older infrastructure, insecure infrastructure, and the lack of people. We see ransomware attacks up 400% over the last year. All of this is converging in a perfect storm, where the last two years have kept us very busy in the cybersecurity field.

In addition, 2021 concluded with one of the largest vulnerabilities in history, affecting just about every application on the internet and keeping incident responders very, very busy.

Q: How are companies tracking threats and keeping an eye on the security infrastructure when they may not have the right roles filled at this time?

A: We’ve seen the rise of third-party vendors and managed service providers like RSM—our own RSM Defense launched this year. You have what’s considered a managed SOC—a managed security operations center—and a dedicated team of incident responders who are monitoring when these alerts come in and say, are we suddenly having a denial-of-service attack on our firewall?

That frees up your internal personnel if you don’t have enough people if you’re a smaller business. Again, if you just can’t have the talent, outsource it. Managed service providers have enough people with visibility—they have a larger team and can keep their eye on the ball. With this increased depth of capabilities, many companies are shifting to managed services, sometimes called an MSSP (managed security service provider).

That has been one of the biggest things that have helped a lot of businesses from 2020 and 2021. And it’s likely to continue through the remainder of 2022 as cybersecurity becomes critical to business operations.

Q: What impact have some of the challenges related to renewed ransom attacks, the Great Resignation, and the talent shortage had on mergers and acquisitions?

A: Interestingly, the SEC and the FBI issued an alert last year, around October, that threat actors are specifically targeting SPACs, IPOs, mergers and acquisitions, and any companies in the final stages of either going public or being acquired. They want financial data. They want to influence the stock price. They want to influence the purchase price.

Private equity companies are now very concerned about not only whether a company they take on or acquire can generate revenue, but will they be a cybersecurity risk? Will the company suffer a potential breach or ransomware attack before an acquisition takes place? Because then the private equity company will have to handle the aftermath and the cleanup, and that’s very costly. This is one of the biggest shifts when it comes to venture capital, private equity, mergers, and acquisitions: Cybersecurity has taken a very significant role alongside all the other factors.

The SEC added cybersecurity to its requirements for companies going public. In preparation for an IPO or for acquisition, from the cybersecurity standpoint, are you prepared to meet all the regulations? Are you prepared to go public with your current infrastructure? And how secure is it right now?

Q: What are some things the buyer should do to optimize the asset they just bought? What should they focus on from a cyber perspective?

A: Companies should do an overall security assessment. A simple gap analysis can show where a company stands. The biggest thing is continuity—we call it business continuity in the cybersecurity industry.

If you have an acquisition where an IT person has been there for 10 years, maybe they’re not happy about this new purchase. If they leave, that’s a big deal. So focus on your people and identify the key individuals for infrastructure, cybersecurity, and technology, and what you can do to make sure either they stay or you have a proper transfer of knowledge and can replace those individuals.

Right before a merger, acquisition, or IPO, and then right after, are some of the most critical times. That’s where companies are most vulnerable—that high-stress-anxiety transition time. Companies on both sides should absolutely do what they can to try to make their people feel comfortable.

The lack of transparency in transactions can leave people wondering, do I have a job? What’s going on? What does the new company want? The situation could cause a lot of distress. So making sure that your people feel comfortable and like they have a place in the new environment is very important.

You also don’t want to drop the ball when it comes to maintaining infrastructure patching, getting eyes on your assets, incident response, etc. Don’t let your guard down. You may find that the company didn’t have all the resources they stated or maybe they didn’t have a cybersecurity program—that’s where that gap analysis can come into play. You can identify vulnerabilities and start to fill in those gaps, protect the perimeter of the company, and make sure you have protection.

Q: How can companies get an organization on board with cybersecurity priorities and build a culture around cybersecurity?

A: That is the million-dollar question—something the entire cybersecurity industry, frankly, struggles with. It comes from the top down. Leadership has to really care about and understand cybersecurity. They have to make it a priority. Cybersecurity shouldn’t be an afterthought.

Compliance is a great way to start. However, that only looks at certain aspects. So, for instance, with PCI (the payment card industry), only the assets that are in scope for PCI are looked at. Well, what about your other assets? They’re still vulnerable. You need to look at the entire picture.

Companies must make sure that the executive board and everybody at the top are aligned when it comes to cybersecurity, and understand the need for it. That also means good communication from IT infrastructure, and from cybersecurity to the executive board—making sure that those conversations are happening. Metrics and reporting can go a long way in trying to translate some of these complicated issues from cybersecurity.

Cybersecurity resources are often considered the no-fun police, but we have to explain why we are doing this—what is the purpose of these phishing exercises that may seem tedious? What’s the purpose of taking away local admin access from developers? Why are we making lives more challenging? That’s where companies must have that clear and transparent communication and metrics.

Reporting can really go a long way and demonstrate the value of your security team. Here are the threats we’re responding to. Here are the incidents we have been alerted to that we’ve prevented. Here’s the patch we’re putting in place. Here are the improvements we’re making to the business. This is how this is a good return on investment, in you investing in us, because here’s how we’re protecting the business.

Providing real-world examples is also important, to show similar companies—attacks and the fallout. Here’s the business loss. Here’s the revenue loss. We don’t want to have that happen to us. What do we do to make sure we’re protected against that? That can help drive the potential risks home to folks who are not technical.

Another big thing is that it’s getting really hard to get cybersecurity insurance. We have seen a drastic rise in premiums, and cybersecurity insurance companies are getting really strict about the requirements for coverage. They’re asking questions such as, do you have multifactor authentication everywhere? Do you have a vendor risk management program? Do you have a threat intel program? They’re getting down into the details, and they will verify that you have all this.

For example, one client had a recent attack and went to its insurance company for coverage, and the insurer went to verify that the company had antivirus software everywhere, as stated in its attestation. The insurer found one laptop without antivirus on it and denied coverage because of the wording that said the company had antivirus everywhere. It was an IT test laptop, but because it didn’t have antivirus on it, the company was denied coverage.

Those are the kinds of issues we’re seeing now. Many companies were dropped from their insurance because insurers got really stretched, especially after SolarWinds. Insurers are requiring due diligence, and will not offer coverage without a secure infrastructure. If you don’t do so-called reasonable security or due diligence, companies are not going to cover you. In fact, Barclays has now said they will not cover cybersecurity at all.

We’re going to continue to see this issue going forward, and it’s going to get stricter and a lot harder to obtain coverage. That’s unfortunate for the middle market, because the premiums are getting very high. If the price of the premium outweighs the return on investment on the coverage, we may see more companies go without cyber insurance in 2022 and beyond.

Q: Are companies allocating more dollars toward cybersecurity to qualify for insurance or to protect against potential threats?

A: Statistically, no. On average, the cybersecurity budget is still, at most, 8% of the IT budget. And already we know that the IT budget is not as big as it should be. So that’s still an issue, and still the trend across all industries and all companies.

The bigger companies have finally separated out cybersecurity, where it might have its own budget and IT has its own budget. The better way to handle things is to dedicate specific resources, because often when you carve a budget out of another budget, it can breed resentment.

For a cybersecurity engineer, IT counterparts should be partners. They’re going to help with the patching; they’re going to help maintain that infrastructure. So, it shouldn’t be a fight for resources between the two. Instead, it should be a totally separate budget.

But we’re still not seeing that drastic increase in budget and that prioritization. Cybersecurity is still considered a cost center rather than a critical piece of the business. However, once companies bridge that gap between the nontechnical executive board and your technology folks, we’re going to start to see some good improvements and see cybersecurity and IT infrastructure as an investment, not necessarily a sunk cost.

That’s where things need to change. And that’s why cybersecurity needs to be pervasive throughout the company. You need to have a culture of cybersecurity, and that needs to come from the top.

Q: Are there any differences across industries in the attitudes toward cyber?

A: To an extent. Those differences are often driven by compliance requirements. For example, the government sector is very much driven by a multitude of compliance regulations and adherence to different standards. The government will literally not do business with you unless you adhere to its requirements. And government contracts can be particularly lucrative.

Other than that, in private industry or when it comes to issues with privacy, the fines are not creating a good enough incentive to drive changes. Compliance does help; it does absolutely have a role. Being a part of that does drive security to an extent. The government and the financial industry are probably two of the strictest, followed by health care. Health care with HIPAA (the Health Insurance Portability and Accountability Act) and the financial industry with SOCs (security operations centers), PCI, SOC 2, etc., are directly tied to very strict compliance regulations. Standards are typically not as strict in other industries. And it all depends on the data companies are gathering.

Q: What cybersecurity trends that will really impact businesses over the rest of the year should investors or operators be aware of?

A: The cloud will continue to reign king as more and more companies shift there from on-premises data centers. The cloud is ending up being cheaper for companies, and it’s easier to maintain. We’re continuing to see the absolute need for application security as more and more companies are going to SaaS—software as a service.

We’re also going to continue to see this great shortage of cybersecurity people—specifically, experienced cybersecurity people—likely for a couple of years. Add to that the significant rise of threat actors, ransomware attacks, and massive critical vulnerabilities that hit over the last two years, and we’re likely in for a rocky remainder of the year.

Hopefully, companies can take the lessons learned and everything we’ve seen in the last two years and finally be on board with making critical investments—updating aging and older IT infrastructure, investing in cybersecurity and starting to care about these things.

This article was written by RSM US LLP and originally appeared on Jul 19, 2022.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/industries/private-equity/bridging-the-gap-in-cybersecurity-and-m-a.html

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.

KDP is a proud member of RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.

For more information on how KDP LLP can assist you, please call us at:

Oregon Office:
(541) 773-6633

Idaho Office:
(208) 373-7890

Increasing a nonprofit’s impact through operational efficiency

Nonprofit organizations often have lean operational budgets. They want to put as much of their resources as possible into fulfilling important missions. But a nonprofit that struggles with its operations will soon find itself with limited mission impact as well.

ARTICLE | July 13, 2022 | Authored by RSM US LLP

Nonprofits can improve their operational efficiency by undertaking four key actions

As such, it is vital that nonprofits be as efficient as possible. Their operations must be as smooth as, or even smoother than, those of their counterparts in the for-profit world. Gone are the days when nonprofits could get away with substandard operational practices.

But there are paths to operational efficiency that are cost-neutral or better. Nonprofits can improve their operational efficiency by undertaking four key actions:

  • Eliminate
  • Automate
  • Outsource
  • Enhance

Each of these actions is crucial to increasing an organization’s impact and should be looked at individually.

Eliminate

It can feel intimidating to look at an organization’s structure and say, “What can we cut?” This sensation of being overwhelmed is one reason why so many nonprofits never address their processes or methods.

So don’t do it—or rather, avoid trying to overhaul your entire organization all at once. Instead, take inventory of your key tasks and systems. Look for small changes. Are there steps that were once necessary but are now irrelevant? Are certain activities redundant or needlessly complex?

It is unlikely that every process or every task is important, or even necessary. For example, one nonprofit had a policy that three separate people had to approve a certain report. But it became clear that the last reviewer was just a rubber stamp, and two rounds of approval were sufficient. Eliminating that final round of approval created a substantial gain in efficiency, and importantly, it did so without sacrificing internal controls.

Once the philosophy of eliminating the unnecessary takes hold, an organization can tackle the bigger issues. Another nonprofit, for instance, had four different departments that were essentially walled off from one another. That meant four silos with four entirely different processes for accomplishing one goal. Eliminating the silo mentality provoked an efficiency boom in the organization, with no drop-off in quality.

Therefore, be brutally honest when eliminating those activities that have outlived their usefulness. By rejecting redundancy, your organization becomes more efficient, and employees will find a greater sense of purpose in their jobs.

Automate

Consider the case of the nonprofit that published a special report every 90 days. The data was important to the organization’s mission, but because it took 90 days to compile, by the time the report came out, it contained nothing but old data. As such, the organization’s employees were taking a great deal of time and effort to provide instantly obsolete information.

Today, that organization creates a new report daily, so every morning the nonprofit’s leaders have access to the latest data. But it wasn’t magic that turned 90 days of labor into a few hours of work. It was automation.

There are certain tasks where the human touch is essential and cannot be replaced. For the other tasks, however, automation can speed up processes and eradicate tedious work. Nonprofits should embrace technological solutions as much as possible to automate their processes.

Standardizing processes and adding controls for critical data will help nonprofits support their members and donors. Speed to insights is essential. Nonprofits need to align their data strategy, governance, centralization and self-service initiatives to achieve innovative data maturity. 

Data inputs, advanced calculations, information consolidation—all of these and more are functions that can be automated. Changing manual tasks into automated procedures will increase data accuracy, enhance the ability of leaders to make informed decisions and allow staff members to focus more on their core jobs.

Enterprise resource planning (ERP) systems, customer relationship management (CRM) systems and association management systems (AMS) can help nonprofits take advantage of the latest technological options, saving a tremendous amount of human effort and personnel costs. Whatever technology an organization adopts, it needs to optimize the system to its own unique needs.

It’s not just about having the latest and greatest systems. It’s about using those systems to the best of the nonprofit’s ability. The goal is for staff members to view repetitive, boring tasks as a thing of the past, letting the machines take over.

Outsource

While your staff members may be great at fulfilling the missions of your nonprofit, they probably aren’t experts at converting a database to the cloud or troubleshooting tech issues. And they don’t have to be.

Outsourcing your information technology can free your staff members from moonlighting as “accidental techies” (as they are affectionately known in the nonprofit world), while enhancing the effectiveness of your IT platform. A managed services provider (MSP) can offer experienced professionals who are knowledgeable about the latest tech developments. Outsourced IT advisors can often solve problems faster than nonprofit staff who are not as well-versed in IT. And more important, these professionals can suggest upgrades, monitor cyberthreats and utilize advanced features that minimize the chances of those problems occurring in the first place.

IT is the most common function that nonprofits outsource, but there are other areas in which an MSP can be invaluable. Many providers offer finance and accounting outsourcing (FAO), in which experienced professionals handle the nonprofit’s books, provide enhanced financial reporting and look for the best ways to maintain the organization’s finances. Some nonprofit organizations also outsource parts of their human resource departments, streamlining their HR functions.

A premier MSP offers not just plug-and-play solutions, but actively engages with the nonprofit’s brain trust to transform the organization. In such cases, a nonprofit can work with an interim chief financial officer or chief information officer to hone its overall approach.

Whether the nonprofit adopts IT, FAO, HR or strategic outsourcing, the MSP’s professionals will typically offer advanced tools and present best practices that they have learned by working with other clients. Another key benefit of working with an MSP is the ability to scale up or down at each level of expertise, depending on the organization’s needs. For such reasons, outsourcing has the potential to create a tremendous return on investment for the nonprofit.

Enhance

Your nonprofit does something better than any other organization, which is why donors make contributions, sponsors sign up and staff members work so hard. But the final key to increasing your impact is to aim higher than maintaining those standards. The goal is to enhance, refocus and double down on your differentiators.

Of course, by virtue of eliminating, automating and outsourcing where possible, the tasks that remain are essential by default. As such, these are the core critical elements of your nonprofit, and you can achieve optimal efficiency by devoting more resources to those mission-specific activities.

Consider the time and money your organization has saved, and invest those newfound reserves into driving your mission forward. Keep in mind that with improved systems now in place, your nonprofit will have better data, smoother workflows and more energized employees to tackle challenges.

Good governance and insightful analytics build trust within your organization. To maintain effective communication, partner with the different areas of your nonprofit to understand the downstream and upstream impact of changes in your data and reporting demand. Align your data and reporting strategy with your team’s key data elements to produce quality analytics.

At this stage, it’s not about making fundamental changes or altering your procedures. Rather, it is about honoring your nonprofit’s vision. Enhancing your nonprofit means being open to new ideas while maintaining a strong focus on achieving your organization’s objectives.

In sum, nonprofits can eliminate, automate, outsource and enhance their way to improved operational efficiency. Doing so greatly increases the odds that they will make a significant impact and continue to fulfill their missions.

This article was written by Matt Haggerty, Joy Cruz, Morgan Diestler, Jacob Petraitis and originally appeared on Jul 13, 2022.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/industries/nonprofit/increasing-a-nonprofits-impact-through-operational-efficiency.html

Cybersecurity governance and the board’s role

The SEC has proposed amendments to its cybersecurity rules for public companies. If enacted, some boards may require cultural and structural changes to address governance gaps.

ARTICLE | July 07, 2022 | Authored by RSM US LLP

The U.S. Securities and Exchange Commission (SEC) has proposed amendments to its cybersecurity rules for public companies, aiming to strengthen cybersecurity oversight, governance and incident disclosure. The proposed rules would enhance cybersecurity protocols and require some boards to make structural and cultural changes to address governance gaps and vulnerabilities.

A governance gap between boards and cybersecurity leadership

Similar to the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, the proposed amendments seek to bridge the common disconnect between boards and cybersecurity leadership. While boards are typically composed of seasoned business leaders, cybersecurity expertise is often lacking. Although it is increasingly common for an organization’s chief information security officer to brief the board on a quarterly basis, the CISO often reports with a technical perspective that members may not completely understand, let alone know how to evaluate in the context of other corporate governance needs.

In addition, board communication is often limited to affirming technologies previously implemented or reviewing key performance indicators on issues already addressed—while downplaying potential risk to organizational assets. These gaps in board communication can lead members to ask cybersecurity leadership the wrong questions and make ineffective requests and recommendations, exacerbating risks to the business.

“To close this gap, boards must increase their oversight and develop a governance culture which elevates cybersecurity throughout the enterprise and treats it like any other business risk,” says Rod Hackman, a member of the board of directors of an SEC-reporting company who leads the board’s cybersecurity oversight function. “Until the board and CISO meet in the middle and begin to speak the language of business, and understand cybersecurity as a business risk, effective governance will continue to suffer.”

Boards must also understand that the SEC proposed amendments are not exclusive and other legislation, such as CIRCIA, may have overlapping disclosure requirements for some organizations–which can create conflicting reporting directives.

Practical actions for boards to close the gap

To ensure cybersecurity is a priority for both your board and your management team, communication between the groups must be focused and transparent. Boards should reject the preconceived notion that cybersecurity is too difficult to deal with. According to Hackman, “The first step toward better governance is to engage management and likely outside advisors to arrive at a common understanding of how the business works by identifying and mapping all operational and support elements of the business, both internal and external. What are the most important assets, and how do they interact? What threatens them? How will the business respond if threats are realized?”

Assets, in this context, relate to a myriad of aspects that comprise the organization, including the:

  • Value of its data, both structured and unstructured
  • Efficacy of its processes, particularly those that contribute to customer experience
  • Safety of employees, products and in some cases, customers
  • Availability of products and services

Cybersecurity threats affect a complex array of organizational assets that businesses often don’t appreciate in totality due to the failure to align information, such as:

  • Process flows for financial compliance
  • Business capability models as a basis for broad technological change
  • Asset registries for compliance
  • Network topologies to support IT management activities

Disclosing details of a material cybersecurity incident during an active investigation will present new challenges, including:

  • Establishing materiality of the cyber incident to determine if disclosure is warranted
  • Getting a clear understanding of what information will be disclosed and to whom
  • Ascertaining if critical company data was improperly accessed, stolen or altered in any way
  • Having appropriate expertise on the company board to provide oversight

Mapping cyber risk to organizational assets greatly enhances a board’s ability to provide better oversight and gives the board peace of mind knowing investments in cybersecurity are effective and align with business objectives.

Steps your board can take to address gaps in communication and governance within your organization include:

Determine organizational perceptions of cybersecurity. A secure organization is increasingly a stated desired outcome in organizational strategy. Board members should gather information to assess whether cybersecurity is a shared objective among executive management—not merely the concern of a security or IT department. A board should also understand on what basis management determines the resiliency and security of the organization’s assets.

Obtain a full understanding of your organizational assets. Board members should request a consolidation and summary of organizational assets from management, assessed by business impact and reconciled to security control/framework(s). This information will help the board and management develop a common understanding of cybersecurity and provide both groups with insight into the organization and its underlying technology. This analysis promotes ownership by both the board and management because it creates a complete picture of the enterprise. The potential cost of misunderstanding the risk environment compels a high level of visibility and transparency.

Gain clarity on cyber disclosure requirements for your organization. Board members should understand and challenge management’s procedures for assessing the materiality of a cyber incident along with the process of disclosing suitable information within 72 hours. The process should ensure understanding of competing disclosure requirements of multiple regulatory authorities and consider the risk of disclosing inaccurate information.

Achieving these objectives will require a substantial commitment from many boards, and potentially a change in board culture. Companies should also anticipate additional expenditures on internal and external resources to meaningfully address the SEC’s proposed requirements if they are enacted. On the upside, board members can anticipate better visibility into cybersecurity risks, and management teams can address those risks more proactively.

“Regulators and the marketplace are forcing change to close the cybersecurity governance gap. The days of simply attending a board meeting four times a year after reviewing board materials prepared by management are over,” says Hackman.

The takeaway

Boards often do not have a grasp on the risks that cybersecurity poses to the business—and delegating cybersecurity management solely to the IT department does not work anymore. Without an effective framework in place, many boards may be unprepared for a cyberattack. Your board should proactively evaluate and adjust its processes to ensure full insight into cybersecurity risks and their potential effect on investors.

The good news is, although it is complicated and oversight is challenging, cybersecurity is manageable if your board is open to better understanding it and is willing to dedicate the resources to support it.

This article was written by Tauseef Ghazi, Rick Shriner and originally appeared on Jul 07, 2022.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/cybersecurity-governance-and-the-boards-role.html
