In Bracing for Cyber-Attacks, Tech Company Boards Play A Critical Role

by Janel Riley and John Rodi


Ransomware. Data breaches. Malware. Social hacking. When cyber criminals attack, their victims may pay a hefty price — financially, reputationally and legally. For technology companies, the largest of which have millions of customer touchpoints, the stakes are even higher. One cyber event has the potential to cripple network infrastructure, release highly sensitive customer information, expose intellectual property and wreak havoc at scale. And with the sophistication of cybercrime only increasing, technology companies and their boards are typically operating in a continual state of catch-up. 

Tech Savvy Does Not Mean Cyber Savvy  

Logic might suggest that technology companies, given their cutting-edge products and superior IT environments, are less vulnerable to cybercrime than companies in other industries. But this is not necessarily the case. According to KPMG’s 2022 Fraud Outlook, executives in the technology, media & telecom sector were more likely than those in any other to report growth in malware (30%, compared to 22% on average), social hacking (23% to 17%) and SQL injection attacks (18% to 11%). As for confidence in their defense capabilities, only 39% of respondents said they can identify a cyber breach or attack within a week of its occurrence, and only 21% can contain it within a week of discovery. 

What Makes Technology Companies So Vulnerable?  

Constant innovation is a double-edged sword. Creating the latest technology products, software and hardware generates a competitive advantage, but it also pins a target on companies’ backs.  

Cyber risks lurk all along the supply chain. From initial development of a product to each customer touchpoint, technology companies are accountable for securing their products every step of the way. The longer and more complex the supply chain, the greater the vulnerability. 

“Just because you can doesn’t mean you should.” This concept is loudly proclaimed across the industry, with customers, regulators and policymakers challenging technology companies to think critically about the customer data they create, store and utilize. When this data is compromised or misused, the long-lasting reputational damage may outweigh the financial repercussions. 

The list goes on, but equally as important as identifying cyber vulnerabilities is mitigating them. And the board plays a key role in overseeing this process.  

Top Considerations for Boards 

In conversations with technology company boards and audit committees, three key topics are increasingly top of mind: 

1. As the sophistication of cyber threats grows, so too must board-level monitoring. According to the KPMG Board Leadership Center’s On the 2023 board agenda, boards are making significant strides in monitoring and holding management accountable on cyber risk. They are thinking critically about how management identifies cyber risks, assessing cyber security talent, war-gaming various attack scenarios and enhancing their own IT and cyber acumen. However, while boards are upskilling on cyber, so too are cyber criminals. The result: a continuous loop of identifying and addressing increasingly sophisticated threats.  

Considering this, technology company boards — and their audit committees — should consider leveling up their monitoring of management’s cyber preparedness. For example: 

  • Is management sensitive to early warning signs of attack?  
  • Are there high-quality processes and controls in place? Are they keeping pace with the evolving threat landscape?  
  • In the event of a cyber incident, how quickly and accurately is management able to identify the root cause and adopt new procedures to prevent future incidents?  

2. The regulatory environment is changing: start preparing now for the SEC disclosure rules ahead. Technology companies already understand that cyber incidents can lead to additional expenses, losses in revenue, diminished future cash flows and, without appropriate controls in place, long-term litigation and reputational damage. However, to date, the connection between cyber risk and financial statements has not been codified. Regulators are working to change this. In March 2022, the SEC proposed new rules related to cyber risk management, strategy, governance and disclosure requirements. If enacted, these rules would require public companies to disclose cyber events within four days of an incident being deemed material, as well as greater detail around cyber policies, procedures and management- and board-level governance.

With final rules expected in spring 2023, technology company boards need to be asking management:  

  • How would a cyber event impact the financial position of the company?  
  • Are all third-party relationships compliant with internal cyber security protocols, as well as those proposed by regulators?  
  • How will new reporting requirements impact operations, strategy and reporting?  
  • Who will do the heavy lifting on regulatory compliance? 

3. Cyber risk is just one piece of the data governance puzzle. Historically, cyber risk has been under the purview of the board’s audit committee. However, boards are beginning to look at cyber security within the broader context of data governance — a field that also includes data privacy, data ethics and hygiene and artificial intelligence. Oversight of cyber and related risks is increasingly touching multiple points of the board agenda, and therefore multiple committees as well.

In assessing cyber preparedness, it is critical that boards not lose sight of this bigger data governance picture. This means tuning into emerging technologies and their related risks. Boards might ask:  

  • How is management implementing emerging technologies such as facial recognition software, artificial intelligence and machine learning?  
  • How is that data collected and stored, and what are the privacy and ethical considerations?  
  • What regulatory compliance and reputational risks are triggered by the use of these technologies? 

Cyber Mitigation is Everyone's Responsibility 

Safeguarding a company’s cyber security is ultimately the responsibility of every individual in the organization. Employees should stay vigilant about data vulnerability and incorporate cyber best practices into their day-to-day routines. Management should reinforce this message regularly, while implementing high-quality processes and controls that identify and mitigate cyber risks and trigger an efficient and effective response in the event of a breach. And finally, the board should hold management accountable for action, or inaction, related to cyber and data governance risk. If all three parties — employees, management and the board — work together to address these risks in a rigorous and timely manner today, they will engender trust, unlock value and enjoy a sizeable competitive advantage tomorrow. 

This op-ed draws in part from an Audit Insight from KPMG U.S. Janel Riley is National Audit Industry Leader, Technology for KPMG U.S and John Rodi is Leader, KPMG Board Leadership Center for KPMG U.S.