Do Boards Need a Technology Audit Committee?

As technology advances at a fast pace, problems and concerns related to its use in business abound. These include technological changes that result in new threats (e.g. security threats), products that don’t live up to expectations (e.g. defective software), failed business transactions arising from technical glitches (e.g. inaccurate information processing), IT system failures that shut down business operations (e.g. a power outage resulting in network failure), and so on, which people have come to refer to collectively as cyber incidents. Cyber incidents impact a company’s bottom line in various direct and indirect ways:

1) The cost of recovering from cyber incidents often runs into millions of dollars, especially when litigation is involved. One may recall the US retailer Target, which lost around US$180 million to cyber thieves in 2013 after it failed to encrypt customer data, resulting in a seven-week shutdown of its cash registers.

2) Business activities are hampered when an organization’s IT infrastructure or network is down. For example, some Delta Air Lines flights were grounded for hours during the 2014 holiday season because of a system outage.

3) Stock and share prices can fluctuate. When hackers stole about 40 million credit card numbers from the Tokyo-based Japanese firm Heart Co., Ltd early last year, shares of one American company plunged by 12 percent, because investors feared that the attack would have a long-lasting impact on companies with similar customer data infrastructure.

The list goes on: the cyber incidents that hit companies range from the loss of business data (e.g. email hacks leading to lost customers) to more serious matters such as extortion attacks demanding ransom in bitcoin, malware, and so on.

Technological change has also affected corporate boards’ duties and how they govern a company’s use of technology. The proliferation of BYOD, cloud services, social media, and mobile computing has made it increasingly difficult for board members to keep up with technological developments, or to ensure proper oversight of what the company is doing when it collects the various types of information, old and new, related to its business activities. In addition, many technologies are developed in-house by IT professionals, and there is only so much a board can do to stay informed without someone on the team who understands technology.

Most boards adopt a reactive approach to cyber risks: they wait until something bad happens before seeking advice on how to handle such incidents or prevent them from happening again. At best, this can be described as governing by exception, i.e. waiting until an incident hits before looking into ways of preventing it from recurring.

This raises the question: should boards have access to continuous, relevant information that enables them to be proactive in dealing with cyber risks? Answering this question affirmatively is made easier by considering cases like Target (mentioned above), where board members were unaware of the need to upgrade their security software even though they knew that cybercriminals had been targeting them for a while. In other words, boards need access to better information about cyber incidents.

In addition, given the global nature of today’s business environment and the growth of cross-border business, a challenge faced by many board members is ensuring that senior management teams adhere to local laws in offshore jurisdictions when they use technology to gather different types of information about people, whether employees or customers. When managing multinational companies with subsidiaries in various countries, directors could find themselves breaching multiple laws if they lack proper oversight of what is being collected and where it is stored. This has led some corporate boards to set up sub-committees to oversee the use of technology.

A sub-committee made up of board members who know how technology works and who are also aware of the latest information security threats could help boards stay abreast of potential risks related to cyber incidents. For example, companies using mobile devices for work purposes need an IT strategy in place, not only to protect business data but also to stop users from accessing unauthorized video or audio content on their devices, since this creates issues with laws around censorship and account suspensions.

Companies should strive to invest continuously in technology that improves their operational efficiency, even when budgets are tight. Instead, investing in people who understand how cyber criminals operate would help boards better govern their organizations, stay abreast of potential cyber risks, and prepare for any contingency now, before it becomes a crisis.

In conclusion, companies need proper oversight of how technology is being used in order to prevent cyber incidents. In this respect, corporate boards should be able to access continuous information about the latest information security threats so that they can deal with them proactively. In addition, more international companies are setting up board sub-committees of members who understand how technology works, so that they can avoid breaching local laws when collecting different types of data through various means (e.g., social media).

As new technologies emerge (e.g., the Internet of Things), or hackers get smarter at exploiting existing ones to gain access to corporate networks, directors may need a seat at the table when it comes to discussing how these threats will emerge and affect their organization. In this respect, board members should have technological expertise, in addition to an understanding of cyber risks, so that they are better equipped to govern their companies.

Overall, boards could benefit from setting up technology committees that advise them on what steps should be taken to protect business data and personally identifiable information about employees and customers from potential security breaches. In this day and age, where technology is used in all aspects of business, including mergers and acquisitions, keeping track of organizational assets (e.g., data) becomes increasingly important. As cybercriminals are likely to become more sophisticated at targeting organizations, having technological expertise on boards could help them better prepare for emerging cyber risks.
