Independent Cybersecurity Audits Are Powerful Tools for Boards


Bloomberg Law


March 11, 2024


By Daniel B. Garrie, Esq.

Board members today increasingly face personal liability for their organization’s cyber posture. This has raised the stakes of the attestations they sign and created a need for boards to gain real insight into their cybersecurity programs.

One of the most effective ways to do so is through independent cybersecurity audits. This essential component of responsible organizational governance can demonstrate proactive leadership and reveal possible blind spots. Cybersecurity audits are also necessary for compliance with regulations that hold the board and C-suite accountable for verifying the efficacy of their company’s cybersecurity program.

Recent Regulations

Growing cyber regulatory oversight is demanding dynamic evidence of compliance. The Securities and Exchange Commission’s 2023 rules on cybersecurity risk governance and public company incident disclosure require boards of directors to oversee corporate cybersecurity management and demonstrate active oversight, while facing personal liability for failures. Public reporting companies must also:

  • Disclose all material cybersecurity incidents within four business days
  • Describe process(es) used to identify, assess, and manage material risks from cybersecurity threats, and their effect on business strategy, results of operations, or financial condition
  • Describe the board’s oversight of cybersecurity risks and leadership’s role in assessing and managing material risks from cybersecurity threats

Another recent example is the New York State Department of Financial Services’ amended cybersecurity regulation, which requires covered entities to conduct independent audits of their cybersecurity programs and to integrate cybersecurity into business strategy. Changes include:

  • Additional controls and requirements for more regular risk and vulnerability assessments, along with more robust incident response, business continuity, and disaster recovery planning
  • Updated notification requirements, which include reporting ransomware payments
  • Updated direction for companies to invest in at least annual training and cybersecurity awareness
