Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO CHAPTER: @IIACHI #IIACHI WWW.FACEBOOK.COM/IIACHICAGO HTTPS://WWW.LINKEDIN.COM/GROUPS/1123977 1
CAE Communications and Common Audit Committee Questions about Cybersecurity
Yulia Gurman, Director, Internal Audit & Corporate Security
Ryan Hopkins, Assistant Director, Internal Audit
Packaging Corporation of America (PCA)
BIOS
Yulia Gurman, Director, Internal Audit and Corporate Security, Packaging Corporation of America
Yulia has over 17 years of work experience in internal audit and compliance in the US. She also serves on the Board of Governors (Chicago Chapter) and the Committee of Research and Education Advisors for the IIA. She specializes in internal audit, compliance, risk and control advisory, project management, as well as financial and operational audits. She has worked in the real estate, manufacturing and retail sectors. Yulia has considerable experience in managing business risks and improving operational efficiencies. She is known for providing forward-thinking insights to management, ensuring challenges are tackled.
Ryan Hopkins, Assistant Director, Internal Audit, Packaging Corporation of America
Ryan is an Assistant Director of Internal Audit with over 13 years of audit and consulting experience. Ryan began his career in public accounting at Grant Thornton, where he provided audit and consulting services to more than 35 national and multi-national clients. Ryan's previous work experience also includes Accenture's Internal Audit team, where he supervised and executed operational and compliance audits of emerging areas of risk, IT controls, and pre-implementation and post-implementation reviews of multi-million dollar ERP and custom application projects.
Discussion Topics
- Current Cybersecurity Trends
- Understanding the Needs
- Reporting
- Educating Boards and Audit Committees
Polling Question: What's your current role within your organization?
a. CAE or Internal Audit (IA) Department Head
b. IA Manager or Sr. Manager
c. Staff or Senior Auditor
d. Other role outside of Internal Audit
Packaging Corporation of America (PCA)
- Domestic company headquartered in Lake Forest, IL
- One of the largest manufacturers of containerboard and corrugated packaging
- 2018 revenue: $7 billion
- Decentralized environment with facilities located across the United States
Audit Committee:
- 5 seasoned members
- Industry and IT expertise
- All independent Board members
Current Cybersecurity Trends
Polling Question: Does your Audit Committee include members with IT/Cybersecurity expertise?
a. Yes
b. No
Audit Committee Questions About Cybersecurity and Director Survey Results
Only 50% of directors* are confident that their companies are properly secured against cyberattacks. To gain confidence, boards are asking questions about Resource Allocation, Vulnerabilities & Risk, and Cyber Risk Management Approaches.
In what areas of the cybersecurity program are investments being made?
Only 30% of directors surveyed* indicated that their organizations evaluate security of mergers, acquisitions and new product development, yet the
What Cyber Risk Management Approaches are in use today?
[Survey charts omitted; the three chart titles were:]
- What percentage of your** cybersecurity budget is devoted to the five key cybersecurity functions identified by NIST? Please estimate for each time period.
- Which areas of your** organization's IT infrastructure do you believe are most vulnerable to risk?
- Which of the following statements apply to your** organization's cyber risk management approach?
Source: (*) NACD 2018-2019 Public Company Governance Survey; (**) Wall Street Journal, The Cybersecurity Imperative
Recent Security Incidents
HTTPS://YOUTU.BE/0_ZFUMLNJK8
Discussion
- How do you react to the news?
- Do you provide comments on the breaches in the news to your Audit Committees (ACs)?
- Do you update the AC on controls in place to prevent and detect a similar breach?
- Breach response protocol?
Understanding the Needs of the Audit Committee
Understanding the Needs
- Talk to Management and the Audit Committee and seek feedback on the areas of most interest
- Understand the level of detail needed: too much vs. too little
- Frequency of updates
- Deliverables, reporting and metrics. Examples:
  - Number of system vulnerabilities
  - Length of time to identify and respond to a breach
- Formal and/or informal communication
What are your Crown Jewels?
Questions to consider when identifying your organization's crown jewels:
- What are our company's most critical data assets?
- Where do they reside? Are they located on one or multiple systems?
- How are they accessed?
- Who has permission to access them?
Cyber criminals target companies of all sizes and from every industry, seeking anything that might be of value, including:
- Sensitive consumer data, such as credit card numbers or medical information
- Sensitive employee data: Social Security Numbers, drivers' license numbers, and bank account numbers
- Business plans, including merger or acquisition strategies
- Contracts with customers, suppliers, distributors, joint venture partners
- Product designs
- Source code
Common Questions Asked About Cybersecurity
- Are we adequately protected?
- Do we know our biggest threats?
- Do we have sufficient and effective IT resources?
- Are cybersecurity disclosures sufficient?
- Do we have the right resources to address our concerns?
- Are roles & responsibilities clear?
- How do we identify new threats?
- What is Internal Audit's role?
- What is the level of External Auditor oversight?
- Is an incident response plan in place and tested periodically?
- What are the breach costs and impact?
- What is our cybersecurity insurance coverage? Common exclusions?
Reporting
Polling Question: Who is responsible for updating the Audit Committee on Cybersecurity matters?
a. Internal Audit only
b. IA and Management (IT)
How and What to Report?
Each organization is unique, and we should consider cybersecurity risk and maturity in the context of the following areas:
Senior Management perspectives:
- Risk tolerance
- Maturity goals
Peer organizations' maturity benchmarking:
- Industry peers
- Peers with similar organizational structure
NIST Cybersecurity Framework
In 2014, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity in response to the President's 2013 executive order on cybersecurity (Executive Order 13636). The NIST framework is a voluntary, risk-based approach that companies in any sector can use to assess their cybersecurity exposure and respond to cyber risk.
The current framework version (v1.1, April 2018) includes a set of cybersecurity activities expressed through five functions (Identify, Protect, Detect, Respond, Recover) that provide a high-level, strategic view of the management of cybersecurity. These five functions are further divided into 23 categories and 108 subcategories that describe the cybersecurity activities and desired outcomes in more granularity.
Assessment against the framework works at two levels, and it is worth being precise about which one is reported to the Audit Committee:
- Profiles: the Core's subcategories are used to record a Current Profile (outcomes achieved today) and a Target Profile (outcomes required by the organization's risk tolerance). The gap between the two, prioritized by business impact, is what drives the remediation roadmap and is the most useful per-area view for reporting.
- Implementation Tiers: four tiers, from Tier 1 (Partial) to Tier 4 (Adaptive), describe the extent to which cybersecurity risk management is informed by business needs and integrated into the organization's overall risk management practices. Tiers characterize the organization's risk management practices as a whole rather than being assigned to each function, category and subcategory, and NIST states explicitly that tiers are not maturity levels. If a "maturity" score per area is reported to the Audit Committee, it is a scoring model the organization has layered on top of the framework (or a separate maturity model), and the report should say so.
Roles and Responsibilities
Are roles and responsibilities clearly defined for reporting:
- Cybersecurity breaches
- Maturity assessment results
- Network security assessment results
- Cybersecurity awareness training and results
What else are you reporting on?
Example Communications/Deliverables
- Cybersecurity maturity assessment results (using a framework)
- Enhancements to cybersecurity practices: compared to prior year?
- Network security assessment
- Employee cybersecurity training and awareness
- Social Engineering test results
- Other?
Educating Boards and Audit Committees
What Can CAEs Do?
- Educate Management and the Board about trends and emerging risks, and share innovative practices on how to mitigate certain cyber risks
- As Internal Auditors, we know our organization's environment and also know what our peers are facing, so we can help the Audit Committee and Management understand which risks are most prevalent for our industry
- We should also be able to explain which risks are critical and relevant versus those that are remote for our organization
- Not all organizations are created equal in terms of cyber risk exposure!
Resources
A lot of information available!!!
- SEC: Interpretive Guidance on Public Company Cybersecurity Disclosures
- IIA: Internal Audit's Growing Engagement in Cyber Management; Internal Auditors: More Than Cybersecurity Police; and much more
- NACD: Resource Center: Cyber-Risk Oversight
- Consulting firms: white papers, newsletters, webinars, etc.
- Your PEERS!
Questions and Answers?
Thank you for your time and attention!
IIA Chicago Chapter 59th Annual Seminar