Monday, 29 June 2015

SINGAPORE AUDIT COMMITTEE MEMBERS MORE CONCERNED ABOUT CYBER SECURITY THAN ASEAN PEERS

Some 62 percent of audit committee (AC) members in Singapore surveyed in a recent KPMG study of ACs said that more time should be devoted to cyber security in 2015.

However, the ACs of other ASEAN nations surveyed – Thailand, Indonesia and the Philippines – are less concerned with spending more time on cyber security, including data privacy and protection of intellectual property in 2015.

Less than half, or 47 percent, of Thailand’s AC members want to spend more time on cyber security, while 36 percent in Indonesia and 35 percent in the Philippines said the same.

Shortfall in quality of cyber information received?

Half of Singapore respondents also categorize the quality of information they receive about cyber security, data privacy risks and their potential impact on the company as needing improvement.

Again, results from the other ASEAN nations did not fully correspond with findings from Singapore.

Only about a third of respondents in Indonesia and the Philippines thought the information they receive about cyber issues was in need of improvement.

Thailand was the most satisfied of the ASEAN nations – only 18 percent of AC members surveyed said they wanted better quality cyber information.

“The Singapore results reflect heightened concerns about cyber security,” said Irving Low, Head of Risk Consulting at KPMG in Singapore. “Global cyber breaches and attacks highlight that Singapore companies are not immune. The establishment of the Singapore Cyber Security Agency also demonstrates Singapore’s commitment to monitoring and mitigating national cyber threats.

“Based on our observations, the cyber-related information provided to Boards and ACs here has not kept pace with the increasing risk cyber is posing to organizations. This is partly because of the complexity involved. Cyber security risks exist as a result of not just technological factors, but also human and cultural factors.”

Communication with CIOs

Of the ASEAN nations, Singapore had the highest percentage of respondents – 52 percent – who indicated that the AC’s communications with the CIO were insignificant or not applicable.

More than a third of respondents from Indonesia and Thailand also indicated the same, while only 18 percent of AC members surveyed in the Philippines said interactions were insignificant.

Where communication between the CIO and AC existed, 19 percent of Singapore AC members felt that improvements were needed; 23 percent felt that communications were good with periodic issues, while only six percent chose excellent.

In comparison, Thailand, Indonesia and the Philippines seemed more satisfied, with just five percent, seven percent, and six percent respectively indicating that the quality of communications needs improvement.

“As many ACs delegate responsibility for overseeing risk management and internal controls, they are correspondently overseeing more non-financial reporting risks such as compliance, operational and information technology (IT) risks and controls.

“Given how technology risks feature far more prominently in organisational risk profiles these days, the AC should engage more actively with the CIO by requesting for regular updates on an organization’s IT risk profile,” said Low.

Oversight of cyber and data risks limited to specific groups

Globally, 28 percent of respondents said that the full board was responsible for the oversight of cyber security and data privacy risks.

The AC was next in line, with 22 percent of respondents indicating that the group was accountable for the majority of tasks to do with cyber security and data privacy.

For Singapore, 31 percent of respondents – above the global average – assigned cyber and data risk to the full board. Another 31 percent said the Risk Committee was responsible.

The majority of the ASEAN AC members surveyed indicated that cyber and data risk tended to be assigned to specific groups rather than to the full board.

Some 41 percent of respondents from the Philippines assigned cyber security and data privacy to the Technology Committee, 36 percent of respondents from Indonesia said the Risk Committee was responsible, while 22 percent of respondents in Thailand pointed to the Audit & Risk or Finance Committee.

“The board committee structure required to adequately and effectively oversee cyber and technology related risks depends on the nature, size and complexity of the organization,” says Low.

“We are certainly seeing a trend in the establishment of Board Risk Committees (separate from the AC) to enable deeper discussion and debate on key risks. We are seeing Boards taking more interest in specific risk areas, such as cyber security, given the potential for operational disruption, financial loss and reputational damage.”

View the original content and more from this author here: http://ift.tt/1CE32uT


