European Audit Committee Leadership Network, May 2014
On 2 April 2014, members of the European Audit Committee Leadership Network (EACLN) met in London to discuss cybersecurity, among other topics. In this session, members were joined by Andrew Archibald, deputy director of the National Cyber Crime Unit of the United Kingdom’s National Crime Agency (NCA), and Paul C Dwyer, director of strategic solutions at the security firm Mandiant (recently acquired by FireEye).
EACLN members and their guests discussed a number of issues related to cybersecurity, which fell into three main areas:
Update on the cybersecurity threat and company responses
Since the EACLN members’ last discussion of cybersecurity in November 2012, cyberattacks of various kinds have continued to draw headlines, revealing an increasingly sophisticated criminal underground and extensive surveillance by intelligence agencies like the US National Security Agency (NSA). Mr Dwyer and Mr Archibald underscored the gravity of the threat, and Mr Dwyer lamented the impact of NSA contractor Edward Snowden’s revelations on trust in government. Meanwhile, companies are scrambling to improve their defenses against evolving threats. Members and guests mentioned measures such as extending security policies to business partners and employees’ mobile devices and developing plans that enable quick and effective responses to incidents.
Governments are also struggling to marshal an effective response to the threat. Fresh legislation and new organizations are emerging at both the national and European Union (EU) level. Efforts are aimed at strengthening government capabilities, supporting cooperation and information sharing among companies and with government, and mandating security measures for certain types of data and in certain sectors. Reflecting on how law enforcement works with the private sector, Mr Archibald pointed to a cultural shift in which deeper engagement on prevention and mitigation increasingly complements investigation and prosecution.
Boards are struggling to keep up with the rapid evolution of the problem and how they address it. Mr Dwyer offered a number of actions for boards to take, noting that companies may be liable for failing to achieve an adequate standard of supervision. For boards and especially audit committees, the question of what to disclose about security incidents and company responses is an additional challenge involving not only compliance with breach notification laws but also strategic considerations around the timing of disclosures and the accounting for associated costs.