Audit Committee members want more time for cyber security

Half of Singapore respondents feel quality of cyber-related information needs improvement


Some 62 percent of audit committee (AC) members in Singapore surveyed in a recent KPMG study of ACs said that more agenda time should be devoted to cyber security in 2015.

Globally, more than half - or 55 percent - of survey respondents feel likewise. "Through a cyber security lens" is a report focusing on the views of about 1,500 AC members in 27 markets, including Singapore.

However, the ACs of other ASEAN nations surveyed – Thailand, Indonesia and the Philippines – are less concerned with spending more time on cyber security, including data privacy and protection of intellectual property in 2015.

Fewer than half of Thailand’s AC members, or 47 percent, want to spend more time on cyber security, while 36 percent in Indonesia and 35 percent in the Philippines said the same.


Shortfall in quality of cyber information received? 

Half of Singapore respondents also categorise the quality of information they receive about cyber security, data privacy risks and their potential impact on the company as needing improvement. This was above the global average of 41 percent.

Again, results from the other ASEAN nations did not fully correspond with findings from Singapore. Only about a third of respondents in Indonesia and the Philippines thought the information they receive about cyber issues was in need of improvement.

Thailand was the most satisfied of the ASEAN nations - only 18 percent of AC members surveyed said they wanted better quality cyber information.

Said Mr Irving Low, Head of Risk Consulting at KPMG in Singapore: "The Singapore results reflect heightened concerns about cyber security. Global cyber breaches and attacks highlight that Singapore companies are not immune. The establishment of the Singapore Cyber Security Agency also demonstrates Singapore’s commitment to monitoring and mitigating national cyber threats.

"Based on our observations, the cyber-related information provided to Boards and ACs here has not kept pace with the increasing risk cyber is posing to organisations. This is partly because of the complexity involved. Cyber security risks exist as a result of not just technological factors, but also human and cultural factors." 


Greater need for AC to communicate with CIO 

Globally, respondents’ views of the quality of the AC’s communications with the Chief Information Officer (CIO) were split quite evenly across the different options:

  • 23 percent felt that communications between the AC and CIO were excellent. 
  • 29 percent indicated that interactions were good but that issues arise periodically. 
  • 20 percent said improvements are needed. 
  • 27 percent felt interactions between the CIO and the AC were insignificant or not applicable. 

Of the ASEAN nations, Singapore had the highest percentage of respondents – 52 percent – who indicated that the AC’s communications with the CIO were insignificant or not applicable. 

More than a third of respondents from Indonesia and Thailand also indicated the same, while only 18 percent of AC members surveyed in the Philippines said interactions were insignificant. 

Where communication between the CIO and AC existed, 19 percent of Singapore AC members felt that improvements were needed; 23 percent felt that communications were good with periodic issues, while only six percent chose excellent. 

In comparison, Thailand, Indonesia and the Philippines seemed more satisfied, with just five percent, seven percent, and six percent respectively indicating that the quality of communications needs improvement.

"As many ACs delegate responsibility for overseeing risk management and internal controls, they are correspondingly overseeing more non-financial reporting risks such as compliance, operational and information technology (IT) risks and controls.

"Given how technology risks feature far more prominently in organisational risk profiles these days, the AC should engage more actively with the CIO by requesting for regular updates on an organisation’s IT risk profile," said Mr Low.


Oversight of cyber and data risks limited to specific groups

Globally, 28 percent of respondents said that the full board was responsible for the oversight of cyber security and data privacy risks.

The AC was next in line, with 22 percent of respondents indicating that the group was accountable for the majority of tasks to do with cyber security and data privacy.

For Singapore, 31 percent of respondents – above the global average – assigned cyber and data risk to the full board. Another 31 percent said the Risk Committee was responsible.

The majority of the ASEAN AC members surveyed indicated that cyber and data risk tended to be assigned to specific groups rather than the full board.

Some 41 percent of respondents from the Philippines assigned cyber security and data privacy to the Technology Committee, 36 percent of respondents from Indonesia said the Risk Committee was responsible, while 22 percent of respondents in Thailand pointed to the Audit & Risk or Finance Committee.

Said Mr Low: "The board committee structure required to adequately and effectively oversee cyber and technology related risks depends on the nature, size and complexity of the organisation. 

"We are certainly seeing a trend in the establishment of Board Risk Committees (separate from the AC) to enable deeper discussion and debate on key risks. We are seeing Boards taking more interest in specific risk areas, such as cyber security, given the potential for operational disruption, financial loss and reputational damage." 
