Boards of Directors Considerations
Company boards face a significant challenge in overseeing how companies manage their cybersecurity risk. Board members charged with cybersecurity risk oversight may want to consider asking the questions outlined below as they engage in discussions about cybersecurity risks and disclosures with management and public company auditors. Note that the questions below are not meant to be all-inclusive or to be seen as a checklist; rather, they provide examples of the types of questions board members may ask of management and the financial statement auditor. This dialogue can help board members enhance their understanding of how the company is managing its cybersecurity risks. It can also help clarify the financial statement auditor’s responsibility for cybersecurity risk considerations in the context of the financial statement audit and, if applicable, the integrated audit of internal control over financial reporting (ICFR). These questions also may help boards understand additional services accounting firms could provide over the company’s cybersecurity risk management program and related disclosures.