With annual audits under way, the SolarWinds breach spotlights a couple of major corporate governance gaps—the urgent need for better IT controls and limited board audit committee tech expertise. Such voids are precisely what cyber-criminals exploit.
The SolarWinds hack, among its many targets, affected leading tech firms and top government agencies. Unlike the infamous 2013 Target data breach, in which cyber-thieves stole vendor credentials to access confidential data, the SolarWinds hackers embedded malicious code in a trusted supplier’s software update. The approximately 18,000 customers that downloaded the code were potentially vulnerable to an attack.
The malware is confirmed to have breached networks at prominent organizations including Cisco, Intel, Deloitte and the U.S. Departments of State, Treasury and Homeland Security. The alarming news surely leaves boards wondering aloud whether their companies’ technology infrastructure is truly secure.
Major audit firms are asking the same questions and, accordingly, have further upped client IT controls scrutiny. Given this shift away from arcane accounting inspections, boards can no longer construct audit committees with only financial experts. They need to add tech leaders, with CIOs consulted regularly in oversight decisions and audit planning.
Without adequate compliance and control, no strategy can succeed. As supply chains in every industry rely more and more heavily on software, the SolarWinds hack shows that cyber risk can lurk in vendors’ inadequate controls. Even the most well-intentioned, non-tech independent directors are unlikely to be suitably prepared to address complex IT issues that are now central to operations, data security and audits.
Boards can no longer afford to treat cybersecurity as not a problem until it becomes one. PwC’s 2020 Annual Corporate Directors’ Survey found that two-thirds of respondents agreed that a cyber breach would reflect poorly on their board. Yet only 37% said they knew their company’s crisis management plan “very” well. Even fewer (32%) said they deeply understand cybersecurity.
At the audit committee level,…