The Internal Audit Role in assessing Cybersecurity
May Louise Farrugia
September 2016

"There are only two types of companies: those that have been hacked and those that will be."
- Robert Mueller, Former FBI Director
Cyber risk is not just IT risk
It concerns all personnel within the company
Internal audit has a key role to play

Objectives of the study
To understand the attitudes of Maltese internal audit functions towards assessing cybersecurity
To identify barriers hindering cybersecurity assessments
To recommend improvements in this area

Research Methodology
Primary Research: 11 semi-structured interviews (7 PLCs + 4 'Big Four' audit firms)
Secondary Research: academic journals, reports, articles, books, past dissertations, professional standards and company documents
Findings: Cybercrime and Cybersecurity controls
How probable is cybercrime?
"Maltese companies are not immune to it"
"Not as likely to be hit as foreign companies"
Internal Audit's Perception of the Probability of Cybercrime (IAPLCs)

How probable is cybercrime?
"Numerous attacks remain unreported or undiscovered"
"Accidental cybercrime"
"Increase abroad, increase locally"
Internal Audit's Perception of the Probability of Cybercrime (IAAFs)
What is the impact of cybercrime?
"Depends on the activity of the company"
Internal Audit's Perception of the Impact of Cybercrime (IAPLCs)

What is the impact of cybercrime?
Internal Audit's Perception of the Impact of Cybercrime (IAAFs)
Reasons for cybersecurity controls (number of IAPLC respondents, n=7)
Security/Protection of systems, data and/or other company assets: 3
Mitigation of cyber risk and/or cyberattacks; Maintaining reputation; Fraud management: 2
Confidentiality of data; Integrity of data; Financial damage, including loss of future revenue due to corporate espionage; Availability of data: 1

Reasons for cybersecurity controls (number of IAAF respondents, n=4)
Mitigation of cyber risk and/or cyberattacks: 3
Fraud management: 1
Business improvement
Regulatory compliance
Reliability of financial reporting

Types of cybersecurity controls
Control used/recommended, with number of IAPLC respondents (n=7) and number of IAAF respondents (n=4):
Passwords 7 4
Anti-Virus Software 3
Firewalls
Encryption
Staff Training
Vulnerability Assessments 6 2
Penetration Testing
Cyberinsurance -

Types of cybersecurity controls: Emerging technologies
Controls over access to social media
Monitoring the cloud
Controls over smart devices
Findings: Cybercrime assessments and internal audit
Is cybersecurity assessed?
6/7 Yes, 1/7 No
3/6 Constantly
1/6 Ongoing (by suppliers) + one-time outsourced
1/6 Ad-hoc audits
1/6 One-time audit

Is cybersecurity assessed in a typical engagement?
4/4 Yes
Cybersecurity assessments are always considered
Engagements usually involve some aspect of a cybersecurity assessment

Included in the Audit Plan vs. Ad-Hoc
Included: 4/6, 2/4
Ad-Hoc: 1/6, 1/4
Both: 1/6, 1/4

Is the process similar to a normal audit?
5/6 Yes
Risk-based approach: 4/4

Is this being requested?
5/6 Yes, 1/6 No
Requested by: Audit Committee (3/5), Regulators (2/5), Management (2/5), External Auditors (1/5), Parent Company (1/5)

To whom are results reported? (number of respondents, n=6)
Audit Committee/Board: 6
President/CEO: 3
Group Chief Internal Auditor: 2
Executive Management: 1
General Manager of the operation concerned

What are the necessary factors?
Technical skill and experience (3/4)
Good understanding of client and its risks (2/4)
Full support from management (1/4)
Knowledge (basic vs. specialised) (6/7)
Time and frequency (2/7)
A good budget (1/7)

What determines the success of an assessment?
The assessment itself
Improvements
External reviews
Good understanding of risks
Mitigation of risk
Penetration testing
Meeting client's expectations

What is the role of the internal auditor?
Third line of defence
Highlight risks and deficiencies
Provide practical recommendations
Maintain basic knowledge
Raise awareness
Findings: Internal audit team knowledge
Do you hold any related qualifications? (IAPLCs)
5/7 Yes: CISA (5/5), CRISC (2/5)
2/7 No

Do you hold any related qualifications? (IAAFs)
4/4 Yes
CISA, CISM, CRISC, CGEIT, CISSP, CPTE, CEH, ISO 27001

Did you/your team receive training? (IAPLCs)
5/7 Yes (organised by the PLC: 1/7)
2/7 No

Did you/your team receive training? (IAAFs)
4/4 Yes
Organised by the firm (3/4)
Supported by the firm (1/4)

Is local awareness appropriate?
No: 4/7 (but increasing), 2/4
Yes: 3/7, 2/4
Findings: Barriers
Do you face barriers in assessing cybersecurity? (IAPLCs)
6/7 Yes, 1/7 No
Lack of knowledge (5/6)
Lack of financial resources (4/6)
Lack of time (3/6)

Do you face barriers in assessing cybersecurity? (IAAFs)
3/4 Yes, 1/4 No
Lack of management involvement and commitment
Lack of knowledge
Lack of time
Management's mentality

How will cybersecurity impact the future of the internal auditor?
Required knowledge
No longer the profile of an accountant
More time devoted to cybersecurity
Recruitment of skilled people
Provision of training to unskilled employees

Recommendations
Implementation of a cybersecurity framework, e.g. the NIST Cybersecurity Framework
Education and training: top management; training sessions/conferences
Out-/co-sourcing cybersecurity assessments

"Cybersecurity is a shared responsibility, and it boils down to this: in cybersecurity, the more systems we secure, the more secure we all are."
- Jeh Johnson, US Secretary of Homeland Security

Thanks!
may.farrugia@gmail.com