Cyber-security risk is now an integral part of many companies’ annual audit plans.
According to the 2016 Internal Audit Capabilities and Needs Survey conducted by global consulting firm Protiviti, 73 per cent of organizations now include cyber-security risk in their internal audits, a 20 per cent increase from last year. The survey also found that top-performing organizations are better able to address cyber risk, especially those whose boards of directors have high levels of engagement in information security risks.
In the past decade, cyber-security has evolved from a simple IT risk to a very important business risk, and it is now regularly discussed in boardrooms. In fact, 57 per cent of organizations have received inquiries from customers, clients, and insurers about their cyber-security status.
According to the survey, 92 per cent of organizations with a high level of board engagement in information security risks implement a cyber-security risk plan, compared to only 77 per cent of those without a high level of board engagement. Meanwhile, 83 per cent of companies that include cyber-security risk in the annual audit plan have a cyber-security risk policy, versus 53 per cent of those that do not include cyber-security risk.
Over 1,300 internal audit practitioners, mostly from North America and including more than 150 chief audit executives, participated in the survey, which is in its tenth year.
A more interconnected world is more exposed to cyber-security risks, so companies need to make cyber-security a high priority in their plans. That includes having a cyber-security insurance policy in place to deal with risks such as malware and cyber-attacks, including information theft and extortion, especially for data-sensitive businesses.