In this increasingly digital business world, technology risks are evolving and expanding. Corporate boards play a vital role in ensuring these risks are top of mind with senior management. Directors are not technology experts per se, but it is important for them to stay on top of these issues and be prepared to ask probing questions regarding the organization’s cybersecurity readiness and current or planned use of emerging technologies like artificial intelligence (AI). The role of the audit committee in overseeing these risks continues to evolve and expand.
Cybersecurity: A priority of oversight
Let’s begin with cybersecurity. Outside of financial reporting and internal controls, cybersecurity is the No. 1 area of focus for audit committees, according to a recent survey that Deloitte jointly conducted with the Center for Audit Quality. The Audit Committee Practices Report: Priorities and Committee Composition indicates that more than half the respondents (53 percent) delegate cybersecurity oversight to their audit committee, and nearly two-thirds (63 percent) selected cybersecurity as a top area of focus over the next year.
The SEC’s proposed rule calls for enhanced disclosures around cybersecurity incidents, risk management, strategy and governance, and would further increase the importance of the audit committee’s involvement in this area. Although the audit committee’s role in cybersecurity oversight could expand, only 41 percent of the survey respondents believe their audit committee members have appropriate cybersecurity experience and expertise. To flatten their learning curves, 43 percent of respondents indicated that their audit committee has met with subject-matter specialists outside of management to stay current on this evolving risk.
Directors need perspective to appropriately oversee a company’s readiness for a cyber incident, as well as the strategies, policies and procedures in place for risk mitigation. The chief information security officer (or equivalent) should consider providing the audit committee with regular updates on current threats (including mitigation strategies) and attacks. Additionally, directors should receive frequent updates on the cyberthreat landscape and evolving regulatory environment.
Taking aim at AI risk
Cyber risks aren’t the only technology-driven risks that may call for increased audit committee oversight. As the use of AI expands—and, with it, concerns about data privacy, ethical implications of AI, and other matters—audit committees will be expected to address associated risks. Recently, an AI chatbot released in November 2022 set a record for the fastest-growing user base (faster than TikTok and Instagram). It is important for audit committees to stay apprised of the risks emerging technologies such as these pose to their organizations.
Directors may consider whether investments in AI are consistent with the organization’s strategy and goals—a required business capability as opposed to just a “nice to have.” To set an appropriate tone and guiding principles for the development of an ethical AI framework, members should ask questions regarding the transparency of the algorithms, potential for discriminatory outcomes, whether the tools have been tested for errors in a controlled environment and the measures in place to ensure reliability.
It is unreasonable to expect directors to be bona fide cybersecurity and AI experts. Nevertheless, it is important for audit committee members to continually raise their competency levels and stay informed on these emerging areas of risk. There are many ways to get up to speed: request deep dives from internal and external experts and insist they use plain language in their briefings; meet with other board members to share respective experiences and lessons learned, without breaching confidentiality; and regularly attend in-person and virtual conferences and trainings focused on these subjects. Above all, directors can set a strong tone at the top and bring their innate curiosity, inquisitive minds and professional skepticism to these discussions.