‘Fortifying your defense’ whitepaper defines three lines of defense to tackle critical risks and mitigate financial and reputational damage
NEW YORK, August 15, 2012 – With more companies migrating into the digital realm and relying on hacker-susceptible mobile and cloud technologies, data security threats and breaches have increased exponentially, with more than 1,037 publicly reported incidents of loss, theft or exposure of personally identifiable information recorded in 2011, according to Open Security Foundation/DataLossDB.org. Companies must therefore deploy an ever-more robust defense strategy by constructing three lines of defense with internal audit playing a critical role in providing assurance around data security and privacy controls and practices, according to a new PwC US whitepaper titled Fortifying your defenses: The role of internal audit in assuring data security and privacy.
“Despite all the attention around data security, the risk of breaches is only getting worse with severe ramifications, not only in terms of dollar costs, but also management attention and company reputation,” said Dean Simone, leader of PwC’s U.S. risk assurance practice. “To battle the ever-changing hacker profiles and accelerating rate of technological change, companies need to constantly re-evaluate their privacy and security plans. No company, no matter how well it has secured its data, is ever finished maintaining information security and privacy, but by establishing three lines of defense involving internal audit, they are putting in place the best safeguards to deal with critical risks to a business.”
According to PwC, most companies do have security controls and privacy policies, and they are often quite comprehensive. All too often, however, no one checks to see if these protocols are being followed. In addition, new threats to information security are often overlooked, which demands new procedures and tools.
As data thieves become even more inventive, corporate policies, procedures, tools, training and compliance efforts have not kept up. In some instances, PwC found that some security capabilities have actually diminished over the last three years. In 2011, only 39 percent of nearly 10,000 executives in 138 countries said they reviewed their privacy policies annually, compared to 52 percent in 2009. Only 41 percent had an identity management strategy in 2011, a decrease from 48 percent in 2009.
According to the whitepaper, government bodies are increasing the penalties they impose on companies whose security flaws allow data breaches. At least 50 countries have enacted data privacy laws, and more are expected to follow.
“No matter how strong a company’s data security policies and controls are, a company won’t really know the adequacy of its defense if it doesn’t continually verify that those defenses are sound, uncompromised and applied in a consistent manner,” said Jason Pett, PwC's U.S. internal audit services leader. “Internal audit has to play a far more substantial role in information security, and audit committees must also increase their attention on the increasing risk, heightening the expectations they place on internal audit to place adequate focus on data security and privacy concerns.”
To combat the ever-increasing attacks on their data or any critical risk to the business, PwC’s Fortifying your defenses identified the three lines of defense that companies should initiate:
Management: Companies that are good at managing information security risks typically assign responsibility for their security regimes at the highest levels of the organization. Management has ownership, responsibility and accountability for assessing, controlling and mitigating risks.
Risk management and compliance functions: These functions facilitate and monitor the implementation of effective risk management practices by management and help risk owners in reporting adequate risk-related information up and down the firm.
Internal audit: Provides objective assurance to the board and executive management on how effectively the organization assesses and manages its risks. It’s imperative that this line of defense be at least as strong as the first two for critical risk areas.
“Keeping the audit committee apprised of emerging risks and effective ways to address them is a critical role of internal audit, and they must stay ahead of the threat curve. If internal audit stays on the sidelines, a company could rush into launching a new process, product or system without adequate controls,” continued Pett. “Internal audit must als o understand changes to the business, either internally or externally driven, and move quickly to conduct special audits for new information security threats. In order to effectively monitor and communicate the risks of data security, all companies need internal audit to serve as that strong third line of defense.”
About PwC’s Risk Assurance practice
PwC understands that significant risk is rarely confined to discrete areas within an organization. Rather, most significant risks have a wide-ranging impact across the organization. As a result, PwC's Risk Assurance practice has developed a holistic approach to risk that protects business, facilitates strategic decision making and enhances efficiency. This approach is complemented by the extensive risk and controls technical knowledge and sector-specific experience of its Risk Assurance professionals. The end result is a risk solution tailored to meet the unique needs of clients.
About the PwC Network
PwC firms help organizations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with close to 169,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at http://www.pwc.com.
© 2012 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.