We need mandatory third party security and privacy audits to matter as much to the directors and shareholders as financial audits. Shareholders wanting to be protected from fraud and misrepresentation by companies understating the risks and overstating potential rewards for the investors is what had lead to governments requiring public corporations to have third party financial audits.
The consequences to shareholder value of security and privacy breaches needs to overshadow any potential profit gained by failing in due diligence in this regard, so that shareholders place the same importance and value on this type of mandatory third party evaluation of a corporation’s data and security stance as the current financial audit regime. Without that we will continue to see the endless stream of data breaches and fundamental lack of care when it comes to security and privacy that pervades the tech (my) industry.
The potential consequences are not only to customers, but the lack of due care is a major economic threat as cybersecurity is so pitiful that even apart from threats to government exposed by the recent SolarWinds fiasco, companies are risking their raison d’être in that their intellectual property is essentially ‘up for grabs’.
And of course we cannot forget that the threats are not only external but as seen with the Zoom data collection and the US intelligence agency attack tool exposures, that there are internal threats as well. Here in Canada in the RCMP the Cameron Ortis case illustrates that it’s not just remote threats that need to be considered.
The upshot: data responsibility needs to be an integral part of financial due diligence, and won’t ‘just happen’.