Cybersecurity is Top-of-Mind for Audit Committee and CFOs in the New Reality

© Traitov/iStock/Getty Images Plus

The challenges from the COVID-19 pandemic continue to permeate the healthcare industry. While the focus for healthcare organizations continues to be on vaccine rollout and pandemic mitigation, priorities among financial and accounting executives are beginning to shift.

According to KPMG’s most recent survey of over 50 leading health system Chief Financial Officers (CFOs) and Audit and Compliance Committee Chairs, there’s a push-pull happening between the CFO’s forward-looking focus on risks and opportunities, and ongoing blocking and tackling audit committees must address. That is on top of the need for continued vigilance around the risks brought about from a dispersed workforce, ongoing migrations to the cloud, and accelerated digital transformation driven by emergent and varied technologies.

The question becomes, what is behind these sometimes-conflicting priorities and what does it mean for organizations required to plan for ongoing uncertainty while mitigating financial risk?

CFOs and Audit and Compliance Committee chairs share high prioritization on cybersecurity.

Boards today are doing more to monitor cyber security effectiveness, having amassed greater IT expertise on board and relevant committees in order to fill knowledge gaps. For audit and compliance committees, internal controls will always have a place within the audit; data governance and compliance with privacy laws and regulations continue to be a priority for compliance committees.

Healthcare information is extremely valuable to hackers, and IT systems are vulnerable to ransomware attacks due to the number of entry points available to attackers across a variety of disparate systems. Complicating this issue, major supply chain disruptions led CFOs and committees to pay even closer attention to the risks associated with third-party products and services, both within the context of cyber security and other strategic/operational areas.

One major trend this past year was the importance of a holistic approach to data governance — one that encompasses the processes and protocols around integrity, protection, availability, and use of data. KPMG,’s recent report, Thriving in an AI World finds cybersecurity breaches to be the greatest potential risk of AI adoption for industry respondents, with the healthcare industry focused on privacy violations as the foremost concern. 

As a baseline, organizational leaders must be asking questions around their systems’ cyber security preparedness, and whether a plan has been documented and communicated throughout the system and to the Board. Consider: Do you pay the ransom or not, how would you handle payroll, documentation of patient care, and other access needs? Do you have the appropriate plans, resources and partners to weather such an attack? Being without access to your systems can be costly to your organization. Healthcare systems should consider whether or not to have cyber insurance and what level of coverage to carry.

Outside of cybersecurity, CFOs and Audit Committee Chairs have divergent focuses.

For CFOs, other top priorities include longer-term strategies, like cost reduction and working capital management and planning for uncertainty. For audit and compliance committee chairs, these are rivaled by internal controls and managing physician relationships — a reflection of their lens of risk, compliance, and controls. One of the greater challenges from these differences in priorities is that, as KPMG notes in our report on the 2021 healthcare and audit agenda, “The events of last year have put significant pressure on employees, management, the audit and compliance committee and the board to balance competing priorities.”

Organizations should channel competing priorities into operational strengths.

Because CFOs and Committee Chairs focus on different strategic areas, they may identify unique gaps in preparedness. As we found in the December…