Mandatory cyber audits coming for publicly-traded companies, Canadian audience told

Governments or regulators are getting so sensitive about cyber security that they may require publicly-traded companies to undergo annual cyber audits as well as financial audits, says a former U.S. Homeland Security secretary who is now a consultant on risk management.

Tom Ridge made the prediction to a Canadian audience at the third annual International Cyber Risk Management Conference in Toronto, where he also repeatedly asserted that to fight cyber attacks the public and private sectors have to build resilient organizations.

Companies regularly bring in third parties to check finances, he noted, even though they believe their C-level executives are top-notch. Similarly, he said, “at some point in time the business community is going to say, ‘I got a great CSO, chief technology officer… but just to be sure I want to bring in to see if there’s new technology, if they’ve got a new cyber auditing process.’”

Then he added, “I believe in the United States of America, if you’re a publicly-traded company in the next few years, [government] may require a cyber audit in addition to a fiscal one.”

Cyber security, he said, “is no longer the poor CISO’s problem.”

Asked in an interview if governments should be more aggressive in regulating companies to improve their level of cyber security, he said there’s a positive role for governments to play. In the U.S., the National Institute of Standards and Technology (NIST) has issued a cyber security framework organizations can use to establish cyber strategies, he pointed out.

“I think if companies wait for government to give them solutions to identify technologies they’d be waiting [a while] because governments move more slowly than icebergs.” On the other hand oversight can be helpful, he added.

“Government is inclined to punish,” he added. “But so far regulators have urged organizations to think differently about this as a business risk.” At the same time, he admitted there has been a warning that organizations that are careless risk seeing “the heavy hand of government in a very punitive way.”

“So I think right now the best thing the government could do is raise that level of awareness and kind of push executives to take a look at it, particularly from the regulatory side. It’s not an IT problem, it’s a business risk and you’d better deal with it.”

In his keynote address, Ridge hammered home one word: Resilience. To fight cyber attacks the public and private sectors have to build resilient organizations, he said.

“You want to close cyber gaps? Good luck … You can’t close all the gaps, let’s accept that as the reality of the digital world. But you sure can close some of them and as others emerge you can make it far more difficult for the bad guys to exploit them.”

Russia, China and Iran continue to use the Internet for economic and political espionage, he said at one point, but he also admitted his own government has used an unnamed “digital weapon” — perhaps an allusion to reports that the U.S. and Israel used the Stuxnet virus to infect Iranian nuclear centrifuges.

When asked later about the chances of international collaboration to stop cyber attacks, Ridge said, “I’m a real sceptic the global community will ever come up with protocols that everybody will live by and have enforced.”

Better, he said, that the countries partnering with the U.S. in the so-called Five Eyes intelligence partnership – Canada, the U.K., Australia and New Zealand – sign their own cyber pact and expand from that. “There’s lots of countries out there that would be happy to sign international agreements and then ignore them before the ink dries.”

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
