Chief audit executives in the power and utility industry rank cyber security as the highest risk and biggest concern for their industry, according to a new report from PricewaterhouseCoopers.
PwC’s ninth annual survey of chief audit executives in the power and utilities industry found that while information technology continues to be a high-risk area among CAEs, it’s also a key enabler for more effective and efficient risk management through governance, risk and compliance technologies and data analytics.
“The risks of a cyber-weapon of mass destruction taking out portions of America’s power grid became very real for utilities in recent years,” said the report. “Many utilities are intently focused on IT security. In fact, survey respondents rank cyber security as the highest risk overall and most concerning, in particular, the ease in which adversaries penetrate systems.”
The report noted that hackers are getting more sophisticated and the number of breaches has risen dramatically. While many companies are focusing more on IT security, increased investments in operations and new technology such as cloud computing applications are also creating new security exposures at power and utility companies.
As the magnitude of risks continues to increase in the power and utilities sector, internal audit departments are trying to manage the risks more effectively using the latest analytical capabilities.
Focusing on the critical risks was cited by the CAEs polled by PwC as the top improvement goal over the next 12 to 36 months. PwC found that 58 percent of utilities have developed a combined risk assurance map to help integrate their company’s risk assurance functions.
Many internal audit groups have traditionally relied on penetration testing to address security concerns, the report noted. But leading internal audit groups are now taking much more proactive measures by conducting maturity assessments in which they are evaluating people, processes and technology, while working directly with security and compliance personnel to build risk inventories and controls.
