How audit committees are leading amid evolving cyber risks

https://kpmg.com/ca/en/insights/2025/11/how-audit-committees-are-leading-amid-evolving-cyber-risks.html

Publish Date: 2026-02-24 06:08:00

Source Domain: kpmg.com

At a bare minimum, organizations should be complying with all applicable regulations. This past year saw regulatory developments in Canada and the EU that will create new reporting obligations and affect how organizations shape their cybersecurity programs. For example, the EU’s Network and Information Security Directive (NIS2) mandates cyber risk governance, risk management and reporting requirements for certain European organizations. It was slated to be fully in force in 2025, but rollout has been uneven across member nations.

In Canada, Bill C-8 was introduced in June 2025. If passed, it will apply to organizations operating in critical sectors such as finance, telecommunications, utilities and transportation, requiring them to develop and implement a cybersecurity program that must be submitted for annual review. It will also require in-scope organizations to report cybersecurity incidents to the Canadian Centre for Cyber Security (CCCS) within 72 hours, allow the government to issue legally binding orders for organizations to take specific measures related to cybersecurity and impose significant penalties for non-compliance with the Bill.

Audit committees must keep abreast of new regulations globally and satisfy themselves that management is taking the appropriate steps to monitor emerging regulations, evaluate whether the organization is in scope and comply where it is. Though most audit committees at mature organizations have cyber expertise among their membership, many could still benefit from a formal, ongoing process for tracking new and changing regulations.

In this regard, communication between organizations, mostly through industry bodies, is an emerging channel for information sharing. Through this cooperation, organizations can exchange intelligence on new threats, mitigations and regulations. Audit committees may wish to discuss with management whether this would be a useful avenue to pursue, if they are not…