Cybersecurity Tops Audit Committee Priorities in 2025

In today’s fast-evolving business world, audit committees (ACs) face growing responsibilities amid a complex regulatory landscape and emerging risks. Cybersecurity has emerged as the top priority for ACs in 2025, reflecting the rising frequency of cyber breaches, nation-state attacks, and their severe impacts, according to the 2025 Deloitte Audit Committee Practices Report.

Why Cybersecurity Dominates AC Agendas

The 2025 Deloitte Audit Committee Practices Report highlights cybersecurity’s urgency: 31% of AC members rank it among their top three priorities, alongside enterprise risk management and talent. The report notes that ACs are increasingly focused on cybersecurity due to regulatory changes, notably the SEC’s Cybersecurity Rule, requiring disclosure of material cyber incidents and governance details. The SEC also emphasizes Internal Control over Financial Reporting (ICFR), linking cybersecurity to financial integrity.

Technology’s strategic role amplifies cybersecurity’s importance. Directors see advancing emerging technologies like AI and GenAI as a top priority, yet the 2025 Deloitte Audit Committee Practices Report identifies lagging tech implementation as a risk. With growing investments in tech and cybersecurity, ACs must balance innovation with risk management to address novel attack vectors.

Key Areas of AC Cybersecurity Oversight

While some boards delegate to tech committees, most cybersecurity oversight remains with ACs due to their expertise in internal controls. The 2025 Deloitte Audit Committee Practices Report outlines key focus areas:

• Expertise and Education: 31% of AC members say cybersecurity expertise enhances effectiveness. ACs are becoming “cyber literate” through education and collaboration with Chief Information Security Officers (CISOs).

• Proactive Risk Governance: ACs assess material cyber risks and stress-test incident response plans, ensuring robust resilience programs like business continuity are well-resourced and tested regularly.

• Robust Controls and Data Governance: ACs evaluate technology’s impact on financial reporting, especially with GenAI, ensuring effective risk management and governance processes.

• Disclosure and Transparency: ACs ensure clear messaging on tech and cyber risks, engaging auditors to assess technology’s role in audits for added assurance, as emphasized in the 2025 Deloitte Audit Committee Practices Report.

Navigating the Future

Cyber threats evolve rapidly, often requiring response within minutes. ACs must stay vigilant, prioritize education, and maintain open communication with management and auditors. By strengthening cybersecurity oversight, ACs protect organizations, ensure financial reporting integrity, and boost investor confidence for long-term success.