Cybersecurity: the Changing Role of the Audit Committee And

Home , Deloitte

Cybersecurity: The changing role of the Audit Committee and Internal Audit #DistinctivelyRiskAdvisoryAfrica Cybersecurity | The changing role of the Audit Committee and Internal Audit

1. Introduction

Among the most complex and rapidly evolving issues companies must contend with is cybersecurity. With the advent of mobile technology, cloud computing and social media, reports on major breaches of proprietary information and damage to organisational IT infrastructure have also become increasingly common, thus transforming the IT risk landscape at a rapid pace.

International media reports on high-profile •• Activism is also prevalent in cyberspace with sabotage and retail breaches and the major discovery denial of service attacks growing progressively frequent. In the of the Heartbleed security vulnerability past, they would be attributed to ‘hacktivist’ groups such as posing an extensive systemic challenge Anonymous; but increasingly attacks point to political to the secure storage and transmission of motivations. information via the Internet have shone a spotlight on cybersecurity issues. Based on the Global Risk Landscape 2014 published by the World Economic Forum, cyber attacks are one of the risks with Consequently, this has kept cybersecurity a high impact as well as high likelihood. Refer to figure 1 below. high priority on the agenda of Boards and Audit Committees.

•• Organised crime is monetising the cyberspace, exploiting vulnerabilities in computer systems to compromise and remotely control computers, recording key strokes, monitoring screen displays Fiscal crises Climate Change and manipulating the computer user into Water Crisis divulging sensitive data. 5.0 Unemployment and Biodiversity loss and Underemployment •• Cyberspace being borderless allows any ecosystem collapse Critical information Extreme weather events attacker to route their assaults through infrastructure breakdown

multiple countries and jurisdictions, Cyber Attacks Failure of financial Income Political and social instability complicating investigation and law mechanism or institution disparity enforcement. Weapons of mass destruction Global governance failure

Pandemic •• Companies run the risk of losing average Food Crisis Natural Catastrophes 4.56 substantial amounts of sensitive Antibiotic-resistant bacteria 4.5 Liquidity crises company information to malicious Data Fraud/theft State collapse Terrorist Attacks Man-made employees, who could also potentially environmental catastrophes Oil Price Shock remove it from company premises or Interstate Conflict introduce malicious software to corrupt company databases or sabotage network Economic and resource nationalisation operations. Corruption •• Corporate espionage by companies is Failure of critical infrastructure commonplace in cyberspace. Attacks 4.0 Decline of importance of US dollar often target sensitive intellectual Chronic Diseases Mismanaged urbanisation property and there have been multiple Organised crime and illicit trade instances of major firms with its security

compromised over many months and Impact 3.5 4.0 4.5 5.0 5.5 4.31 losing substantial amounts of sensitive average Likelihood data during these attacks. Figure 1. 2014 Global Risk Landscape (World Economic Forum)

01 Cybersecurity | The changing role of the Audit Committee and Internal Audit

2. What is the role of Internal Audit and the Audit Committee?

2.1 Three Lines of Defence Model The three lines of defence illustrated below Effective risk management is the product are not unique to data privacy and security, of multiple layers of risk defence. Internal but should be in place and operating at Audit should support the Board’s need to a robust level to deal with any critical risk to understand the effectiveness of the company. For most companies , cybersecurity controls. Companies information security and privacy are critical should institute and continually shore up risks because of its potential to cause three lines of defence: financial and reputational damage.

1. Management. Companies that are good Given recent high profile cyber attacks and at managing information security risks data losses, and the expectations of the typically assign responsibility for their SEC and other regulators, it is critical for security regimes to the highest levels of Internal Audit to understand cyber risks the company. Management has and be well prepared to address the ownership, responsibility and questions and concerns expressed by the accountability for assessing, controlling Audit Committee and Board. and mitigating risks.

2. Risk management and compliance Roles & Responsibilities functions. Risk management functions

facilitate and monitor the •• Incorporate risk-informed decision making implementation of effective risk into day-to-day operations and fully management practices by management integrate risk management into operational st and help risk owners in reporting 1 Line of defence processes Business and IT adequate risk-related information up •• Define risk appetite and escalate risks and down the company. outside of tolerance •• Mitigate risks, as appropriate 3. Internal Audit. The Internal Audit function provides objective assurance to the Board and executive management on •• Establish governance and oversight how effectively the company assesses and •• Set risk baselines, policies and standards manages its risks, including the manner in •• Implement tools and processes 2nd Line of defence •• Monitor and call for action, as appropriate which the first and second lines of Information & technology risk defence operate. It is imperative that this management functions •• Provide oversight, consultation, checks and balances, and enterprise-level policies and line of defence be at least as strong as the standards first two. Without a function that provides competent and objective assurance, a company faces real risks of its information • Independently review programme privacy practices becoming inadequate or effectiveness even obsolete. This is a role that Internal • Provide confirmation to the Board on 2nd Line of defence Audit is uniquely positioned to fill. But to risk management effectiveness Internal Audit do so, it must have the mandate and the • Meet requirements of SEC disclosure resources to match. obligations focused on cybersecurity risks

02 Cybersecurity | The changing role of the Audit Committee and Internal Audit

2.2 Organisational Roles and This position is sometimes held by a Chief Responsibilities for Cybersecurity Information Officer (CIO), or a Chief Security Audit Committee and Board of Directors– Officer (CSO) who is also responsible for physical Overseeing a successful cybersecurity security, but some companies may have a programme requires frequent and proactive dedicated Chief Information Security Officer (CISO) engagement from the Board of directors and who focuses solely on cyber threats. These Audit Committee. The Audit Committee, in executives will sometimes report directly to the its capacity of overseeing risk management Board, but in all cases, they can be an effective activities and monitoring management’s policies liaison with whom the Audit Committee and Board and procedures, plays a significant strategic role can communicate regarding risks and the in coordinating cyber risk initiatives and policies response to attacks. and confirming their efficacy. These Internal Audit –The Audit Committee should responsibilities include setting expectations confirm that the Internal Audit function regularly and accountability for management, as well as reviews controls pertaining to cybersecurity, assessing the adequacy of resources, funding is up-to-date on the latest developments and and focus for cybersecurity activities. The Audit includes related issues prominently and regularly Committee chair can be a particularly effective liaison with other groups in enforcing and on its agenda. communicating expectations regarding security External Auditor –The external auditor can and risk mitigation. often be a valuable source of information on Boards are devoting increased attention and cybersecurity issues. Many firms have practices resources to responding to cybersecurity issues. focused on evaluating and strengthening security Whether or not there is a dedicated risk controls and implementing programmes for committee on the Board, it is important to enterprise risk management. They are also confirm that there are directors with knowledge qualified to provide perspectives gained through and skills in security, IT governance and cyber working with a wide variety of companies in risk. Given the Audit Committee’s responsibility diverse industries. for risk oversight, it can be advantageous to External Specialists – It can be helpful to seek recruit committee members with cybersecurity the input of external specialists in assessing experience so that informed decisions are made cybersecurity. about the sufficiency of the efforts overseen. Companies can conduct annual external reviews Management – All members of management of security and privacy programmes, including should be fully aware of the company wide cyber incident response, breach notification, disaster strategy which should include plan of action and recovery and crisis communication plans. who will occupy key roles in the event of an attack Such efforts can be commissioned and reviewed or threat. Most companies have a senior by the Board’s risk committee or another management position related to information designated committee to confirm that identified security in place so that there is a clear voice gaps or weaknesses are addressed. directing cyber threat prevention, remediation and recovery plans, related educational activities Third-party security assessments can and the development of frameworks for effective also provide benchmarking relative to reporting. other companies of similar size or in the same industry.

03 Cybersecurity | The changing role of audit committee and internal audit

08 Cybersecurity | The changing role of the Audit Committee and Internal Audit

2.3 The Audit Committee’s role in •• Do we have trained and experienced staff who cybersecurity can forecast cyber risks? The extent of the Audit Committee’s involvement •• Is it known who is logging into the company’s in cybersecurity issues varies significantly by network, from where and if the information company and industry. In some companies, they are accessing is appropriate to their role? cybersecurity risk is tasked directly to the Audit Committee, while in others, there is a separate 2.4 Transforming Cyber Defences risk committee. Within the broader context of responsibility for risk oversight, Audit Committees are responsible Companies for which technology forms the for the oversight of financial reporting and backbone of their business often have a disclosure and more recently cybersecurity. dedicated cyber risk committee that focuses exclusively on cybersecurity. Cybersecurity is a business issue as it exceeds the boundaries of IT and cyber risk needs to be Regardless of the formal structure adopted, the managed with as much discipline as financial risk. rapid pace of technology and data growth and the attendant risks highlighted by recent security Both the technical nature of the threat and breaches demonstrate an increasing importance amount of attention cyber risk demands calls for in understanding cybersecurity as a substantive, primary Audit Committee involvement. Yet enterprise-wide business risk. companies have acknowledged a lack of expertise on cybersecurity issues. As a result, Audit Committees should be aware of audit committees are seeking not only education cybersecurity trends, regulatory developments and for themselves, but also an elevation of the major threats to the company, as the risks discussion amid C-level executives. associated with intrusions can be severe and pose systemic economic and business consequences These efforts include increasing engagement with that can significantly affect shareholders. the CIO and CISO, drawing on the expertise of the IT partner from the external audit firm, Engaging in regular dialogue with technology- encouraging CIOs and CISOs to participate in focused company leaders will help the peer-group information sharing and challenging committee better understand where attention management to produce metrics that the Audit should be concentrated. Some questions for Committee can use to evaluate cybersecurity Audit Committees to consider asking effectiveness. management regarding cybersecurity are:

•• What is the overall company-wide cyber strategy and plan for protecting assets? A comprehensive cybersecurity

•• How robust are the company’s incident strategy and plan also requires response and communication plans? appropriate culture and tone •• What are the company’s critical assets and at the top. associated risks to be secured? These encompass an awareness of the •• How are vulnerabilities identified? importance of security extending from the C-suite to the professionals in each function, •• How are risks disclosed? since breaches can occur at any level and in •• How are critical infrastructure and regulatory any department. requirements met? The CEO should make it clear that cybersecurity •• What controls are in place to monitor cloud and is a major corporate priority and should supplier networks, as well as software running on communicate that he or she is fully on Board company devices, such as mobile devices? with enforcing compliance with policies and •• What digital information is leaving the supporting efforts to strengthen infrastructure company, where is it going and how is it and combat threats. tracked?

05 Cybersecurity | The changing role of the Audit Committee and Internal Audit

“A company’s cybersecurity programme can be difficult to evaluate because Audit Committees do not know the key success factors and its indicators to measure it.“

Several practices that companies are Board members exceeding 50, there is f. Evaluating the company’s employing to enhance the Audit Committee’s often a lack of understanding of cybersecurity programmes. oversight of cybersecurity risk, leverage the context as a CIO is briefing the Board. A company’s cybersecurity programme recent broader strategic focus of the CISO and It is, therefore, beneficial for the Board can be difficult to evaluate because Audit CIO roles: to have a member with significant Committees do not know the key technology experience. success factors and its indicators to a. Increasing interaction with the IT measure it. The most important indicator department d. Engaging the expertise of the is the amount of time that elapses CIO and CISO should attend Audit external audit firm between the hacker’s penetration and Committee meetings and take the Audit External auditors employ a variety of the company’s detection. Detection and Committee through one “deep dive” professionals that include cybersecurity response time are among the most education session on cybersecurity experts. They are a great resource for important metrics that the company issues. The Audit Committee should providing an honest perspective on should track to ensure progression and also continue engaging with the CIO the company – the knowledge of the effectiveness of the techniques being and CISO. management team and how the employed. company is benchmarked. Some b. Sharing information with industry companies engage external audit counterparts firms to be “ethical hackers” without CIOs and CISOs benefit from sharing the knowledge of the CIO and/or CISO, information with their industry while others choose to notify these counterparts about cyber attack executives ahead of time. patterns and cyber defence strategies. For instance, providing first-hand e. Deploying Internal Audit experience of a cyber attack to industry Internal Audit plays a central role in peers would better inform and prepare helping the Audit Committee oversee them for the prevention of similar cybersecurity. The regular assessments attacks and in the process isolate a conducted by Internal Audit play an high-impact and high-likelihood risk important part in providing the Audit from crippling a company. Committee with a comprehensive appraisal of the company’s strengths c. Technology experts joining the and weaknesses. Internal Audit should Board. also be able to develop a road map for The lack of technology expertise is the future dealing with various cyber- an issue that has to be recognised in risk issues and scenarios. Boards today. With the average age of

06 Cybersecurity | The changing role of the Audit Committee and Internal Audit

3. Framework for Cyber Risk Management

The Cyber Risk Management Framework The framework’s core consists of five functions : can help focus the conversation on the Audit Committee, other members of the 1. Governance and leadership, Board and senior management on what 2. Organisational enablers, cybersecurity strategy and plans are in 3. Capabilities, place and its possible gaps. This can 4. Cyber lifecycle and potentially bridge the gap between the 5. Solution lifecycle seemingly technical world of cybersecurity These provide a high-level, strategic view of a company’s and how it translates into the governance management of cybersecurity risks and examine decisions that Boards and senior existing cybersecurity practices, guidelines and executives make. It also encourages standards. dialogue between companies in similar industries which have a shared interest in identifying and addressing vulnerabilities.

Business Value

1. Governance & Leadership

Executive Technology IT Risk Board Management Leadership Leadership

3. Capabilities 4. Cyber lifecycle Infrastructure Indentity & Access Protect, detect, respond Threat Management Security Management & recover

Workforce Application Security Data Protection Management 5. Solution lifecycle Third-Party Risk Analytics Crisis Management Design, build, implement Management & operate

2. Organisational Enablers

Policies & Risk Identification Stakeholder Talent & Culture Standards & Reporting Management

07 Cybersecurity | The changing role of the Audit Committee and Internal Audit

Cybersecurity strategy and plans should 1. Secure: Being secure means In summary, the model below has 3 take into account the past, present and focusing protection around the risk- objectives – secure, vigilant and resilient – future with regard to cyber risks. sensitive assets at the heart of a woven together with 5 design principles of: Consideration should be given to the company's mission. a. Incorporating security in the core design percentage of the available budget required 2. Vigilant: Being vigilant means for prevention efforts, immediate response b. Applying threat intelligence in the core establishing threat awareness to attacks and resiliency exercises. design throughout the company and developing the capacity to detect c. Sharing of intel and information among Throughout the past decade, most patterns of behaviour that may indicate, security practitioners companies’ cybersecurity programmes or even predict, compromise of critical have focused on strengthening prevention d. Automating processes to address the assets. capabilities based on established scarcity of skilled resources information assurance strategy: defence in- 3. Resilient: Being resilient means e. Enabling the power of combating crime depth. This approach advocates a multi- having the capacity to rapidly contain together layered approach to deploying security the damage and mobilise the diverse controls with the intent of providing resources needed to minimise impact redundancy in the event that a security – including direct costs and business control fails or a vulnerability is successfully disruption, as well as reputation and exploited in one of the layers. brand damage.

To be effective and well balanced, a cyber defence must have three key characteristics: secure, vigilant and resilient.

Secure Vigilant Resilient Enhance risk-prioritised controls to Detect violations & Establish the ability to protect against known & emerging anomalies through better quickly return to normal threats, & comply with industry situational awareness across operations & repair damage cybersecurity standards the environment to the business & regulations

Actionable threat intelligence Strategic organisational approach

08 Cybersecurity | The changing role of the Audit Committee and Internal Audit

Once the cyber risks have been identified, the 3 objectives within the cybersecurity plan can be used to map the programme and governance to mitigate or address those risks.

•• Cyber criminals •• Hacktivists (agenda driven) •• Nation states Who might attack? •• Insiders/partners •• Competitors •• Skilled individual hacker

•• Theft of IP/strategic plans •• Financial fraud What are they after, and what business •• Reputation damage risks do I need to mitigate? •• Business disruption •• Destruction of critical infrastructure •• Threats to health and safety

•• Spear phishing, drive by download etc. What tactics might they use? •• Software or hardware vulnerabilities •• Third-Party compromise

•• Governance and operating model Cyber Risk Programme and Governance •• Policies and standards •• Management processes and capabilites •• Risk reporting Secure •• Risk awareness and culture Are controls in place to guard against known and emerging threats? •• Perimeter defences •• Indentity management •• Vulnerability management •• Secure SDLC •• Asset managment •• Data protection

Vigilant •• Threat intelligence Can we detect malicious or unuathorised •• Security monitoring activity, including the unknown? •• Behavioural analysis •• Risk analytics

Resilient Can we act and recover quickly to •• Incident response •• Forensic reduce impact? •• Business continuity/disaster recovery •• Crisis management

09 Cybersecurity | The changing role of the Audit Committee and Internal Audit

3.1 Cyber Risk Appetite and Tolerance Management should develop an Risk appetite and tolerance must be a high understanding of cyber criminals, their priority on the Board agenda. It is a core objectives and how attacks might happen. consideration in an enterprise risk The following questions can be used to management approach. Risk appetite can develop an understanding: be defined as ‘the amount and type of risk that a company is willing to take in order to 1. Who might attack? meet its strategic objectives.’ 2. What are they after and what business risks do we need to mitigate? 3. What is the intruder’s arsenal? Every company possess 3.2 A representative Internal Audit different risk appetites Plan to address cyber risk depending on their sector, It is imperative that Internal Audit takes a leading role in determining whether culture and objectives. A a systematic and disciplined approach range of appetites exist for exists to evaluate and strengthen the effectiveness of cyber risk management. It a diverse portfolio of risks, should also determine if appropriate which may change over time cybersecurity capabilities (people, process and technology) are in place to according to the risk portfolio. protect against cyber threats.

While risk appetite is interpreted differently, there is a general consensus that effective communication of an appropriate risk appetite statement can help companies achieve their goals and sustain their operations.

10 Cybersecurity | The changing role of the Audit Committee and Internal Audit

In developing the Internal Audit plan for evaluating the information systems that a. Control Environment — Does the cybersecurity, the COSO Framework should are most likely to be targeted by attackers, Board understand the company's cyber be used as the framework for guiding the likely methods of attack and points of risk profile and are they informed of how Internal Audit’s approach. Managing cyber intended exploitation. In turn, appropriate the company is managing the evolving risk through a COSO lens enables the control activities can be established to cyber risks management faces? Board and senior executives to better address such risks. Through the COSO b. Risk Assessment — Has the company communicate their business objectives, cube, companies may view their cyber risk and its critical stakeholders evaluated its their definition of critical information profile through the components of internal operations, reporting and compliance systems and related risk tolerance levels. control to manage cyber risks in a secure, objectives and gathered information to This enables others within the company, vigilant, resilient manner. For example understand how cyber risk could impact including IT personnel, to perform a Figure 2 – The COSO Cube such objectives? detailed cyber risk analysis by c. Control Activities — Has the company developed control activities, including general control activities over technology that enable the company to manage cyber risk within the acceptable level of tolerance to the company? Have such control activities been deployed through formalised policies and procedures?

d. Information and Communication — Has the company identified information requirements to manage internal control over cyber risk? Has the company defined internal and external communication channels and protocols that support the functioning of internal control? How will the company respond to, manage and communicate a cyber risk event?

e. Monitoring Activities — How will the company select, develop and perform evaluations to ascertain the design and operating effectiveness of internal controls that address cyber risks? When deficiencies are identified, how are these deficiencies communicated and prioritised for corrective action? What is the company doing to monitor their cyber risk profile?

11 Cybersecurity | The changing role of the Audit Committee and Internal Audit

A cybersecurity assessment can drive a The fo llowing table illustrates the detailed the cyber risks. Another approach is to risk-based IT Internal Audit plan and audit cyber risk programme and governance allow some coverage of each area (Secure, frequency should correspond to the level derived from the three key characteristics Vigilant and Resilient) in each year. of risk identified and applicable regulatory (secure, vigilant and resilient) linked to the requirements/expectations. Internal Audit plan each year to address

2015 2016 2017

Cybersecurity risk and compliance management Secure development life cycle Security programme and talent management

•• Secure build and testing •• Compliance monitoring •• Security direction and strategy

•• Issue and corrective action planning •• Secure coding guidelines •• Security budget and finance management •• Regulatory and exam management •• Application role design/access •• Policy and standards management •• Risk and compliance assessment and management •• Security design/architecture •• Exception management •• Integrated requirements and control framework •• Security/risk requirements •• Talent strategy Secure

•• Information and asset classification, •• Evaluation and selection and inventory •• Account provisioning •• Contrast and service initiation •• Information records management •• Privileged user management

•• Ongoing monitoring •• Physical and environment security •• Access certification controls •• Service termination •• Access management and governance •• Physical media handling

Threat and vulnerability management Data management and protection Risk analytics

•• Incident response and forensics •• Data classification and inventory •• Information gathering and analysis around: •• Application security testing •• Breach notification and management • User, account, entity •• Threat modelling and intelligence •• Data loss prevention • Events/incidents •• Security event monitoring and logging •• Data security strategy

Vigilant • Fraud and anti-money laundering •• Penetration testing •• Data encryption and obfuscation • Operational loss •• Vulnerability management •• Records and mobile device management

Crisis management and resiliency Security operations Security awareness and training

•• Recover strategy, plans and procedures •• Change management

•• Testing and exercising •• Configuration management •• Security training •• Business impact analysis •• Security awareness •• Network defence •• Third-party responsibilities Resilient •• Business continuity planning •• Security operations management •• Security architecture •• Disaster recovery planning

SOX ( financially relevant systems only) Penetration and vulnerability testing BCP/DRP testing

12 Cybersecurity | The changing role of the Audit Committee and Internal Audit

4. Looking Ahead

As recently as five years ago, it was rare for a Board of directors to be closely involved in managing cybersecurity risks, but rapid advancements in technology, coupled with a corresponding increase in the sophistication of cyber criminals and cyber legislation, have made it essential for the Board and Audit Committee to be informed and proactive. New technologies continue to shape the physical and virtual borders of companies, which must frequently review and quickly adapt policies to address emerging issues.

Cybersecurity specialists are developing increasingly sophisticated approaches for preventing, detecting and responding to security breaches, but no single solution can address all the evolving challenges associated with cyber threats. It remains important to apply prudent and adaptable controls to respond to changes in the threat landscape and to have strong response and resiliency plans in place in the event of an attack.

Increasingly, cybersecurity is becoming a top-of-mind issue for most CEOs and Boards and they are becoming more pre-emptive in evaluating cybersecurity risk exposure as an enterprise-wide risk-management issue, not limiting it to an IT concern.

13 Cybersecurity | The changing role of the Audit Committee and Internal Audit

18 Cybersecurity| The changing role of Audit Committee and Internal Audit

For more information please contact:

Southern Africa

Navin Sing Derek Schraader Managing Director: Risk Advisory Africa Leader: Risk Advisory Africa Cyber Risk Services Mobile: +27 83 304 4225 Mobile: +27 79 499 9046 Email:[email protected] Email:[email protected]

Dean Chivers Rushdi Solomons Risk Advisory Africa Leader: Risk Advisory Africa Leader: Governance, Regulatory & Risk Internal Audit Mobile: +27 82 415 8253 Mobile: +27 74 141 4444 Email: [email protected] Email: [email protected]

Central Africa

Tricha Simon Rodney Dean Risk Advisory Regional Leader: Director: Risk Advisory Central Africa Central Africa Mobile: +263 772 263 016 Mobile: +263 772 234 932 Email:[email protected] Email:[email protected]

West Africa

Anthony Olukoju Temitope Aladenusi Risk Advisory Regional Leader: Director: Risk Advisory West Africa West Africa Mobile: +234 805 901 6630 Mobile: +234 805 209 0501 Email:[email protected] Email:[email protected]

East Africa

Julie Nyangaya William Oelofse Risk Advisory Regional Leader: Director: Risk Advisory East Africa East Africa Mobile: +254 71 785 0555 Mobile: +254 720 111 888 Email:[email protected] Email:[email protected] Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (DTTL), its network of member firms and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 225 000 professionals are committed to making an impact that matters.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.