SEC Cybersecurity Disclosure Guidance Is Quickly Becoming a Requirement
By Grant, C Terry
As companies turn to digital technologies for business solutions, the risk of a security breach continues to rise. For the last 11 years, the security of information technology and data has been rated as a top technology initiative in surveys conducted and published by the AICPA. In addition to concerns about the loss of data and sensitive information, the AICPA surveys identify controls for mobile devices and cloud computing as ongoing concerns.
In the fall of 2011, the
Nature of Cyber Attacks
* unauthorized access to sensitive data;
* industrial espionage;
* sabotage of hardware and software;
* infection of hardware and software with malicious software;
* theft of computer time and other denial of service attacks; and
* theft of mobile devices, such as laptops, notebooks, and cell phones.
Specific SEC Disclosures
* Cybersecurity risks and costs associated with a registrant's operations
* Cybersecurity risks arising from outsourcing activities
* Cybersecurity incidents that have occurred during the past year and that are individually or collectively material in nature
* Cybersecurity risks that may go undetected for an extended period
* Cybersecurity risks that give rise to relevant insurance coverage.
In addition to these potential risks, actual cyber attacks should be disclosed, including the nature of the attack, when it occurred, its potential cost, and its related consequences. Disclosing information about prior attacks can help users understand the risk the company is facing and how the company is remediating past security breaches.
Potential and actual cyber attacks present unique risks and costs to companies. Costs for actual security breaches can often be determined, but costs of potential breaches are very difficult to estimate. The
* Remedial costs associated with a loss of data and information and the loss of business after an attack
* Costs of cybersecurity
* Loss of revenues due to a loss of data or customers
* Regulatory fines
* Litigation costs
* Reputational damage that can lead to loss of customers and reduced investor confidence.
Six Companies Attracted SEC Attention and Letters
For obvious reasons, companies are reluctant to disclose the details of cyber attacks. Security breaches often harm a company's reputation, spawn litigation, and expose vulnerabilities to competitors. In early 2012, the
Internal control audits are governed by Auditing Standard (AS) 5, An Audit of Internal Control over Financial Reporting that Is Integrated with an Audit of Financial Statements. The standard requires auditors to use a "top-down approach" that begins at the financial statement level to identify controls that present a "reasonable possibility" of material financial statement misstatement. Interestingly, the
Disclosures in the 2012 annual reports of five of the six companies (all except
In spite of the disclosures made by these six companies, the
Practical Guidance on Disclosures
Disclosures might also be needed as part of management's assessment of internal controls. If cybersecurity risks could affect a company's information system and impact the integrity of financial reporting, management should include this as an internal control deficiency and seek remedies. In addition, disclosures should be included in the company's "description of business" section if the cyber attack affects products or services, and in the company's "legal proceedings" section if material litigation is pending.
Cyber attacks occurring after the balance sheet date but before the financial statements are issued should be considered a subsequent event. If material, the nature of the attack and related potential cost should be disclosed.
Both internal and external auditors are involved with the adequacy of existing cybersecurity controls. The process of evaluating security controls has become more complicated, necessitating expanded use of IT equipment. The Computer Security Handbook notes that today's auditors may need special training to understand and test security controls in a digital system (
Internal auditors need applicable skills in order to analyze the risks associated with data security, perform routine and regular security audits, help select security systems, evaluate whether security goals have been met, and monitor compliance with security procedures. External auditors must have the special technical skills necessary to ensure that financial statements are fairly and accurately presented. From a security perspective, external auditors should be able to identify sources of computer security information, understand the client's computer security environment, identify critical controls within the system, conduct an actual security review with appropriate testing, and report the audit findings to management with recommendations for reducing and eliminating material weaknesses in the client's security environment. They should also be able to identify both strengths and weaknesses in a client's security system, testing strengths for consistency and weaknesses to determine whether monetary losses have been incurred.
Auditors should not assume that cyber attacks are limited to high-tech companies. All businesses could be at risk of having customer credit card numbers and other personal information stolen. Auditors should consider the
When in doubt, auditors are advised to seek the help of an external specialist. Information system auditors and security experts can be a valuable source of information on security risks and remedial modifications to internal control systems that can help bolster them and help companies comply with the expanded cybersecurity disclosures expected by the
Gerry H Grant, PhD, CPA, is an assistant professor of accounting at the
Copyright: (c) 2014 New York State Society of Certified Public Accountants