The Securities and Exchange Commission recently issued guidance on disclosures by public companies of the cybersecurity risks they are facing and what they’re doing to address those risks. Accountants can play a role in helping companies by providing assurance and attestation services to make sure they’re taking steps to mitigate the risks.

The SEC’s 2018 Guidance on Public Company Cybersecurity Disclosures reflects growing concern over cybersecurity incidents such as data breaches, and spells out what companies need to do about publicly disclosing them (see SEC wants cybersecurity disclosures). The 2018 guidance, released last month, adds two new areas: cybersecurity policies and procedures, and insider trading prohibitions. The guidance spells out the rules of disclosure, including ensuring fair disclosure under the Reg FD requirements, along with the factors public companies need to consider in determining whether material information has been compromised. The 2018 guidance stresses the importance of materiality when preparing disclosures and lists five elements of materiality to consider.

Experts from Deloitte are recommending public companies also consider taking an additional five steps:

1. Assess current policies and procedures related to cyber risks and incidents.

2. Align cyber risk with the operational risk framework, and develop a shared understanding of materiality considerations.

3. Understand disclosure obligations under federal and state laws, and establish and maintain appropriate and effective disclosure controls for cybersecurity risks and incidents.

4. Examine and update insider trading policies and procedures.

5. Raise C-suite and board awareness on SEC guidance and company obligations, and assess and test incident management processes, including through cyber war gaming.

“There are really two core aspects of the guidance that the SEC has really emphasized,” said Guarav Kumar, a principal at Deloitte Risk and Financial Advisory. “One is the importance of establishing and maintaining comprehensive cybersecurity policies and procedures. The policies should clearly define what is expected and procedures that put those policies into action, the controls within an organization and the cybersecurity risk management program. Having comprehensive processes and controls established within the organization as part of the overall risk management program for cyber, and getting into a periodic cadence of evaluating the effectiveness of those processes and controls to help management identify the material cybersecurity risks and incidents and be able to disclose them appropriately, is one of the core aspects of the enhanced guidance that the SEC is really trying to emphasize in this go-around.”

Another aspect of the guidance relates to insider trading prohibitions. “What that really gets into is trying to enforce stricter rules, or having management put in place additional checks and balances, procedures and controls, to prevent key company executives that would be privy to any material nonpublic information in the context of cybersecurity to actually act and trade on securities using that information,” said Kumar. “Here the SEC is really enforcing that management should become aware of the material cybersecurity risks and incidents that have taken place internally within the organization. Correspondingly, they should evaluate the effectiveness of the code of ethics and the existing insider trading policies to really prevent and deter trading based on that sensitive information that the company executives have.”

Jeffrey Schaeffer, managing director of Deloitte Risk and Financial Advisory, sees the SEC guidance as especially timely and in line with recommendations from the New York Department of Financial Services. He and Kumar co-lead a Deloitte service offering based on the AICPA’s Cybersecurity Risk Management Reporting Framework, also known as SOC for Cybersecurity. “When you think about providing assurances specific to a company’s cybersecurity program and the related controls, we’re working with a number of clients to help them prepare for these future attestations,” he said.

Kumar noted the SEC guidance is not pushing CPA firms to provide independent attestation on the overall effectiveness of a company’s cybersecurity risk management program, processes and controls, but they can still help clients with such services. “I think the SEC guidance is more geared toward management disclosing fairly material cybersecurity risks and incidents they did become aware of,” he said. “What the SEC is really challenging here is what process has management gone through to get to the point where they have a full understanding and appreciation of their material cybersecurity risks and incidents. A key component of those disclosure controls would be conducting proactive risk assessments, understanding your company’s cybersecurity control framework, understanding the policies, procedures and controls in place, and management periodically evaluating the effectiveness of those controls. As part of their evaluation process, they can engage accounting firms to assist with that process. Under certain guidelines, under the appropriate independence rules and guidelines that currently exist today for CPA and accounting firms, and on a consulting basis, accounting firms can certainly provide advice and recommendations.”

If a CPA firm attests to a company’s cybersecurity, does that potentially expose the firm to liability in case there is a data breach after providing assurance?

“I think it’s very important for everyone in the marketplace to really understand what the SOC for cybersecurity is and what it isn’t,” said Kumar. “What this reporting framework does acknowledge is that any organization that operates in the cybersecurity space will experience one or more security events at any point in time, regardless of the maturity of the organization’s cybersecurity risk management program. That’s why this attestation reporting framework is really focused on reasonable assurance on the effectiveness of an entity’s cybersecurity risk management program and not absolute assurance. It does recognize that because of certain inherent limitations — whether it be engagement with vendors or business partners, inherent limitations with technology systems, or inherent limitations because you have hackers and activists out there that are constantly innovating to find new ways to break into an organization’s defenses — some of these preventative cybersecurity controls that an organization has within its risk management program could potentially break down from time to time. That’s why the framework also emphasizes evaluating the effectiveness of the company’s vigilant processes on how it actually detects cybersecurity breaches. In those incidences, once it detects a breach, how does it mitigate the risk and recover from those breaches in a timely fashion?”

The guidance clarifies previous guidance from the SEC on cybersecurity in 2011. “It emphasizes the need and importance for organizations to appropriately disclose their material cybersecurity risks and incidents,” said Kumar. “That’s why there is now an emphasis on the establishment of comprehensive policies and procedures, and also management going through a proactive process of evaluating the effectiveness of those policies and procedures so that you can disclose relevant information to investors, analysts and even the broad marketplace. When you look at the accounting profession, a lot of the Big Four firms have a multidisciplinary practice from a core competency perspective, which includes individuals with deep cybersecurity technical expertise, which is very important when evaluating these processes and controls. At the same time they also have the internal control experts who know how to evaluate controls under the professional attestation standards. When you start to think about accounting firms playing a role in terms of helping management evaluate the effectiveness of controls, it really will bring together a complementary multidisciplinary suite of core skill sets to the table to ensure that the right information is being evaluated and the appropriate relevant information is being communicated all the way up across all channels.”

Schaeffer sees similar guidance on cybersecurity coming from other sources besides the SEC and the AICPA, including the New York Department of Financial Services and the Society for Worldwide Interbank Financial Telecommunication. “There’s a real emphasis on the C-suite, the board and the audit committee, really taking it all the way up the ladder, and not just making this an IT issue or an information security issue,” he said. “That’s certainly one of the changes that we’re seeing over the last year or so.”
