top of page

Cybersecurity difficulties: defense and disclosure

Cybersecurity threats continue to be a key worry for management and boards, as well as investors and other company stakeholders. The risk curve continues to rise as data breaches, ransomware, malware, and other threats increase.

As data breaches become more ubiquitous and threaten firm shutdowns, there is a pressing need for organizations and auditors to recognize and mitigate these risks.

In December, at the annual AICPA CIMA Conference on Current Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board developments, a panel of experts discussed the significance of cybersecurity risks, the response of management and boards, and the incorporation of proposed disclosure requirements into cyber-related responsibilities.

Charles Seets, principal, Americas assurance at EY, referred to cyber risk as "the risk of this decade."

"When you think about cyber, make sure you think of it as the risk that can shut you down," he advised. "It can stop [auditors] from auditing, it can stop [companies] from producing products or services, and it can shut the lights off if bad actors get into our networks."

Seets highlighted January celebrated the 40th anniversary of the internet's creation, but security is still trying to catch-up. There are an increasing number of digital applications that were never anticipated, creating a considerably bigger attack surface than originally anticipated.

Pedro Cordero, founder and principal of Hacking the Cyber Threat and a retired FBI specialist in cyber and counterterrorism, stated that breaches cost businesses an average of $9.5 million. This includes lost revenues and cash flows, increased costs, lost customers, lost network infrastructure, technology upgrades, loss of protected customer and staff data, and reputational risk.

There are three things he mentioned that keep him awake at night:

- Attacks against essential infrastructure.  The ransomware attack on Colonial Pipeline in May 2021 rendered its digital systems inoperable for days, preventing consumers and airlines on the East Coast from purchasing gas. It was deemed a threat to national security, but it might have been considerably worse if the oil-transporting pipeline's operational technology had been compromised.

- Lack of cyber experts. As of December 2022, there were 3.5 million cyber job opportunities worldwide, with 770,000 in the United States, according to a number quoted by Cordero. Consequently, businesses may need to cultivate and train talent organically.

- Increasing sophistication of cyberattacks that can remain undiscovered for an extended length of time. Russian hacker attacks on U.S. federal government agency servers are one example.

David Hirsch, chief of the Crypto Assets and Cyber Unit within the SEC's Division of Enforcement, advised businesses to determine a scale of cyber vulnerabilities and hazards they face. They are less likely to be overwhelmed by the magnitude of the issue if they narrow the scope of the analysis to specific potential business risks and experiences and then develop a program to address them.

Hirsch emphasized the significance of an enterprise-wide approach to cybersecurity, as opposed to a small number of technical experts making the decisions (and disclosures). Applying accountants' expertise of systems, access controls, and processes to cyber concepts might be beneficial.

Cordero recommended businesses to implement a comprehensive cyber risk management program that encompasses data, including cloud usage, networks, and operational technologies. Each area must have distinct "intrusion vectors." Using internal auditors to evaluate cyber risk management programs and provide additional reporting verification, he advised management to implement a "trust-but-verify" function in regards to what their chief information officer or third-party cybersecurity vendors are reporting, and to use internal auditors to assess cyber risk management programs.

In order to fulfill their oversight responsibilities for cyber risk management, boards and executive management must develop cybersecurity competence, especially in light of forthcoming laws. Cordero suggested fundamental cyber leadership training for executives and business unit teams, monthly cyber training for professional staff, and ongoing security awareness training throughout the year for all employees. In addition, he urged that businesses do an annual audit of their cyber risk management systems and allocate the necessary funds to rectify any gaps.

KPMG noted in a recent report that technology, media, and telecommunications companies are preparing for an increase in cyberattacks in the coming year because they are particularly susceptible to losses (e.g., intellectual property, customer records, networks, reputation, and profits) and are already under intense public scrutiny. The research identifies the following activities boards can take to prevent cyber threats:

- Monitor management's cybersecurity preparedness, including the identification of risks and opportunities, the implementation of dashboard reporting, and the evaluation of personnel.

- Keep an eye on regulatory actions and place a greater emphasis on new financial reporting requirements and audit committee monitoring, as well as identifying who inside the organization will oversee compliance.

- Assess all potential data security vulnerabilities. Recognize that cybersecurity falls under data governance and data ethics.

Existing SEC regulations compel corporations that experience a cyber incident to disclose the financial implications and anticipated future effects in a timely manner. In March 2022, the agency proposed revised rules mandating greater standard cybersecurity disclosures for all public companies, including the notification of material incidents within four business days of their occurrence. The suggested regulations are still being reviewed.

The purpose of the plan, according to Hirsch, is to standardize the comprehensive disclosure of cyber incidents. The SEC predicts that corporations will be less hesitant to disclose information when others in their field, including competitors, disclose information more frequently.

The proposed guidelines stress materiality, yet materialitydepends on specific circumstances.

Hirsch stated, "Quantitative disclosure is appealing because we like to measure things." Companies must consider both quantitative and qualitative disclosures, including the direct impact and scale of a cyber attack as well as their connection. He used the illustration of the theft of a single company laptop not being quantitatively significant, unless the laptop belonged to the chief executive officer, the holder of a firm patent, or had the private key to the company's crypto assets.

Investors want accurate and timely disclosures to accurately price risks within and across industries. Investors must be able to assess the risks and the organization's readiness to respond to a cyber incident based on the level of detail provided by companies.

Hirsch highlighted a 2021 SEC case in which the agency punished an educational software corporation that was reportedly aware of a data breach including the loss of millions of student records containing protected personal information. The corporation reportedly disclosed the incident as if it were hypothetical and implied it had in place processes that were not in place.

It is essential to establish an enterprise-wide approach so that those making disclosures are aware of the risk profile and strategic events of the organization. Companies must exercise caution when disclosing sensitive customer or vendor information or revealing company strengths and shortcomings connected to cybersecurity preparedness, as doing so can make them more exposed.

Hirsch stated, "there is some internal tension with enforcement related to cybersecurity events." He highlighted that authorities are responsible to safeguard investors and ensure cyber events are revealed to the public for market protection, but there is a risk of "revictimizing the entity that just suffered a significant impact of an attack."



bottom of page