Cybersecurity Risk Management Oversight

Cindy Fornelli is Executive Director, Catherine Ide is Managing Director of Professional Practice and Member Services, and Chris Alabi is a Professional Practice Fellow at the Center for Audit Quality. This post is based on a CAQ publication by Ms. Fornelli, Ms. Ide, and Mr. Alabi.

Companies are facing not only increasing cyber threats but also new laws and regulations for managing and reporting on data security and cybersecurity risks. Boards of directors face an enormous challenge: to oversee how their companies manage cybersecurity risk. As boards tackle this oversight challenge, they have a valuable resource in Certified Public Accountants (CPAs) and in the public company auditing profession.

CPAs bring to bear core values—including independence, objectivity, and skepticism—as well as deep expertise in providing independent assurance services in both the financial statement audit and a variety of other subject matters. CPA firms have played a role in assisting companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms. [1]

The questions are grouped under four key areas:

  1. Understanding how the financial statement auditor considers cybersecurity risk
  2. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures
  3. Understanding management’s approach to cybersecurity risk management
  4. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management

This post provides questions board members charged with cybersecurity risk oversight can use as they discuss cybersecurity risks and disclosures with management and CPA firms.

This post is not meant to provide an all-inclusive list of questions or to be seen as a checklist; rather, it provides examples of the types of questions board members may ask of management and the financial statement auditor. The dialogue that these questions spark can help clarify the financial statement auditor’s responsibility for cybersecurity risk considerations in the context of the financial statement audit and, if applicable, the audit of internal control over financial reporting (ICFR). This dialogue can be a way to help board members develop their understanding of how the company is managing its cybersecurity risks.

Additionally, this post may help board members with cybersecurity risk oversight learn more about other incremental offerings from CPA firms. One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). [2]

The framework enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place on a company’s initiatives. With this voluntary, market-driven framework, companies can also communicate pertinent information regarding their cybersecurity risk management efforts and educate stakeholders about the systems, processes, and controls that are in place to detect, prevent, and respond to breaches.

I. Understanding How the Financial Statement Auditor Considers Cybersecurity Risk

The Sarbanes-Oxley Act of 2002 (SOX) added a requirement, applicable to most public companies, that management annually assess the effectiveness of the company’s ICFR and report the results to the public. In addition, SOX requires the audit committees of most large public companies to engage independent auditors to audit the effectiveness of their company’s ICFR.

This post will outline how the financial statement auditor considers cybersecurity in two key contexts: (1) the audits of financial statements and, if applicable, ICFR; and (2) other disclosures. The following are questions that board members with cybersecurity risk oversight may use when discussing roles and responsibilities of the financial statement auditor related to cybersecurity risks.

Questions

  1. How does the financial statement auditor’s approach to identifying and assessing risks of material misstatement for the financial statement and ICFR audits consider certain cybersecurity risks?
  2. If, as part of understanding how the company uses information technology (IT) in the context of its financial statements and ICFR, the financial statement auditor identifies a cybersecurity risk, how does that risk get addressed in the audit process?
  3. Why don’t the financial statement auditor’s procedures on an ICFR audit address all of the company’s enterprise-wide cybersecurity risks and controls?
  4. What impact does a cybersecurity breach have on the financial statement auditor’s assessment of ICFR?
  5. In the event of a cybersecurity breach that results in a potential need for a contingent liability that could be material, what is the audit response of the financial statement auditor?

II. Understanding the Role of Management and Responsibilities of the Financial Statement Auditor Related to Cybersecurity Disclosures

In September 2017, Securities and Exchange Commission (SEC) Chairman Jay Clayton stated, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.” [3]

The SEC is focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Investor groups have also asked company boards to strive for transparency in reporting efforts to prevent and mitigate cyber threats. [4]

In 2011, the SEC’s Division of Corporation Finance (Division) issued disclosure guidance. Under that guidance, a company may determine it is necessary to disclose cybersecurity risks in various places throughout its Form 10-K (e.g., risk factors, management’s discussion and analysis [MD&A], legal proceedings, business description, and/or financial statements). [5] While the 2011 SEC staff guidance remains applicable, in February 2018, the SEC updated its disclosure guidance to reinforce and expand on the 2011 guidance. The new guidance addresses two topics not developed in 2011 guidance—namely, the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context. [6] In the 2018 guidance the SEC emphasized the importance of ensuring that periodic reports such as the Form 10-Q continue to provide timely and ongoing information on material cybersecurity risks and incidents. The SEC also emphasized that companies must maintain disclosure controls and procedures, and management must evaluate their effectiveness.

The SEC staff has communicated publicly that it intends to focus more on companies’ disclosures about cyber incidents and their cybersecurity programs. The following are questions that board members with cybersecurity risk oversight may use to clarify management’s role and the auditor’s responsibilities related to cybersecurity disclosures.

Questions

The Role of Management

  1. In complying with the current SEC guidance, how has management considered cybersecurity risks in its ability to record, process, summarize, and report on information required to be disclosed in its SEC filings?
  2. What disclosure controls and procedures are in place to help ensure that the disclosures comply with the SEC’s guidance regarding the importance of a company being able to make accurate and timely disclosures of material cyber events? [7]
  3. Have the design and operating effectiveness of the disclosure controls and procedures been evaluated to ensure they appropriately record, process, summarize, and report on information required to be disclosed in the company’s SEC filings?
  4. How is management considering the current SEC guidance with respect to cybersecurity on risk factors, MD&A, and financial statement disclosures?
  5. In the event of a cybersecurity breach, what processes and controls are in place to help ensure that appropriate levels of management and board members with cybersecurity risk oversight are involved in the review of the related disclosures, if appropriate?
  6. Has the company considered its insider trading policies in the event of a material cyber incident? Are appropriate policies and procedures in place to guard against company executives and other insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure?

Questions

The Role of the Financial Statement Auditor

  1. What does the financial statement auditor consider related to cybersecurity disclosures included in the Form 10-K or other documents that include the audited financial statements?
  2. How do those considerations differ when cybersecurity related information is included in another company document (e.g., a press release)?
  3. If the company had a material contingent liability for an actual cyber incident, what is the financial statement auditor’s responsibility with respect to the company’s assessment of any related financial statement disclosure(s)?
  4. What is the financial statement auditor’s responsibility if a cyber incident material to the financial statements is discovered after the balance sheet date but before the auditor’s report on the financial statements is issued?

III. Understanding Management’s Approach to Cybersecurity Risk Management

A company’s overall IT environment includes systems, networks, and related data that address not only financial reporting needs but also operational and compliance needs, all of which are susceptible to a cyber event. Consequently, C-suite executives and board members in a cybersecurity risk oversight role are increasing their oversight of management’s development, implementation and monitoring of a comprehensive enterprise-wide cybersecurity risk management program.

The SEC has stated that disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility.

The following are broader cybersecurity-related questions (i.e., not specific to financial reporting) that board members in their oversight roles can use to better understand a company’s cybersecurity risk management program.

In 2017, the National Association of Corporate Directors (NACD) updated its NACD Director’s Handbook on Cyber-Risk Oversight. The publication recommends strategies for bringing perspectives on cybersecurity matters into the boardroom, including “leveraging the board’s existing independent advisors, such as external auditors and outside counsel.” It also includes additional questions about cybersecurity (see appendix A of the complete publication) for the board to ask management, and it identifies five principles that boards should consider as they seek to enhance their oversight of cyber risks. [8]

  1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber risk as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
  4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  5. Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

Questions

  1. What framework, if any, does management use in designing a cybersecurity risk management program (e.g., NIST, ISO/IEC 27001/27002, SEC cybersecurity guidelines, AICPA Trust Services Criteria)?
  2. What framework, if any, does management use in communicating pertinent information about its cybersecurity management program?
  3. What processes and programs are in place to periodically evaluate the cybersecurity risk management program and related controls?
  4. What cybersecurity policies, processes, and controls are in place to detect, respond to, mitigate, and recover from—on a timely basis—cybersecurity events that are not prevented?
  5. In the event of a cybersecurity breach, what controls are in place to help ensure that the IT department and appropriate senior management (including board members charged with governance) are informed and engaged on a timely basis—and that other appropriate responses and communications take place?
  6. What policies, processes and controls are in place to address the impact to the company of a cybersecurity breach at significant/relevant vendors and business partners with whom the company shares sensitive information? Do those policies include risk identification and mitigation procedures?
  7. Has the company conducted a cyber event simulation as part of its approach to enterprise risk management?
  8. Has the company considered cost mitigation/risk transfer options in the form of cyber insurance coverage in the event of a cybersecurity breach?
  9. Does the company have adequate staff with appropriate skills to design and operate an effective cybersecurity risk management program?

IV. Understanding How CPA Firms Can Assist Boards of Directors in Their Oversight of Cybersecurity Risk Management

The issues and challenges of cybersecurity are evolving rapidly. Although cybersecurity risk management practices are typically beyond the scope of a typical financial statement audit, CPAs are in a strong position to play an important role in informing the advancement of these practices. The CPA profession’s commitment to continuous improvement, public service, and increased investor confidence has resulted in a greater focus on this area.

The questions below aim to foster a dialogue between auditors and those board members in a cybersecurity risk oversight role about identifying incremental offerings that CPA firms may provide to companies.

Questions

  1. Since the financial statement auditor’s focus is on IT risks that affect financial reporting, including disclosures and ICFR, what additional offerings can CPA firms with cybersecurity expertise provide to assist board members in executing their broader oversight responsibilities related to cybersecurity risks?
  2. The AICPA recently issued a cybersecurity risk management reporting framework. How can this framework be used as a self-assessment tool to help management or the auditor (via a readiness engagement) identify opportunities for improvement in the company’s cybersecurity risk management program?
  3. How is the AICPA cybersecurity risk management reporting framework used by auditors as part of an attestation service to evaluate management’s description of its cybersecurity risk management program and to determine whether controls within the program were effective to achieve the company’s cybersecurity objectives?
  4. What technical expertise do CPA firms possess that qualify them to perform a readiness engagement and/ or an examination to validate effectiveness of controls specific to a company’s cybersecurity risk management program?
  5. The SOC for Cybersecurity examination (see sidebar on page 6) cannot prevent or detect a cybersecurity threat or breach. Accordingly, what is the goal of the cybersecurity examination?
  6. What factors should be considered by the company and the CPA firm prior to engaging its financial statement auditors to perform the readiness assessment or examination for entities subject to SEC independence rules?
  7. What is the audit profession doing to help address cybersecurity risks from third party vendors or service providers?
  8. What other types of engagements are available to help board members with cybersecurity risk oversight?

Conclusion

With the increased focus by regulators and investors on cybersecurity risk management and disclosures, company management and board members in their oversight roles are making enterprise-wide cybersecurity risk management a priority. While not an exhaustive list, the questions in this post can help foster dialogue among board members responsible for cybersecurity risk oversight, company management, and auditors; they can also help clarify roles and responsibilities as well as actions that may be considered. This post also aims to provide information about how those charged with cybersecurity risk oversight can leverage existing independent advisors—such as CPA firms—to help fulfill their fiduciary responsibilities.

Information Sharing

Distinguishing Between SOC 2 Examinations and SOC for Cybersecurity Examinations

The term system and organization controls (SOC), as defined by the AICPA, refers to the suite of services CPA practitioners may provide that relate to assurance over system-level controls of a service organization and system- or entity-level controls of other organizations. The AICPA’s cybersecurity risk management examination discussed in this tool is also known as SOC for Cybersecurity.

A SOC 2—SOC for Service Organizations examination is a separate and distinct offering. It may be used, for example, to report on the effectiveness of controls within a specific system occurring at an organization that provides outsourcing  services to user entities.

To learn more about the difference between these two services, see the AICPA’s 2017 whitepaper: SOC 2® Examinations and SOC for Cybersecurity Examinations: Understanding the Key Distinctions. [9]

The complete publication, including Appendix, is available here.

Endnotes

1See Martin Whitworth, “Information Security Consulting Services, Q1 2016,” The Forrester Wave (January 2016).(go back)

2See AICPA, “SOC for Cybersecurity” web page.(go back)

3See SEC Chairman Jay Clayton, “Statement on Cybersecurity” (SEC, Washington DC, September 20, 2017).(go back)

4Council of Institutional Investors, “Prioritizing Cybersecurity: Five Investor Questions for Portfolio Company Boards” (April 2016).(go back)

5See “CF Disclosure Guidance: Topic No. 2” (SEC, Washington DC, October 13, 2011).(go back)

6See “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (SEC, Washington DC, February 20, 2018).(go back)

7See SEC, “Commission Statement,” 10-11: “In determining their disclosure obligations regarding cybersecurity risks and incidents, companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations. The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-US authorities.”(go back)

8See NACD, Director’s Handbook on Cyber-Risk Oversight, 2017 ed. (Washington, DC: NACD, 2017), 4. Used with permission from NACD.(go back)

9The white paper is available at the AICPA website.(go back)

Both comments and trackbacks are currently closed.