The Division of Corporation Finance, a part of the Securities and Exchange Commission, has issued guidance on disclosure obligations related to cyber security risks and incidents. And although public companies aren’t yet required to disclose this information to shareholders, it’s just a matter of time, says Brittany Teare, IT advisory manager with Weaver.
“Right now, this is just guidance in the best interest for your shareholders, but that will likely change. It could become a requirement, probably sooner rather than later,” says Teare.
Just as the Senate headed for its August recess, efforts were made to pass cyber legislation. Although the bill didn’t pass, more regulation surrounding cyber risks and security is certainly coming.
Smart Business spoke with Teare about what the guidance entails and how businesses can measure and guard against cyber risks.
Have the SEC reporting requirements for cyber security changed with this guidance?
The new guidance takes the existing requirements that public companies follow and expands upon them. There’s no mandatory piece yet that results in a direct impact on a company if it doesn’t disclose information on cyber incidents.
Basically, the guidance states that if cyber security risks and cyber incidents have a material effect on your shareholders — if it could affect how financial information is reported — you have to report them.
How can you tell when cyber security risks are going to materially impact your company?
The guidance addresses some of the possible risks and whether they should be voluntarily reported to shareholders. If you don’t have cyber security controls around your key financial systems, for example, then the way you record or report your data can be easily manipulated or altered. Even if a cyber breach has not yet occurred, it is very likely.
Cyber security itself is a gray area. Employers typically know that network and perimeter security, access and change controls should be in place, but executives may not consider disclosing vulnerabilities. CEOs and CFOs are used to looking at the balance sheet and seeing line items for hardware and other things they can touch. It can be challenging to consider the likelihood and risk that the organization could be breached and the ways it could happen. Addressing weaknesses is something that companies need to continue to do.
What is your advice to CEOs about quantifying data and seeing vulnerabilities?
A starting point is to designate a person or group of people responsible for cyber security. These people should not only understand where the SEC is at and where requirements are potentially heading with this guidance, but should also identify risks to the specific organization.
There is a central entry point in any network, but key people need to know where an attacker will head and what the most sensitive data is. If an attacker can get to the most sensitive data in a network, this could add up to a huge loss. If the company does not store much of this type of information, then an attack could involve a company’s reputation, which is much more difficult to value.
Another challenge is improving communication from the CIO or IT manager. Often, IT will say, ‘We need X dollars for new equipment, applications and hardware that are going to help make our organization more secure.’ It’s usually a considerable amount of money and can be millions of dollars in larger organizations. When management hears that number, they want to know what the return on that investment is going to be. IT typically struggles with quantifying that return.
A CIO needs to be able to tell other executives, ‘If this firewall, application or system is not installed, a breach would cost us X dollars, or the company could lose X dollars per day,’ for example. Not everything can be quantified, such as a company’s reputation, but this gives CIOs a place to start.
Is cyber security a big factor for investors?
Yes, and it is becoming more so as the public realizes the prevalence of cyber attacks. Shareholders and employers alike are justifiably concerned about this because some of the most secure companies in the world have been breached in the recent past. For example, RSA, which provides security management solutions such as strong two-factor authentication for many well-known organizations, was recently breached. If a large company that specializes in security can be breached, then small and mid-market businesses are susceptible.
What are some steps businesses should take to protect their data and reputation?
There are some key, high-level steps that companies should consider:
- Take inventory of the data systems and gain an understanding of where critical data is located. Then, work to ensure that there is an appropriate amount of security on those areas.
- Use complex, strong passwords to help protect the network, systems and data, and regularly change them. Have the system lock out users after a certain number of failed attempts and log all such activity.
- Most important, heavily monitor the networks and all systems. Check who is logging in and from where, who is successfully entering and who is failing. Then set a baseline to understand any abnormalities.
- Use the principle of least privilege, especially for critical accounts and functions. This ensures that no single employee has all access; instead, access is tailored to the job function. If there is a breach, it prevents those accounts from being abused for something they shouldn’t be used for in the first place.
These simple steps are often overlooked by many companies. There is much more that companies can do, but first take small steps to implement key, basic controls. Then, if a breach occurs, the business can more easily identify what and how it happened.
Brittany Teare is an IT advisory manager with Weaver. Reach her at (972) 448-9299 or [email protected].
Insights Accounting is brought to you by Weaver
