The Division of Corporation Finance, a part of the Securities and Exchange Commission, issued guidance on disclosure obligations related to cybersecurity risks and incidents a few years ago. Public companies aren’t yet required to disclose this information to shareholders, but they could be at some point, says Brittany Teare, IT advisory manager at Weaver.
“Right now, this is guidance that is in the best interest for your shareholders, but that will likely change. It could become a requirement sooner rather than later,” she says.
Smart Business spoke with Teare about the guidance and how businesses can measure and guard against cyberrisks.
What are the SEC reporting requirements for cybersecurity under this guidance?
The guidance expands upon the existing requirements that public companies follow, but there’s no mandatory piece yet that results in a direct impact if a company doesn’t disclose information.
Basically, the guidance states that if cybersecurity risks and cyber incidents have a material effect on your shareholders — if it could affect how financial information is reported — you have to report them.
How do you know when cybersecurity risks materially impact your company?
The guidance addresses some possible risks and whether they should be voluntarily reported to shareholders. If you don’t have cybersecurity controls around your key financial systems, for example, then the way you record or report your data can be easily manipulated or altered. Even if a cyber breach has not yet occurred, it is very likely.
Cybersecurity is a gray area. Employers typically know that network and perimeter security, access and change controls should be in place, but executives may not consider disclosing vulnerabilities. CEOs and CFOs typically look at balance sheets and see line items for hardware and other things they can touch, but it can be challenging to consider the ways a breach can happen.
How would you advise CEOs to quantify data and see vulnerabilities?
First, designate a person or group of people to be responsible for cybersecurity. They should not only understand SEC requirements and where they are potentially heading, but also must identify specific risks.
There is a central entry point in any network, so key people need to know where the sensitive data is because if an attacker gets there, it could add up to a huge loss. If the company does not store much sensitive information, an attack could impact its reputation, which is more difficult to value.
Another challenge is improving communication from the CIO or IT manager. Often, IT will say, ‘We need X dollars for new equipment, applications and hardware that are going to help make our organization more secure.’ When management hears this number, which can be millions in larger organizations, they want to know the ROI. However, IT personnel typically struggle to quantify that.
A CIO needs to be able to tell other executives, ‘If this firewall, application or system is not installed, a breach would cost us X dollars, or the company could lose X dollars per day,’ for example. Not everything can be quantified, but this gives CIOs a starting point.
What will protect your data and reputation?
Some key, high-level steps to consider are:
• Take inventory of the data systems and gain an understanding of where critical data is located. Then, work to ensure that there is an appropriate amount of security in those areas.
• Use complex, strong passwords to protect the network, systems and data, and regularly change them. Have the system lock out users after a certain number of failed attempts and log all such activity.
• Heavily monitor networks and systems. Check who is logging in and from where, who is successfully entering and who is failing. Then, set a baseline to understand any abnormalities.
• Use the principle of least privilege, especially for critical accounts and functions. This ensures that no single employee has all access; rather, access is tailored to the job function.
There is more companies can do. But by implementing key, basic controls, if a breach occurs, the business can more easily identify what happened and how.
Brittany Teare is IT advisory manager at Weaver. Reach her at (972) 448-9299 or email@example.com.
Website: More information about the SEC guidance.
Insights Accounting is brought to you by Weaver