The Division of Corporation Finance, a part of the Securities and Exchange Commission, issued guidance on disclosure obligations related to cybersecurity risks and incidents a few years ago. Public companies aren’t yet required to disclose this information to shareholders, but they could be at some point, says Brittany Teare, IT advisory manager at Weaver.
“Right now, this is guidance that is in the best interest for your shareholders, but that will likely change. It could become a requirement sooner rather than later,” she says.
Smart Business spoke with Teare about the guidance and how businesses can measure and guard against cyberrisks.
What are the SEC reporting requirements for cybersecurity under this guidance?
The guidance expands upon the existing requirements that public companies follow, but there’s no mandatory piece yet that results in a direct impact if a company doesn’t disclose information.
Basically, the guidance states that if cybersecurity risks and cyber incidents have a material effect on your shareholders — if it could affect how financial information is reported — you have to report them.
How do you know when cybersecurity risks materially impact your company?
The guidance addresses some possible risks and whether they should be voluntarily reported to shareholders. If you don’t have cybersecurity controls around your key financial systems, for example, then the way you record or report your data can be easily manipulated or altered. Even if a cyber breach has not yet occurred, it is very likely.
Cybersecurity is a gray area. Employers typically know that network and perimeter security, access and change controls should be in place, but executives may not consider disclosing vulnerabilities. CEOs and CFOs typically look at balance sheets and see line items for hardware and other things they can touch, but it can be challenging to consider the ways a breach can happen.
How would you advise CEOs to quantify data and see vulnerabilities?
First, designate a person or group of people to be responsible for cybersecurity. They should not only understand SEC requirements and where they are potentially heading, but also must identify specific risks.
There is a central entry point in any network, so key people need to know where the sensitive data is because if an attacker gets there, it could add up to a huge loss. If the company does not store much sensitive information, an attack could impact its reputation, which is more difficult to value.
Another challenge is improving communication from the CIO or IT manager. Often, IT will say, ‘We need X dollars for new equipment, applications and hardware that are going to help make our organization more secure.’ When management hears this number, which can be millions in larger organizations, they want to know the ROI. However, IT personnel typically struggle to quantify that.
A CIO needs to be able to tell other executives, ‘If this firewall, application or system is not installed, a breach would cost us X dollars, or the company could lose X dollars per day,’ for example. Not everything can be quantified, but this gives CIOs a starting point.
What will protect your data and reputation?
Some key, high-level steps to consider are:
• Take inventory of the data systems and gain an understanding of where critical data is located. Then, work to ensure that there is an appropriate amount of security in those areas.
• Use complex, strong passwords to protect the network, systems and data, and regularly change them. Have the system lock out users after a certain number of failed attempts and log all such activity.
• Heavily monitor networks and systems. Check who is logging in and from where, who is successfully entering and who is failing. Then, set a baseline to understand any abnormalities.
• Use the principle of least privilege, especially for critical accounts and functions. This ensures that no single employee has all access; rather, access is tailored to the job function.
There is more companies can do. But by implementing key, basic controls, if a breach occurs, the business can more easily identify what happened and how.
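The lockout, login-monitoring and baseline controls in the list above can be turned into concrete detection logic. The following Python is an added example, not code from the article or from Weaver: it parses a handful of constructed sshd-style authentication lines, flags accounts whose consecutive failures reach a lockout threshold, and compares per-source failure counts against a hypothetical baseline (both the log lines and the baseline values are made up for illustration).

```python
"""Added example (not from the article): the interview's advice on
lockouts, login monitoring and baselines as runnable detection logic."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an sshd-like format (not real data).
SAMPLE_LOG = """\
2024-03-04T08:01:10 sshd: Accepted password for alice from 10.0.0.5
2024-03-04T08:02:15 sshd: Failed password for bob from 10.0.0.7
2024-03-04T08:02:20 sshd: Failed password for bob from 10.0.0.7
2024-03-04T08:02:25 sshd: Failed password for bob from 10.0.0.7
2024-03-04T08:02:30 sshd: Failed password for bob from 10.0.0.7
2024-03-04T08:02:35 sshd: Failed password for bob from 10.0.0.7
2024-03-04T08:03:00 sshd: Accepted password for bob from 10.0.0.7
2024-03-04T08:04:00 sshd: Failed password for root from 203.0.113.9
2024-03-04T08:04:01 sshd: Failed password for admin from 203.0.113.9
2024-03-04T08:04:02 sshd: Failed password for test from 203.0.113.9
2024-03-04T08:05:00 sshd: Accepted password for carol from 10.0.0.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Yield one dict per parsable line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def lockout_candidates(events, threshold=5):
    """Accounts whose consecutive failures reach `threshold` before a success.

    This is the 'lock out after a certain number of failed attempts' control;
    a success for an account already past the threshold means the lockout
    was not enforced and deserves a look.
    """
    streak = Counter()
    locked = set()
    for ev in events:
        if ev["result"] == "Failed":
            streak[ev["user"]] += 1
            if streak[ev["user"]] >= threshold:
                locked.add(ev["user"])
        else:
            streak[ev["user"]] = 0
    return locked


def failure_summary(events):
    """Per-source (failure count, distinct accounts tried): the raw
    material for the 'who is failing and from where' check."""
    fails = Counter()
    users = defaultdict(set)
    for ev in events:
        if ev["result"] == "Failed":
            fails[ev["src"]] += 1
            users[ev["src"]].add(ev["user"])
    return {src: (fails[src], len(users[src])) for src in fails}


# Hypothetical baseline: typical failures per source over the window.
# A real baseline is derived from weeks of your own authentication logs.
BASELINE = {"10.0.0.7": 2, "10.0.0.5": 1, "10.0.0.8": 1}


def anomalies(summary, baseline, multiplier=2, max_users=2):
    """Flag sources absent from the baseline, exceeding it by `multiplier`,
    or failing against more than `max_users` distinct accounts."""
    flagged = {}
    for src, (fails, nusers) in summary.items():
        reasons = []
        if src not in baseline:
            reasons.append("unknown source")
        elif fails > multiplier * baseline[src]:
            reasons.append(f"{fails} failures vs baseline {baseline[src]}")
        if nusers > max_users:
            reasons.append(f"{nusers} distinct accounts")
        if reasons:
            flagged[src] = reasons
    return flagged


def analyze(text, baseline=BASELINE):
    """Run both checks over a log text and return the findings."""
    events = list(parse_log(text))
    return {
        "locked": lockout_candidates(events),
        "anomalies": anomalies(failure_summary(events), baseline),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("Lockout threshold reached:", sorted(report["locked"]))
    for src, reasons in report["anomalies"].items():
        print(f"{src}: {'; '.join(reasons)}")
```

On the constructed input the script reports that `bob` hit the five-failure threshold (and then logged in, so the lockout did not fire), that `10.0.0.7` failed well above its baseline, and that `203.0.113.9` is an unknown source trying several accounts. The thresholds and baseline are the parts a company tunes from its own history; the structure, parse, count, compare to baseline, is what the interview's advice amounts to in practice.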
Brittany Teare is IT advisory manager at Weaver. Reach her at (972) 448-9299 or firstname.lastname@example.org.
Insights Accounting is brought to you by Weaver
In August 2012, the Securities and Exchange Commission (SEC) issued a final rule regarding the conflict minerals disclosures mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Act). Public companies will be required to disclose whether they use conflict minerals such as tantalum, tin, tungsten and gold in their manufactured products — and whether the minerals originated from one of the “covered countries” defined by the Act.
“This rule could be very broad reaching, with the SEC estimating approximately 6,000 issuers will be required to provide new disclosures under the rule. Many private companies may also be impacted,” says Dale Jensen, partner-in-charge of Weaver’s SEC practice.
Smart Business spoke with Jensen about how to prepare for compliance.
Why do companies need to be concerned with supply chains now?
Hundreds of products contain conflict minerals, from cell phones and laptop computers to jewelry, golf clubs, drill bits and hearing aids. The SEC estimates that thousands of public companies will have to provide the new disclosures, and many private companies that are part of the impacted public companies’ supply chains may also be affected. Additionally, they estimate the initial compliance costs to be $3 to $4 billion, with subsequent costs of more than $200 million annually.
Who is impacted by this new rule?
Public companies, foreign private issuers, emerging growth companies and smaller companies must all comply. Packaging essential to the product’s function, such as a tin can, is also covered, but materials purchased or inventoried before Jan. 31, 2013, should be outside the rule’s scope.
Retailers are not required to report on products bought or resold, only manufactured or contracted to manufacture. When contracting, the retailer’s degree of influence determines compliance, though it doesn’t need to be substantial.
What’s involved with complying?
First, a company should determine whether any products it manufactures or contracts to be manufactured contain conflict minerals necessary to functionality or production. If the minerals are necessary, but they didn’t come from covered countries or are from scrap or recycled sources, the company’s inquiry method and conclusion has to be annually disclosed on SEC Form SD. This information must also be posted on the company’s website.
However, if there’s reason to believe the minerals originated from covered countries, their origin is unknown, or they may not be from scrap or recycled sources, the company must perform due diligence on the source and chain of custody of the minerals.
After due diligence, if the issuer determines that its conflict minerals are from a covered country and not from scrap or recycled sources, the company will be required to file a Conflict Minerals Report as an exhibit to Form SD. An independent audit of the Conflict Minerals Report is required. The SEC estimates that 75 percent of companies subject to the Act will need to develop a Conflict Minerals Report and have it audited.
What is the timing for compliance?
The first filing isn’t due until May 2014 for the 2013 calendar year, but complying may require substantial preparation for public companies. Companies will also need to file a new Form SD annually by May 31.
What are some next steps for companies?
Management must determine whether the new rule impacts the company, prepare cost estimates for compliance and put a plan in place. Companies should identify products that may contain conflict minerals as soon as possible, keeping in mind that they must comply even if the product contains only small traces of a mineral. Companies should be prepared to report results on a product-by-product basis. Finally, they should work with advisers to develop policies and procedures for supply chain vetting, filing Form SD, and if needed, conducting due diligence and preparing and auditing Conflict Minerals Reports.
Dale Jensen, CPA, CFE, is partner-in-charge, SEC Practice, at Weaver. Reach him at (972) 448-9283 or Dale.Jensen@WeaverLLP.com.