As companies turn to digital technologies for business solutions, the risk of a security breach continues to rise. For the last 11 years, the security of information technology and data has been rated as a top technology initiative in surveys conducted and published by the AICPA. In addition to concerns about the loss of data and sensitive information, the AICPA surveys identify controls for mobile devices and cloud computing as ongoing concerns.
In the fall of 2011, the SEC issued enhanced financial statement disclosure guidance that has led to a higher level of cybersecurity awareness, monitoring, and scrutiny by SEC registrants ("CF Disclosure Guidance: Topic 2," Oct. 13, 2011). The guidance, issued by the SEC'sDivision of Corporation Finance, is in response to more frequent and severe cybersecurity incidents experienced by SEC registrants. The required new disclosure obligations focus on cybersecurity risks and actual cyber attack incidents.
Nature of Cyber Attacks
The SEC guidance states that cyber attacks can be deliberate or can result from unintended events, and they can be carried out by outside hackers or by internal agents (e.g., employees, contractors, vendors). Attacks can be executed in a variety of ways to achieve different objectives. Examples of specific attacks mentioned by riie SEC include-
* unauthorized access to sensitive data;
* industrial espionage;
* sabotage of hardware and software;
* infection of hardware and software with malicious software;
* theft of computer time and other denial of service attacks; and
* theft of mobile devices, such as laptops, notebooks, and cell phones.
Specific SEC Disclosures
The SEC guidance is consistent with other disclosure requirements mandated by federal securities laws associated with any significant business risk. But the risks associated with cybersecurity go beyond generic risks that could apply to all SEC registrants. The new guidance suggests disclosures should focus on the unique facts and circumstances related to specific, material cybersecurity risk factors. For example, SEC financial statement disclosure obligations can arise from the following:
* Cybersecurity risks and costs associated with a registrant's operations
* Cybersecurity risks arising from outsourcing activities
* Cybersecurity incidents that have occurred during the past year and that are individually or collectively material in nature
* Cybersecurity risks that may go undetected for an extended period
* Cybersecurity risks that give rise to relevant insurance coverage.
In addition to these potential risks, actual cyber attacks should be disclosed as to the nature, occurrence, and the potential cost of the attack, as well as the related consequences of the attack. Disclosing information about prior attacks can often help users understand the risk the company is facing and how the company is remediating past security breaches.
Potential and actual cyber attacks present unique risks and costs to companies. Costs for actual security breaches can often be determined, but costs of potential breaches are very difficult to estimate. The SEC offered guidance on costs that should be considered, indicating that cyber attacks can expose companies to the following:
* Remedial costs associated with a loss of data and information and the loss of business after an attack
* Costs of cybersecurity
* Loss of revenues due to a loss of data or customers
* Regulatory fines
* Litigation costs
* Reputational damage that can lead to loss of customers and reduced investor confidence.
The SEC disclosure guidance acknowledges that registrants have been devoting additional resources to cybersecurity. These include hiring additional IT security personnel, training existing internal agents, upgrading IT hardware and software, and hiring IT security consultants.
Read full article at:
