Now that the Securities and Exchange Commission (SEC) has adopted rules on cybersecurity risk management, strategy, governance, and incident disclosure, accountants are preparing for their implementation, Accounting Today reported.
The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant, according to the SEC. The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. The rules also require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
Donny Shimamoto, founder and managing director of accounting advisory firm Intraprise TechKnowlogies, and Rachel DiDio, an advisory partner with PKF O'Connor Davies and a former inspector at the Public Company Accounting Oversight Board (PCAOB), both noted that the SEC has had cybersecurity reporting requirements since at least 2011. The new rules are likely in response to the rise in data breaches and other incidents.
The rules are “essentially forcing these companies to be more proactive in not having a breach and therefore not having those additional financial ramifications which could be material," Shimamoto told Accounting Today. “We've got policies and procedures in place, but now that this rule is final, it will require them to say, 'Does it meet these requirements?' and take a fresh look at their risk management procedures and policies," said DiDio.
Tom DeMayo, who leads the cybersecurity and privacy advisory group at PKF O'Connor Davies, told Accounting Today that the difference now is the level of formality required. The company must now define the risk management program, which means identifying and assessing risks to determine what controls are appropriate, he said. But some companies may not have a formalized cybersecurity program already in place.
"It will depend on where they are currently. There's a lot they can do with what they have, like firewalls and viruses, but it is more going to be the formality of it, the additional oversight of it, from the board and senior management,” he said. “You do have a lot of already established committees that take responsibility for the oversight component, so cyber has been on their mind, I just think it adds the specific expectation of formality."
One provision of the new rule requires companies to file the Item 1.05 Form 8-K within four business days of determining that a cybersecurity incident is material. The clock starts at the materiality determination, not at discovery of the incident, though the rule also requires that determination to be made without unreasonable delay after discovery.
Avani Desai, the CEO of Schellman and a cybersecurity and IT attest specialist, told Accounting Today that four days is "not a lot of time," given how much effort it can take to properly assess the impact of an incident.
"I think it's going to be very difficult in four days to clearly identify if you've had a true breach. … How do you know that someone has come into the system, and how do you know if they have stolen something; we don't know and four days may not be enough time for that. If it's a Saturday or a Friday, you may not have someone to come in and help identify if it is a true breach. I think that is going to be the biggest part," she said.
DeMayo, for his part, said the four-day rule seemed "a little subjective" about when that countdown begins.
Last year, after the final rule was adopted, the American Bankers Association and other associations raised concerns that the rule could potentially harm investors by prematurely publicizing a company’s vulnerabilities.
The level of detail demanded by the SEC has actually decreased between the initial exposure draft and the final rule due to this very concern, DeMayo told Accounting Today. He added that there are ways to make disclosures that comply with the final rules without increasing one's risk profile.
One consistent prediction among the sources interviewed was that the rule will drive more demand for accounting services.
"I think there are definitely [potential] new services. If you have a public company client, you should be talking to them about this," said Desai.
"It will create interest because we have a specific rule with specific provisions which will trigger entities to take a step back and think of their risk assessment programs, their governance, how they are testing, how they are validating—which could trigger new business," said DiDio.
Compliance with the rule does not mean a company is secure, Shimamoto warned.
“When you look at these breaches, a lot of times they are in compliance, but they're not following best practices, and that gap needs to be discussed,” he said.
To learn more about cybersecurity issues, attend the Foundation for Accounting Education's Cybersecurity 101 for CPAs Webinar on Oct. 27.