How Should an Organization Respond to a Cybersecurity Incident?
Once a security breach has been identified, companies should respond quickly to secure the impacted systems and fix any vulnerabilities while ensuring there are no other attacks in progress or vulnerabilities that could be exploited.
The Federal Trade Commission (FTC) outlines steps companies should take to respond to an incident in their online guide.
Once an incident has been deemed material, report it. The front-line IT team, officers, directors, and anyone else aware of a cybersecurity incident should report it prior to the offer and sale of securities.
This is to help those trading around the time the incident was discovered avoid an insider trading charge.
Senior management should disclose a material cybersecurity incident as soon as possible.
Who Should Be Told?
The front-line IT team should inform people in senior management responsible for deciding whether to make a public disclosure.
This could include members of the board and audit committee, the CEO, CFO, Chief Information Officer (CIO), and Chief Information Security Officer (CISO).
What Should Be Included in an SEC Cybersecurity Incident Disclosure?
Management should evaluate the significance associated with cyber-risks and incidents in their disclosures.
Cybersecurity disclosures should describe the following:
- The company’s judgments about materiality
- What senior management and the board knew and when they knew it
- How materiality was assessed in light of relevant facts
- Circumstances of the incident(s), including prior breaches
What Are Best Practices for Keeping Accurate Cybersecurity Disclosure Controls and Procedures?
Do your organization’s policies, procedures, and controls give senior management the information they need to assess materiality and disclosure implications, including remediation?
The SEC recommends that companies annually assess compliance with cybersecurity disclosure controls as part of the SOX 404(a) assessment.
Management should consider the following best practices:
- Assess whether IT general controls (ITGC) address the risk of failure to make necessary changes to programs or systems
- Ensure that relevant information about cybersecurity risks is processed and reported up the corporate ladder so senior management can make disclosure decisions and certifications
- Confirm IT risk assessment identifies cybersecurity risks and inventories the company’s sensitive data
- Describe the board’s oversight role with respect to cybersecurity risk management and assess cyber expertise
- Annually train the front-line IT team to understand materiality and communicate with the CEO, CFO, and board to avoid insider trading issues and inaccurate disclosures
The Role of an Internal or External Auditor
The auditor focuses on the IT risks impacting financial reporting. They assess the ITGCs’ design and operating effectiveness to ensure the effective operation of automated controls and the completeness and accuracy of key reports or information provided by the entity (IPE).
A cybersecurity incident could happen without being identified or disclosed to the audit engagement team. The auditor should assess the nature and extent of the breach, including what was stolen, altered, or destroyed. The auditor should also consider the effect of the breach on the company’s operations and its potential financial implications.
The auditor should assess whether the incident resulted from a deficiency in internal controls over financial reporting (ICFR), such as excessive user access, deficient change management controls, or an unpatched system, and whether remediation of any control breakdown has taken place.
The auditor should revise the risk assessment and document the relevant considerations of the cybersecurity incident on the audit.
The auditor should discuss with management and the audit committee the nature and type of disclosures the company is considering in its financial statements or notes to those statements. The auditor should also ensure the audit committee was adequately informed as soon as practical.
We’re Here to Help
For guidance on cybersecurity disclosure controls and procedures or SEC cybersecurity requirements, contact your Moss Adams professional.
You can also visit our IT Consulting Services for additional resources.