New cybersecurity disclosure rules from the Securities and Exchange Commission will require accountants to work with their clients to ensure they'll be ready for its implementation, whether that means simply reassessing current protocols or building out an entire security infrastructure.
The new rules, approved late last month (
The new rules also require entities to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including those from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Registrants are also required to describe the board of directors' oversight of risks from cybersecurity threats, and management's role and expertise in assessing and managing material risks from cybersecurity threats.
Donny Shimamoto, founder and managing director of accounting advisory firm Intraprise TechKnowlogies, noted that the SEC has had cybersecurity reporting requirements for years now, and characterized the new rules as an acceleration of the ones already there. This acceleration, he said, is likely in response to the rise in data breaches and other incidents.
"I see that as sort of a way of stemming some of that, and also recognizing that the cost of a breach is becoming incrementally more expensive as well. It's essentially forcing these companies to be more proactive in not having a breach and therefore not having those additional financial ramifications which could be material," he said.
Rachel DiDio, an advisory partner with Top 100 Firm PKF O'Connor Davies and a former inspector at the Public Company Accounting Oversight Board, raised a similar point, noting that the SEC has been interested in cybersecurity since at least 2011, when it first came out with guidance, and has remained active on the issue.
What the SEC is trying to do with these rules, she said, is to create consistency between companies by standardizing disclosures across the issuer population, which right now has a wide variety of practices and procedures in this area.
"The SEC brought something out in 2011… So I think for most companies this has been on their radar. We've got policies and procedures in place, but now that this rule is final, it will require them to say, 'Does it meet these requirements?' and take a fresh look at their risk management procedures and policies," she said.
In this respect, the new rules will force entities to have the kinds of conversations they have been trying to have in the first place. Risk management, she said, is a continuous process, but too many take a "set it and forget it" mindset that does not keep up with changing risk patterns.
Tom DeMayo, who leads the cybersecurity and privacy advisory group at PKF O'Connor Davies, said that what makes things different this time is the level of formality required. The company must now define the risk management program, which means identifying and assessing risks to determine what controls are appropriate. If a company has already been doing this through a formalized cybersecurity program, then great. But if not, that entity will have a lot of catching up to do.
"It will depend on where they are currently. There's a lot they can do with what they have, like firewalls and viruses, but it is more going to be the formality of it, the additional oversight of it, from the board and senior management. … I think it has been on the radar. You do have a lot of already established committees that take responsibility for the oversight component, so cyber has been on their mind, I just think it adds the specific expectation of formality," he said.
The four-day rule
One of the trickier provisions of the new rule is the requirement that companies report cybersecurity incidents no more than four days after determining the event was material.
Avani Desai, the CEO of Top 100 Firm Schellman and herself a cybersecurity and IT attest specialist, was blunt in saying that four days is "not a lot of time," given the amount of effort it can take to truly assess the impact of an incident. She said it is not a casual thing, necessarily, to determine the materiality of a cyber incident, given the multiple dimensions one must consider beyond fines and penalties, such as reputational damage or stock price dips. A big issue is that many companies lack the internal data to do a thorough assessment.
"The likelihood, the probability, is that we don't have any of that data. We don't have enough data to say what materiality is. I think this is going to be such a challenge for organizations out there [to] determine what the financial impact is going to be if it's not immediate. What's the time period going to be? And how will it affect us financially? We just don't know," she said.
Further, it is not going to be easy to determine when the four-day period actually begins, as the true nature of a breach may not be immediately apparent, with Desai noting that some malware can lie dormant for months.
"I think it's going to be very difficult in four days to clearly identify if you've had a true breach … . How do you know that someone has come into the system, and how do you know if they have stolen something, we don't know and four days may not be enough time for that. If it's a Saturday or a Friday, you may not have someone to come in and help identify if it is a true breach. I think that is going to be the biggest part," she said.
Because of this, she predicted companies will sometimes take longer to identify whether something has been a true incident so as to avoid starting the four-day countdown for as long as it takes to perform their due diligence.
DeMayo, the PKF O'Connor Davies cybersecurity leader, said he thought the four-day rule seemed "a little subjective" for when that countdown begins. Like Desai, he anticipated that people will try to control when the four-day timer begins, perhaps by dragging out materiality determinations. But he noted that the SEC likely is aware of this possibility and will probably assess the reasonability of these waiting periods.
"I think if the SEC or any prudential individual were to look at it, the question will be was it reasonable. Did they wait years to determine materiality where a lot of reporting went on before the disclosure came, or were they relatively timely with their response once it became clear they were going to have a material impact?" he said, adding that sometimes the reasonableness will be obvious. "If you're an e-commerce company and have transactions every second, but then you're down for days and days, this is a clear indicator it is material."
Dangerous disclosures?
Certain critics, such as the
Shimamoto, of Intraprise TechKnowlogies, called this an interesting position, but not one he agreed with. He noted that companies tend to lock down after a breach and be extra-cautious on security.
"I say the best time to do business is not immediately after but soon after they had a cyber breach because everyone has come in — forensics, regulators — and looked and usually have locked everything down and [are] in the best position they have ever been in terms of cybersecurity — if they made additional investments into things more proactive and preventative," he said.
DeMayo, the PKF O'Connor Davies cybersecurity leader, said the level of detail demanded by the SEC has actually decreased between the initial exposure draft and the final rule due to this very concern. He added that there are ways to make disclosures that comply with the final rules without increasing one's risk profile.
"It [is described] at a higher level. You won't sit there and disclose your technologies in play and the specific software. It will need to be specific enough so the stakeholder is comforted, but you also don't have to disclose where you will put yourself at risk," he said.
Schellman's Desai said it is possible to increase one's cyber risk through these disclosures if they are done improperly and if one is already vulnerable.
"If a company has been breached once, it can be breached again. They're looking for vulnerabilities within an organization, so if you come out and say, 'We don't have a strong cybersecurity policy and don't have any expertise,' I think that will increase your risk of vulnerabilities," she said.
But she added that companies do not need to necessarily do this. They can also give a more heuristic overview of their cybersecurity situation without increasing their cyber risk. She pointed to the controls frameworks from the National Institute of Standards and Technology as a good place to start.
Getting clients on board
While many things about this rule remain uncertain, one consistent prediction was that it will drive more demand for accounting services. Schellman's Desai said this potential is across the board. Clients will likely want to engage accountants to assess their cybersecurity program, which can include readiness evaluations, penetration testing or other services. She noted that companies will likely also want to engage accountants to make materiality assessments, especially those in the forensics field.
"I think there are definitely [potential] new services. If you have a public company client, you should be talking to them about this," she said.
DiDio, the PKF O'Connor Davies audit partner, made a similar prediction, saying that companies will need the guidance of their accountants to successfully navigate this new regulation.
"It will create interest because we have a specific rule with specific provisions which will trigger entities to take a step back and think of their risk assessment programs, their governance, how they are testing, how they are validating — which could trigger new business," she said.
Shimamoto, from Intraprise TechKnowlogies, though, noted that even if a client has covered every single base of this new rule, they cannot get complacent. Compliant does not mean safe.
"We say, 'Oh, people are in compliance.' When you look at these breaches, a lot of times they are in compliance but they're not following best practices and that gap needs to be discussed," he said.