New Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules (Final Rules) adopted by the U.S. Securities and Exchange Commission (SEC) become effective Sept. 5, 2023.
Cybersecurity is CONFUSING!
Firms’ Responsibility: “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”
In other words, a cybersecurity incident must be disclosed wherever staying silent would make the firm’s other disclosures MISLEADING.
The audit function must ask: what is the AUDITOR’S ROLE?
SEC’s New Rules:
Public companies should immediately review their disclosure controls and procedures.
Prepare procedures and processes to ensure that cybersecurity incidents are promptly reported to the personnel responsible for materiality and disclosure decisions.
The SEC has issued amendments requiring current disclosure (on Form 8-K) of material cybersecurity incidents.
JOBS & $$$
SEC’s New Rules:
The SEC now requires periodic disclosures (in the annual report) on:
the registrant’s processes for assessing, identifying, and managing material risks from cybersecurity threats;
management’s role in assessing and managing those risks, and the board of directors’ oversight of risks from cybersecurity threats.
What does it all mean? JOBS and $$$ for accountants.
Internal Reporting vs. External Disclosure
External disclosure must be based on INTERNAL REPORTING: a firm cannot disclose an incident that never reached the people who decide on disclosure.
Internal reporting requires a defined reporting path for cybersecurity incidents, from whoever detects an incident up to those who decide on materiality and disclosure.
Ad-hoc (low-maturity) firms usually have no clear policy on how cybersecurity incidents should be reported within the firm.
Other issues:
Fear of reprimand (staff hide incidents they caused or missed)
Lack of a reporting path
Lack of understanding (staff do not recognize an event as an incident)
“So what?” (the incident is noticed but not judged worth escalating)
Disclosure Items
Externally Motivated Internal Reporting
External disclosure requirements can:
motivate firms to strengthen their internal reporting structures;
give the internal audit function a mandate to audit the disclosure items;
motivate the board of directors to investigate cybersecurity risks and incidents;
enhance internal reporting efficiency, because “must be filed within X business days” forces a defined escalation path and timeline;
*** However, deadline pressure can also lead to hasty or false representation of facts;
encourage management involvement in cybersecurity issues.
Externally Motivated Internal Reporting Items
Risk Management and Strategy (Regulation S-K Item 106(b))
Cybersecurity risk assessment
Threat identification (what is at risk, and from what)
Potential impact, and its likelihood, on business strategy, results of operations, and financial condition
Governance (Regulation S-K Item 106(c); Form 20-F for foreign private issuers)
Board’s responsibility: oversight of risk management
The board must provide oversight of risks from cybersecurity threats.
Define and describe MANAGEMENT’s role in assessing and managing material risks from cybersecurity threats.
Material Cybersecurity Incidents (Form 8-K, Item 1.05)
Must disclose ANY cybersecurity incident that is determined to be material.
Describe its nature, scope, and timing.
Describe its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations.
Must be filed within four business days after the registrant determines the incident is material (the clock starts at the materiality determination, not at discovery, and that determination must be made without unreasonable delay).
(Can be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.)
Must amend the Form 8-K when required information that was not determined, or was unavailable, at the time of the initial filing becomes available.
Form 6-K: foreign private issuers must furnish information on material cybersecurity incidents that they disclose or otherwise publicize in a FOREIGN JURISDICTION, to a stock exchange, or to security holders.
Your Research Note:
Prepare it from the internal audit perspective (as motivated by the external requirements).
Focus on the following items:
Board responsibility (what should the board do?)
Risk management (what is at risk? what are the potential impacts of future incidents? what are the risk-handling strategies?)
Management involvement (what should management do? the CIO? the CISO?)
Reporting structure
Cybersecurity awareness
Incident response preparation
Preparing for the Final Draft.
On 11/14, individual workshop consultation is available.
A short workshop on preparing your outline will be available.
Research Note #4 (due on the first presentation date) should include:
Cover page of your report
Outline of your final report (main headings, sub-headings)
Your research notes #1, #2, and #3, cleaned up and organized into that outline.
Final Report is DUE on 12/12!