
The SEC is changing the rules for SOX s302 certifications to include cyber risks

February 25, 2018

You may know that the SEC just published new guidance on the disclosures public companies are required to make about cybersecurity risks and incidents.

Here’s a report in the Journal of Accountancy.

But did you realize that the SOX s302 certification now has to address whether the company's disclosure controls and procedures are adequate to ensure that the proper cybersecurity disclosures are made?

Have a look at the SEC guidance.

Here is an extract; the key points concern disclosure controls and procedures and the CEO/CFO certifications:

Cybersecurity risk management policies and procedures are key elements of enterprisewide risk management, including as it relates to compliance with the federal securities laws. We encourage companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.

Pursuant to Exchange Act Rules 13a-15 and 15d-15, companies must maintain disclosure controls and procedures, and management must evaluate their effectiveness. These rules define “disclosure controls and procedures” as those controls and other procedures designed to ensure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is (1) “recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms,” and (2) “accumulated and communicated to the company’s management … as appropriate to allow timely decisions regarding required disclosure.”

A company’s disclosure controls and procedures should not be limited to disclosure specifically required, but should also ensure timely collection and evaluation of information potentially subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s businesses. Information also must be evaluated in the context of the disclosure requirement of Exchange Act Rule 12b-20. When designing and evaluating disclosure controls and procedures, companies should consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings. Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.

Exchange Act Rules 13a-14 and 15d-14 require a company’s principal executive officer and principal financial officer to make certifications regarding the design and effectiveness of disclosure controls and procedures, and Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F require companies to disclose conclusions on the effectiveness of disclosure controls and procedures. These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.

Are you ready for this?

Are your disclosure controls up to the task?

When your CEO and CFO sign the certifications, stating not only that all material information has been made known to them but also that they have assessed the company’s disclosure controls and found them sufficient, do they have a reasonable and defensible basis for those assertions?

Love to hear where you are on this.

James, April 13, 2018 at 1:31 PM

    So the SEC wants to know if I have a cybersecurity risk, but doesn’t want me to tell them, because then the bad guys will know how to break in. But they want to know if it’s going to affect the investing public. But they only want to know what I think they should know.

    The new guidance doesn’t go into enough specifics to be useful.

    Three predictions:
    1. Much-needed resources will be diverted from actually improving cybersecurity to the development of fancy-looking reports showing how effective the cybersecurity program is, with a footnote stating that effective cybersecurity is not possible.

    2. The Big 4 will have a new way to increase billable hours at the next “Here’s what we think the SEC wants” audit. Bonus: lots of control deficiencies for problems you are already aware of.

    3. The very cookie-cutter template of the cybersecurity risk section of your 10-K will start looking more doomsday-ish. “We’ve been forced to tell you since 2011 that cybersecurity is a big deal. However, the SEC is now asking us to tell you it’s REALLY big! ZOMG!!”

