Cyber and SOX
In addition to the training I lead on SOX, I also mentor a few individuals and their organizations. One called to tell me that their external auditor had insisted that they upgrade their SOX scope to include far more on cybersecurity.
He had previously attended my class and knew to push back, requiring the auditor to explain why this was necessary since the company’s assessment (agreed by the auditor in prior years) was that the risk of a material error or omission from a breach was less than reasonably possible.
The auditor said that it was a requirement from the PCAOB!
Now I was 99% certain this was incorrect, so I had the caller tell the auditor to show him where the PCAOB had made this requirement.
The auditor gave him a link to an announcement by the PCAOB that they were going to host a roundtable on cyber!
The company was able to persuade the auditor that nothing had changed. The risk assessment they had performed was adequate and no change in scope was required.
That is the key: you only need to include controls in scope to address the risk of a material error or omission in the filed financial statements.
While cyber is a serious risk to the business, it is unusual for it to be a significant risk to the integrity of the filed financial statements.
In the SOX context, ‘significant’ means that there is at least a reasonable possibility of a material misstatement.
In almost every case, business controls would detect such a misstatement – and hackers don’t usually try to change your financials!
But there is more to the issue of cyber and SOX.
That more is not well understood by a lot of people.
Take an article by Will Cryer of AuditBoard. Will may be a former IT auditor with EY, but his piece, What is SOX Cybersecurity Compliance, reflects an imperfect appreciation of the regulations.
Let’s start with his opening paragraph:
When most people think of the Sarbanes-Oxley (SOX) Act, they think of protecting investors from fraudulent financial reporting with accounting and finance controls. With the increasing role of technology today, the risks to financial reporting posed by cybersecurity threats are greater than ever. According to the latest FBI Internet Crime Report for 2020, $4.2B in losses were reported in 2020 (up from $1.4B in 2017). The latest Gartner Hot Spots report lists cyber vulnerabilities as one of the most critical risk areas for auditors to address.
- SOX §404 (the section of the Act dealing with the system of internal control over the integrity of the filed financial statements) is about more than fraud. If it was only about fraud, we could cut back the scope of the SOX program significantly. No, it is about filing financial statements free from material error of any kind.
- Even if there has been a massive loss, the financial statements are typically correct. They reflect that loss. Therefore, there is no SOX §404 issue.
- Where there is a significant risk of loss, that is an operational business rather than a §404 issue and certainly merits attention – but first you need to perform an objective risk assessment in coordination with business leaders to determine the level of risk and what actions are necessary to reduce it to acceptable levels.
The main point that merits our attention is when the article says:
SOX cybersecurity compliance generally refers to a public company implementing strong internal control processes over the IT infrastructure and applications that house the financial information that flows into its financial reports in order to enable them to make timely disclosures to the public if a breach were to occur.
The “timely disclosures to the public if a breach were to occur” are an issue under a separate section of SOX: §302.
The AuditBoard piece excerpts from an excellent publication by the staff of the SEC (notably, not the PCAOB) that they describe as “interpretive guidance”.
I strongly recommend reading their Commission Statement and Guidance on Public Company Cybersecurity Disclosures and leaving the rest of the AuditBoard piece behind us.
The SEC and its staff are concerned with the timeliness and quality of information provided to investors and others that rely on the reports filed with them. They say:
Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.
In this case, ‘material’ means that the information might influence the decisions of the reasonable investor. As the SEC says:
The Commission considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.
Note that this refers not only to the timely disclosure of breaches and their effects, but also of the presence of the risk of material incidents. The SEC guidance continues, later, with a section on Risk Factors. (By the way, at some point the SEC should explicitly require companies not only to disclose the presence of a risk, but to provide some indication of the potential magnitudes and likelihoods of incidents. This is generally not revealed in the Risk Factors section of a company’s filings.)
The SEC refers to the requirements of §302 of the Sarbanes-Oxley Act when it says:
Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.
Section 302 requires that the organization’s CEO and CFO certify, as part of the quarterly and annual reports, that they have adequate disclosure controls: the controls relied upon to ensure that all the required disclosures are made. Disclosure controls include but are not limited to the system of internal control over financial reporting (those required by §404).
Notably, the SEC also explains that it is concerned about directors and officers (and others, as explained in the guidance) trading in the company’s securities with knowledge of material breaches that have not been disclosed:
Additionally, directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company. Public companies should have policies and procedures in place to (1) guard against directors, officers, and other corporate insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident, and (2) help ensure that the company makes timely disclosure of any related material nonpublic information. In addition, we believe that companies are well served by considering the ramifications of directors, officers, and other corporate insiders trading in advance of disclosures regarding cyber incidents that prove to be material.
Cybersecurity is top-of-mind for many, but it needs to be understood before racing to fund it:
- The pressing issue is the potential business impact. There should be an objective risk assessment of how a breach could affect the business and the likelihood that it could be significant.
- The risk assessment should be made by the business and CIO/CISO in partnership, not just by the CISO.
- The level of risk should be evaluated and communicated in terms of the business impact, not in terms of the so-called ‘risk to information assets’.
- The level of risk is a range and not a point: a range of potential impacts, each with its own likelihood.
- There should be controls that provide reasonable assurance that breaches that have, singly or in combination, a material impact on operations are brought to the attention of top management and the board promptly, and then quickly disclosed to investors and other interested parties.
- There should also be controls that ensure that when there is at least a reasonable possibility of a material breach, that risk is communicated (in business terms) to top management and the board and then to investors, et al.
- Controls are required to ensure that trades are not made by insiders with material non-public information about material breaches or the potential for material breaches.
- When it comes to SOX and internal control over financial reporting, include in scope those controls that are relied upon to prevent or detect a material error or omission in the filed financial statements due to a breach or combination of breaches.
I am hopeful that this obsession with cyber by individuals and organizations (consultants and vendors, for the most part) that don’t understand it will fade in time.
What do you think?
I agree. If we have adequate controls over cyber to mitigate the risk of material error that is caused by a breach, we should be fine. Cyber is a security issue and not a SOX issue.
In a 2018 press release, the SEC recommended that public companies consider cyber-related threats and fraud risk from an internal accounting controls standpoint, in addition to implementing strong internal control processes over IT processes, due to some phishing scams and the pervasiveness of cyber frauds. It does have an element of SOX to be considered.
https://www.sec.gov/news/press-release/2018-236
George, sorry but no. These are internal controls that affect business objectives but are rarely needed to ensure that filed financial statements are free from material error.
Thanks for the clarity, Norman.
Thank you for this clarity, Norman. On a similar note, would you say cyber security is just one dimension of GRC (in particular IT GRC)?