United States: Center For Audit Quality Issues Tool For Board Oversight Of Cybersecurity Risk

Last Updated: April 19 2018
Article by Cydney Posner

The Center for Audit Quality has just issued Cybersecurity Risk Management Oversight: A Tool for Board Members. The tool offers questions that directors can ask of management and the auditors as part of their oversight of cybersecurity risks and disclosures. The questions are designed to initiate dialogue to clarify the role of the auditor in connection with cybersecurity risk assessment in the context of the audit of the financial statements and internal control over financial reporting (ICFR), and to help the board understand how the company is managing its cybersecurity risks.

The publication is organized in four parts and provides important and sometimes quite specific and detailed questions for audit committees and other board members with cybersecurity oversight responsibility to ask the auditors and management.

The first topic, Understanding how the financial statement auditor considers cybersecurity risk, is designed to help board members who have responsibility for cybersecurity risk oversight to understand the roles and responsibilities of the financial statement auditor related to cybersecurity risks. The CAQ suggests that these directors ask the auditor about how the auditor's approach to identifying and assessing financial statement and ICFR risks takes cybersecurity risks into account, how the auditor addresses cybersecurity risks identified in the audit process, why the ICFR audit does not address all of the company's enterprise-wide cybersecurity risks and controls, the impact of a cybersecurity breach on the auditor's assessment of ICFR and what the auditor's audit response would be to a cybersecurity breach that resulted in a potential material contingent liability.

In the second topic, Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures, the CAQ addresses the renewed focus of the SEC, particularly in the 2018 guidance, and others on cybersecurity disclosure in light of the increasing importance of cybersecurity and the increasing incidence of cyber threats and breaches. The CAQ notes in particular SEC Chair Jay Clayton's advice that Corp Fin will be monitoring cybersecurity disclosures as part of its selective filing reviews. In addition, in its guidance, the SEC advised companies to examine the adequacy of their disclosure controls and procedures with respect to cybersecurity. (See this Cooley Alert and this PubCo post.)

With regard to questions to management regarding cybersecurity disclosures, the CAQ focuses primarily on disclosure controls, including how management has considered cybersecurity risks in the company's ability to record, process, summarize and report on information required to be disclosed in its SEC filings; what disclosure controls and procedures are in place to facilitate accurate and timely cybersecurity disclosures; whether the design and operating effectiveness of the disclosure controls and procedures have been evaluated; how management is considering the SEC guidance with respect to risk factors, MD&A and financial statement disclosures; the processes and controls in place to help ensure that, in the event of a cyber breach, appropriate management and directors are involved in the review of the related disclosures; and whether the company's insider trading policies take into account material cyber incidents, including preventing insiders from trading prior to disclosure of the event.

SideBar

In its guidance, the SEC encourages companies to assess whether their disclosure controls and procedures are adequate to reasonably ensure that information about cybersecurity risks and incidents is reported to "appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications." The controls should also suffice to ensure that information is communicated to appropriate personnel to facilitate compliance with insider trading policies. In particular, the SEC advises, "[c]ontrols and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company's business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents." The SEC also notes that the required CEO and CFO certifications address effectiveness of disclosure controls and "should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company's ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective."

With regard to questions to the auditor regarding cybersecurity disclosures, the CAQ suggests asking what the auditor considers in connection with cybersecurity disclosures included in the Form 10-K or other documents that include the audited financial statements as compared to cybersecurity disclosures in other company documents; the nature of the auditor's responsibility with respect to the company's assessment of financial statement disclosures related to a material contingent liability for a cyber incident; and the nature of the auditor's responsibility if a material cyber incident is discovered after the balance sheet date but before the date of the auditor's report on the financial statements.

For the third topic, Understanding management's approach to cybersecurity risk management, the CAQ observes that, according to the SEC, "disclosures regarding a company's cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility." Note that the SEC guidance indicates that companies are required to disclose the extent of their boards' role in risk oversight, including how the board administers that function. If cybersecurity risks are material, the SEC believes that the board's role in oversight of that risk should be discussed, along with the company's cybersecurity risk management program and how the board engages with management on cybersecurity issues.

To better understand a company's cyber risk management program, the CAQ suggests asking management about the frameworks used both to design the program (e.g., NIST, ISO/IEC 27001/27002, SEC cybersecurity guidelines, AICPA Trust Services Criteria) and to communicate information about the program; the processes and programs in place to periodically evaluate the program and related controls; the cybersecurity policies, processes and controls in place to "detect, respond to, mitigate, and recover from—on a timely basis—cybersecurity events that are not prevented," and "to address the impact to the company of a cybersecurity breach at significant/relevant vendors and business partners with whom the company shares sensitive information," including risk identification and mitigation procedures; the controls in place to inform IT and management about a cybersecurity breach and to ensure other appropriate responses and communications; whether the company has conducted a cyber event simulation; whether the company has considered cyber insurance coverage; and whether the company has staff with appropriate skills to design and operate an effective cybersecurity risk management program.

In a sidebar, the CAQ discusses the 2017 NACD Director's Handbook on Cyber-Risk Oversight, which identifies five principles for boards in fulfilling their cyber risk oversight functions:

  1. "Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber risk as they relate to their company's specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
  4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  5. Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach."

The CAQ also attaches as Appendix A another series of questions from the NACD related to board cyber risk oversight. For a discussion of the views of SEC staff and Commissioners on the need to treat cybersecurity not simply as an IT problem, as noted in the first principle above, but also as a business risk, see this PubCo post.

In the fourth topic, Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management, the CAQ suggests a dialogue with audit firms about incremental offerings related to cybersecurity that CPA firms can provide, beyond the scope of a regular financial statement audit (which is usually focused only on IT risks that affect financial reporting). These might include how the AICPA's new cybersecurity risk management reporting framework could be used by management as a self-assessment tool or by the audit firm as an attestation service to evaluate management's description of its cybersecurity program or to determine the effectiveness of the company's controls within the program. In addition, directors may want to inquire about the factors to be considered before engaging a CPA firm (including the technical skills of the firm) to validate effectiveness of cybersecurity controls, the objectives of an examination of "SOC for Cybersecurity" (services that relate to assurance over system-level controls of a service organization and system- or entity-level controls of other organizations), efforts of the audit profession to help address third-party cybersecurity risks and other types of engagements that may be available to help board members with cybersecurity risk oversight.