The Center for Audit Quality has just issued Cybersecurity Risk Management Oversight: A Tool for Board Members. The tool offers questions that directors can ask of management and the auditors as part of their oversight of cybersecurity risks and disclosures. The questions are designed to initiate dialogue to clarify the role of the auditor in connection with cybersecurity risk assessment in the context of the audit of the financial statements and internal control over financial reporting (ICFR), and to help the board understand how the company is managing its cybersecurity risks.
The publication is organized in four parts and provides important and sometimes quite specific and detailed questions for audit committees and other board members with cybersecurity oversight responsibility to ask the auditors and management.
The first topic, Understanding how the financial statement auditor considers cybersecurity risk, is designed to help board members who have responsibility for cybersecurity risk oversight to understand the roles and responsibilities of the financial statement auditor related to cybersecurity risks. The CAQ suggests that these directors ask the auditor about how the auditor’s approach to identifying and assessing financial statement and ICFR risks takes cybersecurity risks into account, how the auditor addresses cybersecurity risks identified in the audit process, why the ICFR audit does not address all of the company’s enterprise-wide cybersecurity risks and controls, the impact of a cybersecurity breach on the auditor’s assessment of ICFR and what the auditor’s audit response would be to a cybersecurity breach that resulted in a potential material contingent liability.
In the second topic, Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures, the CAQ addresses the renewed focus of the SEC, particularly in the 2018 guidance, and others on cybersecurity disclosure in light of the increasing importance of cybersecurity and the increasing incidence of cyber threats and breaches. The CAQ notes in particular SEC Chair Jay Clayton’s advice that Corp Fin will be monitoring cybersecurity disclosures as part of its selective filing reviews. In addition, in its guidance, the SEC advised companies to examine the adequacy of their disclosure controls and procedures with respect to cybersecurity. (See this Cooley Alert and this PubCo post.)
With regard to questions to management regarding cybersecurity disclosures, the CAQ focuses primarily on disclosure controls, including how management has considered cybersecurity risks in the company’s ability to record, process, summarize and report on information required to be disclosed in its SEC filings; what disclosure controls and procedures are in place to facilitate accurate and timely cybersecurity disclosures; whether the design and operating effectiveness of the disclosure controls and procedures have been evaluated; how management is considering the SEC guidance with respect to risk factors, MD&A and financial statement disclosures; the processes and controls in place to help ensure that, in the event of a cyber breach, appropriate management and directors are involved in the review of the related disclosures; and whether the company’s insider trading policies take into account material cyber incidents, including preventing insiders from trading prior to disclosure of the event.
In its guidance, the SEC encourages companies to assess whether their disclosure controls and procedures are adequate to reasonably ensure that information about cybersecurity risks and incidents is reported to “appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications.” The controls should also suffice to ensure that information is communicated to appropriate personnel to facilitate compliance with insider trading policies. In particular, the SEC advises, “[c]ontrols and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.” The SEC also notes that the required CEO and CFO certifications address effectiveness of disclosure controls and “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.”
With regard to questions to the auditor regarding cybersecurity disclosures, the CAQ suggests asking what the auditor considers in connection with cybersecurity disclosures included in the Form 10-K or other documents that include the audited financial statements as compared to cybersecurity disclosures in other company documents; the nature of the auditor’s responsibility with respect to the company’s assessment of financial statement disclosures related to a material contingent liability for a cyber incident; and the nature of the auditor’s responsibility if a material cyber incident is discovered after the balance sheet date but before the date of the auditor’s report on the financial statements.
For the third topic, Understanding management’s approach to cybersecurity risk management, the CAQ observes that, according to the SEC, “disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility.” Note that the SEC guidance indicates that companies are required to disclose the extent of their boards’ role in risk oversight, including how the board administers that function. If cybersecurity risks are material, the SEC believes that the board’s role in oversight of that risk should be discussed, along with the company’s cybersecurity risk management program and how the board engages with management on cybersecurity issues.
To better understand a company’s cyber risk management program, the CAQ suggests asking management about the frameworks used both to design the program (e.g., NIST, ISO/IEC 27001/27002, SEC cybersecurity guidelines, AICPA Trust Services Criteria) and to communicate information about the program; the processes and programs in place to periodically evaluate the program and related controls; the cybersecurity policies, processes and controls in place to “detect, respond to, mitigate, and recover from—on a timely basis—cybersecurity events that are not prevented,” and “to address the impact to the company of a cybersecurity breach at significant/relevant vendors and business partners with whom the company shares sensitive information,” including risk identification and mitigation procedures; the controls in place to inform IT and management about a cybersecurity breach and to ensure other appropriate responses and communications; whether the company has conducted a cyber event simulation; whether the company has considered cyber insurance coverage; and whether the company has staff with appropriate skills to design and operate an effective cybersecurity risk management program.
In a sidebar, the CAQ discusses the 2017 NACD Director’s Handbook on Cyber-Risk Oversight, which identifies five principles for boards in fulfilling their cyber risk oversight functions:
- “Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risk as they relate to their company’s specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
- Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.”
The CAQ also attaches as Appendix A another series of questions from the NACD related to board cyber risk oversight. For a discussion of the views of SEC staff and Commissioners regarding the need to treat cybersecurity not simply as an IT problem, as noted in the first principle above, but also as a business risk, see this PubCo post.
In the fourth topic, Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management, the CAQ suggests a dialogue with audit firms about incremental offerings related to cybersecurity that CPA firms can provide, beyond the scope of a regular financial statement audit (which is usually focused only on IT risks that affect financial reporting). These might include how the AICPA’s new cybersecurity risk management reporting framework could be used by management as a self-assessment tool or by the audit firm as an attestation service to evaluate management’s description of its cybersecurity program or to determine the effectiveness of the company’s controls within the program. In addition, directors may want to inquire about the factors to be considered before engaging a CPA firm (including the technical skills of the firm) to validate effectiveness of cybersecurity controls, the objectives of an examination of “SOC for Cybersecurity” (services that relate to assurance over system-level controls of a service organization and system- or entity-level controls of other organizations), efforts of the audit profession to help address third-party cybersecurity risks and other types of engagements that may be available to help board members with cybersecurity risk oversight.