
November 02, 2011
In today’s day and age, it’s hard to imagine any company that is not using the internet or internal technology to drive its business. However, companies, their boards and shareholders may not always understand the full extent of the risk that lies in that technology. Prompted by the considerable attention paid to high-profile cybersecurity incidents, the Division of Corporation Finance of the Securities and Exchange Commission has focused on this issue and recently provided its views on registrants’ cyber risk disclosure obligations.
The Division states, “Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”
Why is cybersecurity such a critical issue?
Virtually all activities today rely on computers and the internet – communication (internet, smartphones), shopping (online stores, credit cards), personal records (medical, employee and customer information), accounting records, etc. Cybersecurity entails protecting this information by preventing, detecting, and responding to attacks.
What risks and consequences do you need to consider?
The risks companies should consider are: 1) misappropriation of sensitive data including proprietary information, 2) corrupted data and 3) operational disruption. These may be carried out by someone gaining unauthorized access or causing processing disruptions. Attacks may lead to consequences such as additional costs, lost revenues, litigation as well as reputational damage.
Which companies are most at risk?
Everyone who maintains data in an electronic environment. Zeena Patel, a leader in EisnerAmper’s Technology Audit and Advisory Services group, notes: “The Division was prompted to provide their views when several large companies were involved in significant attacks. However, data shows that criminals are just as likely to invade smaller and medium-sized organizations who may not have the resources to detect and prevent attacks quickly.”
What disclosures may be required?
The guidance, which does not change the existing rules and regulations, requires companies to disclose any aspects of their business that could have material costs and consequences.
A significant attack, or high risk of attacks (even if currently undetected), may require quantitative and qualitative information within the “Risk Factor” disclosure.
Further consideration must also be given to including these costs and consequences in Management’s Discussion and Analysis and in the Financial Statements.
Lastly, inadequate operating cybersecurity controls may lead to ineffective Disclosure Controls and Procedures.
How should companies respond to the guidance?
Zeena further states: “Companies should be preparing a risk assessment which also includes third-party providers. Understanding the magnitude and likelihood of potential attack within your current controls will allow you to determine your disclosure requirements.”
The guidance can be found here.
If you have any questions, please contact Bauerle and Company.
This publication has been prepared by EisnerAmper LLP for informational purposes only. These materials do not constitute accounting, tax or legal advice and cannot be relied upon by any taxpayer for the purpose of avoiding penalties imposed under the Internal Revenue Code.
Redistributed by Bauerle and Company, P.C. with permission

PKF North America is an association of independently owned public accounting firms who share educational, client service, best practice and marketing resources, and benefit from various ranges of expertise.
PKF NA provides its members with specialized technical resources and thought leadership as well as invaluable networking and professional development opportunities, empowering them to better serve growth-minded businesses across all industries (or sectors).