Board members charged with cybersecurity risk oversight should be prepared with certain questions about cybersecurity risks and disclosures when interacting with company management and CPA firms. The Center for Audit Quality (CAQ) divides these questions into four key areas:
- Understanding how the financial statement auditor considers cybersecurity risk.
Two key contexts of cybersecurity are considered by a financial statement auditor: the audits of financial statements and other disclosures. The CAQ identifies six topics to focus on in auditor discussions:
- Risks of material misstatements
- Enterprise-wide cybersecurity risks
- Breach disclosures
- Internal controls over financial reporting
- Enterprise-wide cybersecurity controls
- The role of information technology
- Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures.
In 2018, the SEC updated disclosure guidance to address the importance of cybersecurity policies and the application of insider trading prohibitions in the cybersecurity context. They emphasized the importance of making certain periodic reports, like a 10-Q, that provide timely and ongoing information regarding material cybersecurity risks and incidents. It is also important that management is evaluating disclosure controls and procedures for these reports.
Topics to touch on during discussions with management:
- SEC Filings Compliance
- Operating Effectiveness of Disclosure Controls/Procedures
- Insider Trading Policies
- Design of Disclosure Controls/Procedures
- Cybersecurity Considerations on Risk
- Cybersecurity Disclosure in MD&A
- Understanding management’s approach to cybersecurity risk management.
The following are several broad cybersecurity-related questions that board members, in their oversight roles, can use to better understand a company’s cybersecurity risk management program:
- What framework, if any, does management use in designing a cybersecurity risk management program? (Examples: NIST, ISO, AICPA Trust Services Criteria)
- What framework, if any, does management use in communicating pertinent information about its cybersecurity management program?
- What processes and programs are in place to periodically evaluate the cybersecurity risk management program and related controls?
- In the event of a cybersecurity breach, what controls are in place to help ensure that the IT department and appropriate senior management are informed and engaged on a timely basis?
- Has the company conducted a cyber event simulation as part of its approach to enterprise risk management?
- Has the company considered cost mitigation/risk transfer options in the form of cyber insurance coverage in the event of a cybersecurity breach?
- Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management.
CPAs are in a strong position to play an important role in informing the advancement of cybersecurity risk management practices. This is true as a result of the accounting profession paying increased attention to continuous improvement/education, public service and consistent sufficient investor confidence. This understanding aims to foster a dialogue between auditors and board members about identifying incremental offerings that CPA firms may provide to organizations.