March 24, 2014
Data breaches are headline news, and cybersecurity is understandably on the minds of legislators, regulators, boards, and management. Aside from the financial implications, there are also reputation implications for investors and those in the supply chain, as well as possible regulatory fines. Given the seriousness of the situation, cybersecurity has become a broad business concern and is not just an IT issue.
The U.S. Securities and Exchange Commission (SEC) has taken note and announced its plans to hold a cybersecurity roundtable this Wednesday, March 26, from 9:30 a.m. to 3 p.m. Eastern at its headquarters in Washington, D.C. Panelists will discuss the landscape and issues facing exchanges and other key market systems, broker-dealers, investment advisers, transfer agents, and public companies. Panelists also will be invited to discuss industry and public-private sector coordination efforts relating to assessing and responding to cybersecurity issues. The public is invited to observe the roundtable discussion – either in person or via a webcast on the SEC’s website. The SEC will accept comments regarding issues addressed at the roundtable until May 2, 2014.
On March 21, the Center for Audit Quality (CAQ) released an alert, “Cybersecurity and the External Audit,” to its members. The alert includes a diagram depicting the typical access path to an IT system and contrasts those layers on which the external auditors typically focus with the points at which cyber incidents typically first occur. In the alert, the CAQ observes that external auditor responsibilities typically are limited to the financial reporting-related IT system, which normally is a subset of the aggregate systems and data used by companies to support their overall business operations. Given the focus on a narrower slice of a company’s overall IT platform, the execution of an external audit likely would not include areas that would address a cybersecurity breach. However, if information about a material breach is identified, the auditor would need to consider the impact on financial reporting, including disclosures, and the impact on internal controls over financial reporting as part of the audit.
The CAQ alert also recognizes the Feb. 12 release by the National Institute of Standards and Technology (NIST) of its first framework on cybersecurity, “Framework for Improving Critical Infrastructure Cybersecurity.” The framework includes standards, guidelines, and practices to promote the protection of critical infrastructure and to help owners and operators of critical infrastructure to manage cybersecurity-related risk. During his remarks at a March 18 conference, Cyrus Amir-Mokri, the U.S. Treasury’s assistant secretary for financial institutions, outlined the basic substantive elements of the NIST framework and offered his thoughts on how the Treasury’s operational activities and current policy development fit in with the framework.
For More Information
James A. Dolinar
Sydney K. Garmong