Cybersecurity and Accounting
In today’s current digital age, a lot of people have at one point wondered if their online accounts have been compromised or have been part of a large store or restaurant data breach. With the constant news cycle, it can become desensitizing but it is imperative, especially for public companies, to be vigilant and educate their employees and stakeholders on proper protocols and procedures for minimizing risk. Accounting professionals are in a unique position to be utilized in the effort to maintain cybersecurity.
The Securities and Exchange Commission (SEC) issued guidance on cybersecurity. In an article produced by Deloitte’s Christine Mazor and Sandra Herrygers that appeared in The Wall Street Journal, they explained that “issued on February 21, 2018, the release largely refreshes existing SEC staff guidance related to cybersecurity and, like that guidance, does not establish any new disclosure obligations but rather presents the SEC’s views on how its existing rules should be interpreted in connection with cybersecurity threats and incidents.”
The rise and scope of these threats is important to note, as well as the varying type of attacks. The compromising of an employee’s password and the complete breach of a major retailer’s financial transactions are difference in degree, but the need for security is the same.
Further detailing the SEC’s release, EY provided this statement from the SEC: “given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”
In a description of the release, EY explains that one of the main components is “clarifying that disclosure controls and procedures should enable registrants to identify cybersecurity risks and incidents, assess and analyze their implications and make timely disclosures.”
Due to the nature and increased sophistication of cyberattacks, PricewaterhouseCoopers stated that “the current US standalone cyber insurance market is estimated at $2.5-$3.5 billion annually…” This alone portrays the vastness and severity of cyber dangers that face companies, specifically public ones.
Lisa Traina lists for AICPA the top 5 cybersecurity dangers that companies and CPAs face:
The first, ignorance, is important because accountants and other hired parties cannot help a company if there is no belief that a danger exists. Regarding passwords, Lisa explains that due to the cloud and remote accessing, the need for strong passwords has increased. Furthermore, she advises against employees carelessly storing passwords in places that can be easily compromised, such as a desktop folder. Phishing, malware and vulnerabilities speak to the need for strong IT infrastructure as well as strong employee training on how best to avoid recognizable compromises.
Given the climate of increased technologies correlating to increased risk, Terry Sheridan asserts that “not all that long ago, most companies relegated anything “cyber” to the IT department. But as recognition grows that cybersecurity risks include personnel practices, supply chain management, and operational decisions, more enterprise-wide approaches to managing these risks have evolved.” This includes accountants and finance professionals.
Terry notes that the Center for Audit Quality (CAQ) published a white paper entitled “The CPA’s Role in Addressing Cybersecurity Risk,” which highlights the inherent strengths of accountants to aid with cybersecurity.
- Core values and attributes
Terry explains that “CPAs are viewed by management and boards as trusted advisors who have a board understanding of businesses, who receive appropriate annual training, who comply with a code of ethics, and who are subject to rigorous external quality reviews.”
- Experience in independent evaluations
The framework has already been laid to make the connection from accounting to cybersecurity, Terry reveals: “…many large and midsized CPA firms have built substantial IT practices that provide attestation and advisory services to organizations on IT security-related matters…”
- Multidisciplinary strengths
This point is important as the combination of accounting knowledge and information technology knowledge is being specifically sough after by firms. For students and professionals looking to enrich or advance their accounting career, adding a specialty of IT knowledge would be very useful for public companies.
Furthermore, there is a need for common language and procedures so companies can have a roadmap to assess their situation and progress. Susan S. Coffey explains that “there hasn’t been a consistent, common language for describing and reporting on the cybersecurity risk management programs organizations put in place. This lack of transparency makes it difficult for stakeholders to determine whether an organization’s cybersecurity risk management plan effectively addresses potential threats.”
For this reason, she described that a framework has been developed by Assurance Services Executive Committee (ASEC) comprised of accountants with IT work history with clients; the framework can be found at aicpa.org/cybersecurityriskmanagement.
Coffey outlines how the framework helps accountants become further involved in cybersecurity: “management accountants more directly involved with the organization’s cybersecurity efforts can promote awareness and use of the framework as a means of communication those efforts, both internally and externally, and of evaluating the effectiveness of the organization’s controls in achieving its cybersecurity objectives.”
Expounding on the framework, Russ Banham for Journal of Accountancy, specifically outlines the opportunities for accountants:
- CPAs to perform a consulting engagement to help a client’s management develop a description of its cybersecurity risk management program to provide to the board and other internal parties…
- CPAs to perform a consulting engagement known as a “readiness assessment” to help a client identify where its cybersecurity processes and controls may need to be shored up.
- CPAs to perform a System and Organization Controls (SOC) for Cybersecurity examination engagement to assess the client’s cybersecurity risk management program…
The framework’s suggestion that accountants can be on the forefront of providing sensitive information to a company’s Board is important to note, as a Board’s responsibility is to monitor and be made aware of critical issues facing company operations.
Role of the Board
Christopher P. Skroupa, a Contributor to Forbes, has interviewed Michael Yaeger, an expert in cybersecurity. In response to a question about the role of cybersecurity as it relates to the Board, Yaeger explained that “one basic function of a modern corporate Board is to oversee risk management, and many risks do not present themselves as cybersecurity issues.” This is all the more reason to be vigilant on all sides of a company’s operations, including accounting and finance.
Speaking specifically on what the Board can do regarding cybersecurity, Yaeger asserts that “the board must ensure that the company has cyber risk management policies and procedures consistent with its strategy and risk appetite, and the board must ensure that these policies and procedures are functioning.”
It is a given that there are moving pieces when it comes to cybersecurity and the need for employees and a company at large to be secure. For this reason, it is most beneficial when accounting professionals have a multi-layered background that includes cybersecurity so they are able to be an additional line of defense. And as the research has shown, accounting and cybersecurity is a perfect match.
Banham, Russ. “Cybersecurity: A new engagement opportunity.” Journal of Accountancy, 22 May 2018. < https://www.journalofaccountancy.com/issues/2017/oct/cybersecurity-engagement-for-cpas.html>
Coffey, Susan S. “It’s Time to Speak the Same Language on Cybersecurity.” AICPA, 22 May 2018. < http:// blog.aicpa.org/2017/05/its-time-to-speak-the-same-language-on-cybersecurity. html#sthash .aVdMkso8 .pnI16iEE.dpbs>
Mazor, Christine and Herrygers, Sandra. “SEC Issues Cybersecurity Guidance.” The Wall Street Journal, 22 May 2018. <http://deloitte.wsj.com/cfo/2018/04/27/sec-issues-cybersecurity-guidance/>
Porcelli, Mike et al. “Are insurers adequately balancing risk & opportunity? Findings from PwC’s global cyber insurance survey.” PwC, 22 May 2018. < https://www.pwc.com/us/en/industry/assets/pwc-cyber-insurance-survey.pdf>
“SEC Reporting Update: SEC issues guidance on cybersecurity.” EY, 22 May 2018. < file:///C:/Users / llestino/Downloads/secreportingupdate_01030-181us_cybersecurity_22february2018.pdf>
Sheridan, Terry. “CPAs Have the Strengths Needed to Address Cybersecurity Risk.” Accountingweb, 22 May 2018. < https://www.accountingweb.com/aa/auditing/cpas-have-the-strengths-needed-to-address-cybersecurity-risk>
Skroupa, Christopher P. “Cybersecurity And The Board’s Responsibilities—‘What’s Reasonable Has Changed.’” Forbes, 22 May 2018. < https://www.forbes.com /sites/christopherskroupa/2018/04/19/ cybersecurity-and-the-boards-responsibilities-whats-reasonable-has-changed/#6c156c1e3c3c>
Traina, Lisa. “The top 5 cybersecurity risks for CPAs.” AICPA Store, 22 May 2018. < https://www.Aicpa store.com/Content/media/PRODUCER_CONTENT/Newsletters/Articles_2015/CPA/JUN/fivecybersecurityrisks.jsp>