Everyone hears about cyber risk, but not everyone is aware that the federal government is taking steps to help protect public companies and investors from malicious hackers. A bill recently introduced in the Senate, the Cybersecurity Disclosure Act of 2017, would require public companies either to 1) name a cyber security expert on the board or 2) explain what other cyber security measures the company has taken if no board member has cyber security expertise. The bill has bipartisan support and is a common sense next step. It follows the comply-or-explain model of the SOX requirement (Section 407) that a public company disclose whether its audit committee includes a financial expert and, if not, why not.
Many public companies and their boards have expressed interest in cyber risk management, yet very few of those boards currently have a member with cyber expertise. Given the shortage of cyber expertise in the US, sourcing these experts may be difficult in the short term.
Additionally, the PCAOB has released an Inspection Brief summarizing the planned approach for its inspections of firms that audit public companies. In last year's audit cycle, inspectors began asking firms how they considered the risk of material misstatement related to cyber. Cyber security is becoming as much a business risk as a technology risk. It is reasonable to assume that the PCAOB will keep asking audit firms these questions, which in turn puts pressure on public companies to better assess and manage cyber risk.
Last year, a bill was introduced in the House that would add cyber risk management and controls to the annual SOX certifications. That bill has stalled, but it is a good indicator of where legislation may be headed in the near future.
Companies should begin preparing now for these likely changes.
Boards and executives should receive cyber awareness training and regular updates on cyber risk management, on any network intrusions or other security incidents, and on the results of the manual or automated monitoring controls used to manage cyber risk.
Board nominating committees should begin to weigh cyber experience when evaluating potential new board members. For companies in industries with a strong cyber risk profile (healthcare, technology, financial services, or any entity that conducts a significant portion of its business online or on customized software), new board members with cyber experience should be added now.
Finally, entities looking to improve their cyber risk management and the transparency of their reporting to the board and other stakeholders should consider a SOC for Cybersecurity engagement. In these engagements, a CPA examines management's description of the company's cyber security risk management program and attests to the effectiveness of the controls within it. The resulting report is designed for general use, so it can be shared internally with leadership and externally with regulators, customers and vendors. Because an attestation report evaluates whether the program and controls are designed and operating as described, rather than whether an attacker could defeat them, pairing a SOC for Cybersecurity report with a thorough penetration test is one of the best steps a company can take to address cyber risk.