Companies are facing cyberattacks every day, with large organizations across industries reporting hackers gaining access to customer information, taking down IT systems and often making demands for ransom payments. As cyberattacks become more frequent and sophisticated, organizations are facing increased stakeholder calls and regulatory requirements to show they are protecting their information appropriately. According to a recent KPMG survey, 83% of companies suffered a cyberattack in the past year, and respondents said it took them an average of one month to fully contain the attack.
The Securities and Exchange Commission (SEC) is undertaking a comprehensive effort to increase cybersecurity preparedness and resilience for all registrants. This spring, new cybersecurity reporting requirements for public companies are expected, enhancing and standardizing risk management, strategy, governance and incident disclosures. The SEC also released proposed cybersecurity rules for broker-dealers and other market entities and opened comments on rules for registered advisers and funds in March 2023. At the same time, the SEC is enforcing large penalties against some companies for misleading disclosures around past cyberattacks. Additionally, in April 2023, the Public Company Accounting Oversight Board listed cybersecurity among its top priorities for this year’s inspections.
With the increased focus on cybersecurity from regulators, customers and investors, executives have a growing responsibility to understand their company’s cyber risks and the state of cyber programs. As a baseline, with oversight from the board, management should be preparing now to comply with the SEC’s final rules on cybersecurity disclosures. Going beyond regulatory compliance, it’s imperative to understand how your organization is positioned to detect, mitigate and remediate any cybersecurity threats and vulnerabilities with respect to information systems as well as business continuity and overall cyber incident reliance.
As a first step, management should evaluate the organization’s current situation, laying the groundwork for a strategy for enhancing the organization’s cyber maturity, achieving SEC compliance and reassuring customers, investors and other stakeholders that appropriate safeguards are in place. Key questions may include:
Third-party assessments and attestations are tools for management and the board to understand the organization’s current cyber readiness and respond to stakeholder demand for transparency. A cyber maturity assessment is a way for the financial reporting and internal controls function to get a clear, easily digestible view of the organization’s current cyber program benchmarked against other organizations of similar size and industry. A cybersecurity-focused SOC report can provide attestation for cyber controls.
Leaders should consider assessments that include potential vulnerabilities along the supply chain, which are often exploited by bad actors. With increased pressure from stakeholders throughout the supply chain to obtain varying levels of cybersecurity assurance, management may look to shift the organization’s assessment of its cybersecurity posture from the historically acceptable self-attestation approach to assessments or attestation engagements performed by an independent third party. This level of independent attestation can clearly demonstrate to vendors and customers that appropriate governance and controls are in place to protect their sensitive data and reduce exposure to their IT environment.
With an understanding of the organization’s starting point, management can plot out a path to compliance with SEC cyber regulations, transparency in response to stakeholder demand and organizational resilience.
Updating the internal communications plan
Questions to ask:
Even when a cyber incident has not been identified, cybersecurity update meetings should be held at defined frequencies to ensure all key stakeholders are equipped with the latest pertinent information. Establishing clear communication and reporting lines for identified cyber incidents is critical for ensuring those charged with financial reporting and internal controls are informed at the appropriate time to consider implication on Internal Controls over Financial Reporting and achieve compliance with any SEC regulations.
Preparing for a potential cyberattack
Questions to ask:
Management should review and update cyber incident response policies and procedures, including a clear delineation of responsibilities of the cybersecurity and risk management teams, management’s disclosure committee, and the legal department, plus escalation procedures to determine materiality, and preparation and review of disclosures.
With board oversight, management should test the cyber response plan and procedures, including documenting the cyber incident, evaluating it for materiality, drafting the disclosure and reviewing incidents in the aggregate. In its rule for public companies, the SEC will expect a materiality determination to be made “as soon as reasonably practicable,” which may require judgment. Audit committees and boards should confirm that management has a plan for escalating incidents to the disclosure committee and legal team to make the final materiality determination.
As regulatory requirements around cybersecurity increase and threats from cybercriminals become more severe, it will be crucial to manage risks by ensuring governance is in place to protect sensitive information. Management can lead the way through uncharted waters by bolstering cyber maturity ahead of coming regulations.
 KPMG LLP, “A triple threat across the Americas: KPMG 2022 Fraud Outlook,” 2022, https://kpmg.com/xx/en/home/insights/2022/01/kpmg-fraud-outlook-survey.html.
 KPMG LLP, “SEC proposes cybersecurity rules,” March 2022, https://frv.kpmg.us/reference-library/2022/sec-cybersecurity-guidance.html.
 KPMG LLP, “SEC Proposals on Cyber Risk Management for Market Entities,” 2023, https://advisory.kpmg.us/articles/2023/sec-roposals-on-cyber-risk-management-for-market-entities.html.
 KPMG LLP, “Cybersecurity: SEC Proposal for Adviser/Fund Risk Management, 2022, https://advisory.kpmg.us/articles/2022/sec-cybersecurity-reg-alert-feb-2022.html.
 Public Company Accounting Oversight Board, “Spotlight: Staff Priorities for 2023 Inspections, April 2023, https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/priorities-spotlight.pdf