As everyone who reads the news knows by now, cyberattacks can be expensive. In addition to the risk of direct loss of revenue and intellectual property, there are the potential costs of remediation, legal expenses, brand erosion and urgent cybersecurity improvements.
Public companies face the additional risk of a drop in stock value, and the added responsibility of publicly disclosing not only cyberattacks, but the likely risk of cyberattacks, as well. In February 2018, the SEC issued interpretive guidance on a 2011 cyberattack disclosure directive, adding new disclosure policies. And in May 2019, Kathleen Hamm, a board member of the Public Company Accounting Oversight Board (PCAOB), called on external auditors to “lean in” and become more aggressive in evaluating cybersecurity risks and the adequacy of disclosures.
In our experience, cybersecurity risks and disclosures have not been top-of-mind for companies preparing for an initial public offering, but with the changing risk landscape, they absolutely must be. Regulators are doing everything in their power to signal that public companies need to pay attention to this large and growing risk, and external auditors are increasing their focus on cybersecurity as part of Sarbanes-Oxley Section 404 testing efforts. The increased focus from external audit firms is on the maturity of the overall cybersecurity program, including understanding cyber risks and what controls are in place to protect the most valuable company information. This increased scrutiny means that pre-IPO companies need to make cybersecurity part of the public company transition planning process.
For companies unfamiliar with how this planning process should go, we suggest the following four-step approach:
Step 1: Document the current situation — Identify gaps using a formal, defined framework. Most public companies use ISO 27001 or NIST; private companies, especially those considering an IPO, could start with one of those.
Step 2: Define a desired future state — This is what the situation will look like after the risks identified in step one have been addressed.
Step 3: Create a road map — Once a company knows where it wants to be in its future state, it is important to determine exactly how it plans to get there. That means having a strategy for how to achieve the desired objectives and executing that strategy.
Step 4: Monitor/report results — The fourth and final step involves reporting to the executive management team and the board on how the security program is performing relative to the established goals and objectives.
All four of these steps are important. In many cases, we’ve seen that the cybersecurity practices of companies in the IPO process lack the rigor expected of a public company. Private companies considering an IPO will want to be especially diligent in remediating this risk in order to avoid regulatory challenges or valuation penalties in their offerings.
Finally, companies need to acknowledge that cybersecurity breaches these days are more likely than not, and any comprehensive cybersecurity program needs to focus at least as much on recovery as it does on prevention.
Good recovery plans address all aspects of infrastructure: people, processes and technology. Cybersecurity training needs to be realistic enough so that employees understand their individual roles and responsibilities and are prepared to act in the event of a breach. If appropriate, external auditors can be helpful in determining whether the proper controls are in place and what disclosures may be required.
Cybersecurity is an area of particular interest here at Protiviti and we have compiled a wealth of information available on our website. Sharpening the focus on cybersecurity was also the subject of a recent director roundtable, captured in Issue 113 of our Board Perspectives: Risk Oversight series.