John D. Rockefeller IV, Chairman of the US Senate Committee on Commerce, Science and Transportation said:
“This guidance fundamentally changes the way companies will address cybersecurity … It will allow the market to evaluate companies in part on their ability to keep their networks secure.”
What does that mean?
To make a long story short: If your IT environment is critical to your business you need to consider the risk associated with it and evaluate potential risk caused by cybersecurity issues like DDoS, intrusions etc. and potentially include statements about this in your SEC filings.
The longer version of this short story!
Under „CF Disclosure Guidance: Topic No2. – Cybersecurity“ the SEC clarifies that existing disclosure requirements already include the evaluation of cybersecurity risks. They stated that potential investors may have an interest in evaluating a potential investment also based on security risk considerations.
Item 503(c) of Regulation S-K represents the heart of this guidance. Here registrants are requested to disclose significant risks that could affect investments in this registrant in a negative way, thus make investments speculative or risky in general. The guidance points out that regstrants shall disclose their risks associated with cybersecurity incidents or cybersecurity risks in general if they are considered tob e a material factor to the registrant.
As part of the evaluation registrants should consider likelihood and magnitude of those risks.
This includes various things like:
- Outsourced functions
- Business that might be affected by cybersecurity incidents
- Already experienced cyberincidents
Where and how to disclose what?
Prevention / Software
Prevention of cyberattacks have to be registered in accordance with ASC (Accounting Standard Codification) 350-40, Intangibles – Goodwill and Other – Internal Use Software
Incentives / Penalties
To mitigate security breaches by providing incentives to clients have to be registered in accordance with ASDC605-50
Cyber Incidents may cause losses which have tob e registered in accordance with ASC 450-20, Contingencies – Loss Contingencies
Conclusion – Business Impact
First of all registrants need tob e aware of potential cybersecurity incidents and risks. This means that incident detection and response are absolutely mandatory to conclude on security breaches, but also a cyberthreat related risk approach is vital to determine potential monetary implications of a cybersecurity incident.
CFOs may tend to the position that IT itself is not critical to their business but as cybersecurity incidents become more and more serious and attacks become more and more focussed, a mind shift is essential to comply with accounting standards. Up to now there are only few companies that have a direct and effective link from their security function to their finance function. This is an essential requirement which can facilitate a mind shift in finance and security leading to improved skillsets in both functions.
Now CFOs have to understand security! With their 20-F filing at the SEC they confirm that they have taken security into their considerations and accounted for them propperly. This is not explicitely stated but implicitely. Since this guidance is in place no CFO can anymore deny the implications of security to their financial statements. SEC staff will question disclosures if in press and media registrants are mentioned together with security incidents that have caused business disruption. Certain industry sectors will not be able to deny anymore that they might be affected (e.G. Telcos seen as first line of defense by their countries).
The security function now needs to improve their accounting skills to better support the finance function regarding the compliance with disclosure controls and procedures. They need to understand the implication of security incidents on financial statements.
The last but most political consequence is that procurement organizations may take a look at the disclosures and add cybersecurity disclosures to their criteria list to register or remove suppliers from their supply chain. Nations may use this criteria to secure national supply chains.