Security Goes Accounting

John D. Rockefeller IV, Chairman of the US Senate Committee on Commerce, Science and Transportation said:

“This guidance fundamentally changes the way companies will address cybersecurity … It will allow the market to evaluate companies in part on their ability to keep their networks secure.”

 What does that mean? 

To make a long story short: If your IT environment is critical to your business you need to consider the risk associated with it and evaluate potential risk caused by cybersecurity issues like DDoS, intrusions etc. and potentially include statements about this in your SEC filings.

The longer version of this short story!

Under „CF Disclosure Guidance: Topic No2. – Cybersecurity“ the SEC clarifies that existing disclosure requirements already include the evaluation of cybersecurity risks. They stated that potential investors may have an interest in evaluating a potential investment also based on security risk considerations.

Item 503(c) of Regulation S-K represents the heart of this guidance. Here registrants are requested to disclose significant risks that could affect investments in this registrant in a negative way, thus make investments speculative or risky in general. The guidance points out that regstrants shall disclose their risks associated with cybersecurity incidents or cybersecurity risks in general if they are considered tob e a material factor to the registrant.

As part of the evaluation registrants should consider likelihood and magnitude of those risks.

This includes various things like:

  • Outsourced functions
  • Business that might be affected by cybersecurity incidents
  • Already experienced cyberincidents

Where and how to disclose what?

Prevention / Software

Prevention of cyberattacks have to be registered in accordance with ASC (Accounting Standard Codification) 350-40, Intangibles – Goodwill and Other – Internal Use Software

Incentives / Penalties

To mitigate security breaches by providing incentives to clients have to be registered in accordance with ASDC605-50


Cyber Incidents may cause losses which have tob e registered in accordance with ASC 450-20, Contingencies – Loss Contingencies

Conclusion – Business Impact

First of all registrants need tob e aware of potential cybersecurity incidents and risks. This means that incident detection and response are absolutely mandatory to conclude on security breaches, but also a cyberthreat related risk approach is vital to determine potential monetary implications of a cybersecurity incident.

CFOs may tend to the position that IT itself is not critical to their business but as cybersecurity incidents become more and more serious and attacks become more and more focussed, a mind shift is essential to comply with accounting standards. Up to now there are only few companies that have a direct and effective link from their security function to their finance function. This is an essential requirement which can facilitate a mind shift in finance and security leading to improved skillsets in both functions.

Now CFOs have to understand security! With their 20-F filing at the SEC they confirm that they have taken security into their considerations and accounted for them propperly. This is not explicitely stated but implicitely. Since this guidance is in place no CFO can anymore deny the implications of security to their financial statements. SEC staff will question disclosures if in press and media registrants are mentioned together with security incidents that have caused business disruption. Certain industry sectors will not be able to deny anymore that they might be affected (e.G. Telcos seen as first line of defense by their countries).

The security function now needs to improve their accounting skills to better support the finance function regarding the compliance with disclosure controls and procedures. They need to understand the implication of security incidents on financial statements.

The last but most political consequence is that procurement organizations may take a look at the disclosures and add cybersecurity disclosures to their criteria list to register or remove suppliers from their supply chain. Nations may use this criteria to secure national supply chains.


Some words about Security in the Cloud

The security of cloud services has been the subject of heated debate and neither side is giving an inch.

One side claims cloud computing harbours uncontrollable risks and warns that we may well lose control of our own data; to them, every new security incident is grist to the mill.

The other side sees cloud computing as the way to higher security through the increasing industrialisation of IT services.

Both lines of argument have their merits. We can naturally expect a greater aggregation of data at certain providers as IT continues to industrialise. If a security incident were to occur in this situation, the assumption is that larger masses of data and even more enterprises could be affected as well. Inasmuch, the damage caused by a security incident at such a provider would be greater than the damage ensuing in the individual operations of an enterprise that has outsourced its data and services to that provider.  And there is another factor that makes the impact look even worse. While in-house security incidents are almost never reported (unless required by law), not so for the processes that many enterprises have contracted out to this provider. There will be no mantle of silence to cover up a security incident that affects so many enterprises and causes so much damage.

Deciding which side is right will depend on business indicators which we simply do not have at this time because they do not have to be reported in today’s regulatory climate.

Yet one thing is clear: the need to establish a systematic approach to secure our own data and processes.

That makes it indispensable to learn how to integrate our technical and business situation with cloud computing. As part of the big picture, (Cf. Chapter 3.3.1) cloud computing can be seen in the context of other hot topics.

The basic tendency is to try to prevent security incidents. That goes not only for cloud computing but also general business practice. To achieve that goal, we must clarify and understand the risks associated with cloud computing. That is the only way to do justice to the idea of Prevention.

Significant risk management parameters are ‘impact’ and ‘probability’. As the probability may be low, but not ‘nil’, an effective process must be established comprising two component to deal with actual risks:

  1. Detection
  2. Reaction

Detection is the process of flagging security incidents. Various studies show that only about 50% of all security incidents are detected within a week, while the rest are only discovered much later. Cloud computing complicates matters further.

Detection of a security incident must trigger a suitable reaction. Given the changing architectures in cloud computing, the procedures for obtaining legal evidence of security incidents are subject to change, and  both enterprises and the courts have yet to follow suit.

Look at the big picture and understand that the management of identities and authentication for a user’s cloud ecosystem is a not-to-be-underestimated strategic factor.