Before this particular bit of news sails downstream, internal control professionals might want to note that an SEC commissioner spoke this week about the importance of internal controls for cybersecurity. She raised a few points worth considering.
The remarks came from Caroline Crenshaw, a Democratic appointee to the Securities and Exchange Commission who, in my opinion, is something of a stalking horse for SEC policy. She stakes out strong positions early, and then commission staff or chairman Gary Gensler follow up a while later with more measured versions of whatever Crenshaw had proposed before. So her statements are worth your attention.
Crenshaw spoke Tuesday at a gathering of corporate controllers hosted by PwC and Pepsico. (There’s an odd couple for you.) Most of her speech dwelled on how internal controls relate to ESG risks, which we’ve discussed many times before on this blog and won’t rehash again today.
But Crenshaw also made a passing reference to how internal controls should support strong cybersecurity. Given how important cybersecurity is to regulatory compliance, financial audits, and external reporting; and the potential for either the SEC or the PCAOB to revisit their guidance on cybersecurity, we should unpack what she said.
One passage in Crenshaw’s speech that caught my eye was this:
I’m particularly interested in understanding how public companies are responding to the various types of cybersecurity intrusions and attacks public issuers are facing, since these create threats to management’s ability to safeguard the company’s assets, in particular.
Why? Because the nature of cyber threats is changing. As hackers shift from swiping copies of customer data to launching ransomware attacks that can disable corporate operations, more corporate assets are put in jeopardy, and to a greater extent. Well, as the potential for damage to corporate assets increases, so does the need for effective internal control to safeguard them.
Consider the Possible Cyber Headaches
For example, if hackers break into a global business and abscond with copies of 100 million customer records — that’s bad, and it will probably lead to enforcement from the Federal Trade Commission or state attorneys general somehow. But stolen customer data wouldn’t normally lead to a financial restatement, and in many instances the remediation costs might not even be material. Plus, at the end of that ordeal, the company still has the asset: the customer data, ready to be used for marketing purposes or other transactions.
Ransomware attacks are fundamentally different. They do leave the company unable to use its assets: the data, or the IT systems to process that data. If you don’t pay the ransom, you might never get those assets back. Or the attackers might post the data online anyway and render it worthless. (Say, if they steal design plans for your next killer product.) Plus, if ransomware attacks leave you unable to operate for prolonged periods, you could well lose large sums of money that are material to the business.
So as the ransomware menace continues to increase, the importance of internal controls to safeguard company assets increases right along with it — potentially to the point that audit firms might flag cybersecurity issues more often, or that the SEC might issue new guidance on the subject. I mean, clearly Crensaw is thinking about this; she can’t be the only one at the agency who is.
What’s really happening here is that the definition of “assets” is expanding to include data and easy access to your IT systems to process that data. So businesses need to implement internal controls to safeguard those assets, just like you would with physical inventory or office locations.
Internal Control Implications
Crenshaw went on to give a few examples of how companies might approach risk assessment and internal controls for cybersecurity:
Are companies evaluating authentication protocols and potential weaknesses in security frameworks? And what internal controls are in place to protect electronic systems from unauthorized access or to ensure financial transactions are processed as authorized and not diverted?
Right there, we can classify our internal control concerns into two categories just like Crenshaw did. First are those authentication protocols: user IDs, password policies, the governance of administrator accounts that have authority to create other user accounts, multi-factor authentication, efficient de-provisioning of access when an employee leaves the company, and so forth.
The compliance and audit community has talked about authentication protocols many times, and audit firms already know the importance of testing those controls. This stuff isn’t easy, but I’m not worried about it.
The second category, however, are internal controls to protect electronic systems from unauthorized access — and I do worry about this category, because it includes the threat of unauthenticated attacks against corporate IT systems directly.
Unauthenticated attacks happen when hackers discover weaknesses in your SAP, Oracle, or other business software systems; and use those weaknesses to gain access and execute commands without ever needing to enter a user ID and password. Imagine a bouncer at the front door, thoroughly checking everyone’s ID before granting access — then someone pries open a creaky window in the back that you never bothered to replace, and steals the cash box. That’s an unauthenticated attack.
Nobody has a good answer yet for the internal control and audit questions that arise from these attacks. For example, could a company hire a cybersecurity firm to test its entire ERP software system, document all known vulnerabilities, patch them — and then tell auditors that it has sufficient internal control? Is an audit firm allowed to accept that? Is the audit firm supposed to perform its own ERP vulnerability analysis?
To the best of my knowledge, the Public Company Accounting Oversight Board has no specific views on this subject. (In no small part because the PCAOB has been a basket of dysfunction for years.) The SEC has guidance on what companies should disclose for cybersecurity failures that have happened, but no guidance on how much cybersecurity is “enough” for a company to say that, yes, its internal controls are providing sufficient safeguarding of assets.
Crenshaw made one other point worth noting. She said this about enforcement:
For good reason, the Commission has brought enforcement actions when public companies and regulated entities have lacked adequate internal accounting controls, or made inadequate public disclosures concerning cyber-intrusions and related risks. This is an area where I expect our Enforcement and Exams Divisions’ staff would continue to pay attention.
Well, yes, but those enforcement actions for inadequate accounting controls are typically related to fraud or inadequate disclosure of specific events. I expect the Enforcement and Exams Divisions to keep paying attention to those issues too.
But what we need even more is to think long and hard about defining adequate security in the first place, and how internal controls should assure it — especially as ERP software systems grow ever more complex, and ransomware attackers get ever more ambitious.