Attestations for Cyber Controls
Last week I was in Atlanta speaking to a group of IT auditors. Conversation turned to the SEC’s proposals for expanded disclosure of cybersecurity risks, and attendees raised a good question: Does this mean that CISOs and other executives will need to attest that, yes, the company’s cybersecurity measures are effective?
Under the text of the SEC’s proposed rules, right now the answer is no; neither “attest” nor “attestation” appear anywhere in the proposal’s 129 pages. As a practical matter, however, CISOs, auditors, and compliance officers have some issues here to think through — and by the time we’re done, the answer on attestations might well be yes.
The fundamental question is this: How much assurance will the board and senior management want to provide to stakeholders that, yes, the company is handling its cybersecurity issues smartly? The more assurance they want to provide, the more likely it is that eventually some system of attestation (complete with sub-certifications from lower-level employees, and so forth) will take root at your organization.
The closest analogy to all this is compliance with the Sarbanes-Oxley Act. These days certifications and sub-certifications are standard practice for SOX compliance, but remember that SOX only requires certification about the accuracy of financial reporting from the CEO and the CFO — with the threat of criminal liability if those executives are certifying the effectiveness of internal control falsely. (Plus additional liability for the board and its audit committee, too.)
So when SOX compliance went into effect in the mid-2000s, all those senior executives told internal audit, the finance team, and anyone else touching financial controls, “You need to be sure this stuff is right, because I want to stay out of jail.” Twenty years later, here we are with SOX certifications up and down the org chart of every large company that comes anywhere near U.S. capital markets. It’s natural to wonder whether assurance demands for cybersecurity might follow a similar arc.
From SOX to Cyber Attestations
Now, a disclosure rule from the SEC is a far cry from a federal statute with criminal penalties attached. The SEC’s cybersecurity proposals would only require organizations to describe how they manage cybersecurity issues. Companies would still have lots of discretion to decide what those risk management practices actually are, and they would face no audit requirement to confirm that those practices are sufficient or actually, ya know, work. All of which lays the groundwork for a company to convince itself that, no, it doesn’t need the burden of cybersecurity attestations.
But when you consider the demands for cybersecurity assurance that already exist from so many stakeholder groups — regulators, investors, auditors, business partners, consumers — that argument looks increasingly deluded.
For example, if you’re a financial firm subject to the cybersecurity rules from the New York Department of Financial Services, your CISO already has to certify the effectiveness of data classification, access control, and other cybersecurity measures. If that demand leads the CISO to implement sub-certifications from operating business units and other lower-level employees, then why wouldn’t you tailor that sub-certification program to be sure it supports the disclosures you’re also making in SEC filings? (Or consider the converse: you make one set of statements about cybersecurity to certify DFS compliance, and then have other statements about cybersecurity in SEC filings with no attestations to back them up. That sounds like a litigation nightmare waiting to happen.)
It’s also quite possible that many of the cybersecurity measures you’d put in place to achieve SOX compliance — say, controls for user access to financial data, or controls to govern ERP software — are the same measures that underpin whatever discussion of cybersecurity risk management you’d include in the 10-K to satisfy those new SEC proposals. Somebody in your organization is probably attesting to the effectiveness of those measures; they’re SOX controls, after all.
In other words, as CISOs and IT auditors wonder whether they might need to start attesting to the effectiveness of cybersecurity controls — the truth is that in many instances, somebody in the organization already is (or should be) making those attestations.
So it’s a short leap of logic to say you might as well formalize the effort and provide that much more coverage over the company’s rear end. Because, fundamentally, the demand for assurance over cybersecurity is not going away any time soon.
OMG, SOX All Over Again!
Critics will say that re-inventing the wheel of SOX certifications to encompass cybersecurity is invasive and unnecessary. Indeed, that’s pretty much what SEC commissioner Hester Peirce said back in March, when she objected to the proposals for enhanced disclosure of cybersecurity issues:
The enumerated disclosure topics likely make sense for many public companies, but securities regulators are not best suited to design cybersecurity programs to be effective for all companies, in all industries, across time. The proposal’s detailed disclosure obligations on these topics will have the undeniable effect of incentivizing companies to take specific actions to avoid appearing as if they do not take cybersecurity as seriously as other companies.
That last bit about “incentivizing companies to take specific actions” could certainly include attestations. Peirce is warning us that by giving companies a long list of disclosures to make, the SEC is subtly pressuring companies to take specific steps on cybersecurity so those companies can then disclose, “Yep, we do all the best practices and we’re awesome” — except, of course, those steps come at a cost. Which ultimately is borne by shareholders.
I suppose that’s a fair point in whatever abstract, rarified world Peirce inhabits. In the real world that compliance officers, IT auditors, and senior executives encounter every day, we’re already well along the road to attestations for effective cybersecurity. Business partners want that assurance. Regulators such as New York DFS want it. Insurance firms underwriting cyber breach disclosures want it.
In that case, a better use of audit and compliance professionals’ time might be to consider how to integrate that reality into your cybersecurity planning as efficiently as possible. Think more about automating cyber controls, designing control systems that need fewer attestations, identifying existing attestation requirements that could meet cybersecurity assurance needs, and so forth. Show me the world of 2028 or 2030 where such efforts won’t be necessary — because when I look at the evolution of IT and cybersecurity risk, I see no such alternative.
It may well end up that cyber attestations are a lot like democracy: the worst form of governance there is, except for all the others.