HR 5069, the Cybersecurity Systems and Risks Reporting Act, was introduced last week in the House. It would modify Sarbanes-Oxley by adding cybersecurity reporting requirements that are missing in the current law. While there is a long road to follow between being introduced and being enacted, it might be smart to consider what the bill is saying.
Given the cybersecurity preparedness of many companies, both big and small, whether the bill passes this year or not, publicly traded companies should look at what is being proposed and begin the long journey to add cyber risk to their financial governance process.
Remembering that the bill language could change significantly before it is passed into law (if it makes it that far), what does the bill say? Here are a few details.
- The definition of audit is changed by adding information systems to financial statements; i.e., an audit would cover both information systems and financial statements.
- Audit committees would be responsible for reviewing financial and cybersecurity systems reporting processes.
- The definition of professional standards would be modified to add cybersecurity systems standards and practices.
- In addition to modifying the above definitions, three new terms are defined – information system, cybersecurity system and cybersecurity risk.
- Information systems means a set of activities involving people, processes, data or technology which enable the user to obtain, generate, use and communicate information. Those are not the exact words, but it is a very broad definition.
- The bill adds responsibility for information systems to the existing responsibility for financial reports and adds a requirement for a principal cybersecurity systems officer.
- The bill adds assessment of information systems controls to the existing internal controls assessment, calling for adequate internal control and cybersecurity systems structures and procedures for financial and information systems reporting.
- Finally, the bill requires the disclosure of cybersecurity systems experts on the audit committee and requires the SEC to define that term.
There are some oddities in this bill. For example, why do we only care about the cybersecurity of systems used for financial reporting, other than that this is where SOX's main focus is?
Whether the government could get enough qualified people to oversee such a program is questionable.
And, finally, whether Congress has the will to pass a major extension to SOX in an election year is unknown.
Still, remember how CISA finally got passed. At the last minute, it was inserted into a must-pass spending bill. Congress is well known for sticking unrelated things it wants to happen into bills that are either popular or must be passed.
What this bill is saying is that the Board and company management need to be held accountable for managing cyber risk, just as they are responsible for managing the rest of financial risk.
I would go even further to say that cyber risk is just a form of financial risk and should be part of the financial audit process. Just ask Target or Sony whether a cyber breach has a significant impact on the financial statements.
Whether this bill passes or not, I think that it is time for businesses to start treating cyber risk like the financial risk that it is, whether the government tells them that they have to or not.
Information for this post came from Chemical Facility Security News.