September 17, 2019

September 17, 2019

Subscribe to Latest Legal News and Analysis

September 16, 2019

Subscribe to Latest Legal News and Analysis

Public Company Accounting Oversight Board (PCAOB) Focuses on Cybersecurity at Standing Advisory Group Meeting

Panelists at the PCAOB’s June 25 Standing Advisory Group Meeting discussed cybersecurity and the potential implications for financial reporting and auditing. Some of the highlights from the panel include the following:

  • Companies need internal controls to prevent and detect cyber attacks generally, including controls to prevent and, more importantly, detect a cyber attack on a company’s information technology (IT) accounting system.

  • Companies should continually assess the controls related to their IT accounting system to ensure that the controls are up to date.

  • A cyber attack of a company’s IT accounting system could involve, or could suggest the risk of, manipulation by the cyber attacker of the company’s books and records, which could affect financial statements.

  • Even if a review of the cyber attack shows that someone can read only the electronic financial information, such access may be covered by a company’s internal control over financial reporting.

  • A cyber attack may have an indirect effect on financial statements by requiring the future recognition of asset impairments and loss contingencies and may require a company to reconsider projections.

  • According to one panelist, companies are not doing a good job when it comes to establishing controls that enable them to detect cyber attacks. Specifically, the panelist estimated that, in 75% of the 3,000 cyber attacks that the government reported to companies, the companies had not detected the cyber attack. The panelist did not say whether the inability to detect the cyber attack suggested that the companies’ detection controls were not adequate or that detection controls could not be updated sufficiently to anticipate new cyber attack methods.

  • If a company’s financial position is not sound, a cyber attack might require an assessment as to whether the company continues to be a going concern.

  • One panelist asserted that the notion that cybersecurity is first an issue for auditors and the audit committee is misguided because cybersecurity is the responsibility of the entire board.

  • A deputy chief accountant of the SEC noted that, from a management perspective, cybersecurity is an issue that transcends internal control over financial reporting and reliable financial reporting because there are also business and operational risks, risk factor disclosure and internal accounting controls extending beyond internal control over financial reporting, which management must keep at the forefront of its mind.1


1In this regard, the SEC’s Office of Compliance Inspections and Examinations attached to a risk alert in April 2014 a document request that it uses in connection with its assessment of cybersecurity preparedness in the securities industry. This list may be helpful to all companies in identifying controls, standards, and policies that could be used to address cyber threats. In addition, the Financial Industry Regulatory Authority (FINRA) indicated in its 2014 Regulatory and Examination Priorities Letter that cybersecurity remains a priority for FINRA, with its primary focus being “on the integrity of firms’ policies, procedures and controls to protect sensitive customer data. FINRA’s evaluation of such controls may take the form of examinations and targeted investigations.”

Copyright © 2019 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Linda Griggs, Securities attorney, Morgan Lewis
Senior Counsel

Linda L. Griggs’s practice focuses on securities regulation and corporate law matters. She draws on her experience as a former chief counsel to the chief accountant of the US Securities and Exchange Commission (SEC) to advise clients on issues related to financial reporting, accounting, and other disclosure requirements under securities laws and public and private securities offerings. Linda also advises clients on the fiduciary duties of directors and officers, as well as corporate governance matters.​​

202.739.5245
Sean Donahue, Capital markets lawyer, Morgan Lewis
Partner

Sean M. Donahue counsels public companies across the United States on activist defense matters. As a member of the firm’s market-leading shareholder activism defense practice, he advises public companies in high-profile proxy contests, activist shareholder campaigns, contests for corporate control and negotiated and contested mergers and acquisitions (M&A). Sean also advises public companies and their boards of directors on the latest techniques for lessening a company’s vulnerability to activist shareholders, board advisory matters, and the implementation of takeover defenses.​​

202-739-5658