Question
Cybersecurity Disclosures
Understanding the Role of Management and Responsibilities of the Financial Statement Auditor Related to Cybersecurity Disclosures
In September 2017, Securities and Exchange Commission (SEC) Chairman Jay Clayton stated, "I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important." [3]
The SEC is focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Investor groups have also asked company boards to strive for transparency in reporting efforts to prevent and mitigate cyber threats. [4]
In 2011, the SEC's Division of Corporation Finance (Division) issued disclosure guidance. Under that guidance, a company may determine it is necessary to disclose cybersecurity risks in various places throughout its Form 10-K (e.g., risk factors, management's discussion and analysis [MD&A], legal proceedings, business description, and/or financial statements). [5]
While the 2011 SEC staff guidance remains applicable, in February 2018 the SEC updated its disclosure guidance to reinforce and expand on the 2011 guidance. The new guidance addresses two topics not developed in the 2011 guidance, namely the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context. [6]
In the 2018 guidance, the SEC emphasized the importance of ensuring that periodic reports such as the Form 10-Q continue to provide timely and ongoing information on material cybersecurity risks and incidents. The SEC also emphasized that companies must maintain disclosure controls and procedures, and that management must evaluate their effectiveness.
The SEC staff has communicated publicly that it intends to focus more on companies' disclosures about cyber
incidents and their cybersecurity programs. The following are questions that board members with cybersecurity
risk oversight may use to clarify management's role and the auditor's responsibilities related to cybersecurity
disclosures.
Questions
The Role of Management
1. In complying with the current SEC guidance, how has management considered cybersecurity risks in its ability to record, process, summarize, and report on information required to be disclosed in its SEC filings?
2. What disclosure controls and procedures are in place to help ensure that the disclosures comply with the SEC's guidance regarding the importance of a company being able to make accurate and timely disclosures of material cyber events? [7]
3. Have the design and operating effectiveness of the disclosure controls and procedures been evaluated to ensure they appropriately record, process, summarize, and report on information required to be disclosed in the company's SEC filings?
4. How is management considering the current SEC guidance with respect to cybersecurity on risk factors, MD&A, and financial statement disclosures?
5. In the event of a cybersecurity breach, what processes and controls are in place to help ensure that appropriate levels of management and board members with cybersecurity risk oversight are involved in the review of the related disclosures, if appropriate?
6. Has the company considered its insider trading policies in the event of a material cyber incident? Are appropriate policies and procedures in place to guard against company executives and other insiders taking advantage of the period between the company's discovery of a cybersecurity incident and public disclosure?
Questions
The Role of the Financial Statement Auditor
1. What does the financial statement auditor consider related to cybersecurity disclosures included in the Form 10-K or other documents that include the audited financial statements?
2. How do those considerations differ when cybersecurity-related information is included in another company document (e.g., a press release)?
3. If the company had a material contingent liability for an actual cyber incident, what is the financial statement auditor's responsibility with respect to the company's assessment of any related financial statement disclosure(s)?
4. What is the financial statement auditor's responsibility if a cyber incident material to the financial statements is discovered after the balance sheet date but before the auditor's report on the financial statements is issued?
Submit your Word document, addressing all of the questions above. Be sure to include at a minimum 3 scholarly sources.