Back in May 2020 the Cyberspace Solarium Commission wrote to the Securities and Exchange Commission (SEC) to encourage it to exercise its authority under section 404 of the Sarbanes-Oxley Act to include cyber risk reporting, recognising the material impact that cyber attacks have on the balance sheets of publicly traded companies. SEC guidance around material risk and reporting under SOX has developed since its inception in 2002. At the time, cyber was not considered a risk which materially impacted financial statements. This has changed over the past 20 years: the growth of nation-state-led cyber operations and cyber crime has turned cyber attacks into a real threat to corporate balance sheets and to materiality. Ransomware attacks are the predominant cyber threat and, for most organisations covered by the SEC, can prevent an organisation from trading in any capacity, affecting both trading and financial reporting.
The request supports PCAOB concerns that cyber incidents have prompted material misstatements of financial statements and have affected trading performance. Remaining able to trade without significant interruption, meeting reporting timelines and reporting accurately are foundations of trading on SEC-covered markets, and they also underpin the oversight of credit rating agencies and access to capital. They are likewise key measures by which the market regulator holds the leadership teams of publicly traded companies to account.
The Solarium Commission supported a risk-based approach to cyber security, the need to provide guidance outlining what ‘adequate’ internal controls for cyber security could look like, and the adoption of a NIST cybersecurity framework. This is a further example of cybersecurity standards being recommended within the US, in this case one which could impact any publicly traded company and its leadership team.