In this two-part conversation, public accounting experts from the CPA firm Wolf & Co. provide insights on current trends in public company compliance. In this first conversation, we discuss cybersecurity regulatory trends with Jerry Gagne, who heads Wolf’s risk services practice.
The Podium: Hello, Jerry. Thank you for joining us. In today’s discussion, we wanted to focus on cybersecurity. This seems like a hot area right now and of great interest to boards of directors. What issues are you seeing right now with cybersecurity?
JG: We deal with several types of regulated companies, whether they be public companies, financial services or healthcare. These are companies that are required to have cybersecurity controls in place. I believe first, we need to start by defining cybersecurity. I look at it as information security, which is confidentiality of information, where only the people who are supposed to see specific data can see it. Then there’s integrity of information – that the information you’re looking at is correct. And finally, availability of the data. That is, will it be available when I need it?
The Podium: So confidentiality, integrity and availability. That’s information security?
JG: Exactly. The nuance for cybersecurity is that we have an increasingly connected world. The connections you have to vendors, customers and suppliers are far greater than they were in the past. That creates the potential for a business problem.
The Podium: Many times, it’s the audit committee that is tasked with cybersecurity. Is that appropriate?
JG: You’re right, it’s usually the audit committee that is forced to deal with it. But really, cybersecurity is a broader issue, a board-level issue. I think that’s an important distinction. Every board member should have some accountability and responsibility for understanding what the risks are and what the business is doing to control them.
The Podium: Do you see companies setting up cybersecurity committees? It seems like we are at that point.
JG: We are now seeing cybersecurity training of the board. Boards also are appointing a central committee to report back on what the threats are, which threats are relevant to the company and what the company is doing to protect itself.
The Podium: Are there any rules about disclosing cyber “incidents”? Do you see that happening in the near future?
JG: Right now, there is no public company requirement to report every cybersecurity breach. Public companies are required to report incidents of a “material” nature. But these fall under a different standard that covers cybersecurity and a host of other areas.
On the broker-dealer and investment adviser side, the SEC has announced cybersecurity guidelines. These include having in place risk assessment, a corporate governance structure dedicated to cybersecurity and an information security officer with a reporting line independent of the IT organization.
The Podium: Many regulatory agencies want to know how a company is responding to the cybersecurity threat. How do companies demonstrate that?
JG: A good place to begin is to belong to InfraGard or other information sharing organizations. There are many popping up, helping organizations share information back and forth around cyber threats. One of the things the bad guys are better at is sharing information. For instance, if I have nefarious intent and find a vulnerability in a banking system or in a technology, I can pass that word along to other bad guys, and create kits to exploit it quickly. However, if I’m a public company and my system becomes infected, I usually keep it quiet and don’t tell anyone. So what the industry is doing is creating a Neighborhood Watch program, so to speak, where if a company’s backdoor is attacked, or something doesn’t look right, I can tell other companies to watch out for that threat. These information sharing sites help companies improve their cyberattack response times.
The Podium: Who is setting up those sites?
JG: The federal government. It’s all within Homeland Security. InfraGard is a major organization, but there are others.
The Podium: What are some things companies should be doing to protect themselves from cybersecurity threats?
JG: First is governance and risk protection. For example, putting in place the infrastructure to understand what threats you are facing. Second is information sharing and training – that’s huge. It’s understanding the threats seen by others in your organization or in your industry and then training employees on how to respond to those threats. For instance, during training, we will test an organization’s cybersecurity awareness by sending phishing emails. That’s something all companies should do. We’ll send the email to an organization and start with everyone in the company. It will use someone’s name from within the organization and ask users to click on a link to verify their health insurance information. Once they click on the link, they’ll be asked to enter their username and password. We’ll capture those credentials, and then the simulation will end. At the end of the test, we will share our findings with the CEO and CIO and show them that if we received a high response rate, they have a serious cybersecurity problem.
The Podium: What sorts of cybersecurity education are available for companies?
JG: We offer training to boards at the highest level. We’ll relate current events to how their company could be affected by a similar cyber threat. We’ll discuss the Target or JPMorgan breach, for example. If we know the company well, we can triangulate the risks with what the organization is already doing in order to assess any gaps.
The Podium: Who are the primary actors in cyberattacks?
JG: Typically, these are nation-states looking for secrets, but they could also be corporations. Take the St. Louis Cardinals, for example, when they were accused of hacking the Houston Astros’ internal network to steal closely guarded information about Astros players. That would be corporate espionage. There’s also hacktivism, where someone has been offended by your organization and seeks revenge. For our practice, we mostly see the economic threat. It’s not nation-states but people looking to sell private information.
The Podium: How do companies typically respond when you bring up a potential threat to their cybersecurity?
JG: Many times, companies point to their business continuity plan and say, ‘I have a plan, so I’m ready if there is an incident.’ But in a business continuity plan, usually an office or systems become unavailable, and the thought process is around bringing those systems back online. By contrast, in a cybersecurity incident, the systems are already running. In those cases, the response plan should detail how to detect the threat, how to contain it and how to shut down systems. It’s a different mindset.
The Podium: Thank you, Jerry. We look forward to speaking with you and some of your colleagues at Wolf & Co. next time, when we’ll discuss new public company accounting regulations, audit, technology and other current compliance trends.