Stuart Gelfond, Una Dean, Dave N. Rao and Justin Sedor
Abstract
Purpose
To discuss the new guidance on public companies’ disclosure obligations regarding cybersecurity risks and incidents, which was recently unanimously approved by the Securities and Exchange Commission (SEC).
Design/methodology/approach
Outlines the general disclosure requirements and the materiality standard set forth by the SEC, explains specific guidance on public company cybersecurity disclosure, and discusses cybersecurity risk management and insider trading policies.
Findings
In addition to clarifying the disclosure requirements with respect to cybersecurity issues, the article discusses two additional areas of concern identified by the New Guidance that public companies should consider in the context of cybersecurity and related disclosure. First, public companies must design and maintain policies and procedures to help manage cybersecurity risks and respond to incidents as they occur. Second, public companies should consider adopting insider trading policies that specifically prohibit management and other corporate insiders from trading on the basis of material non-public information regarding a cybersecurity risk or incident.
Originality/value
Practical analysis of the guidance on disclosure obligations regarding cybersecurity risks and incidents, including discussion surrounding two aspects of cybersecurity not previously addressed in prior SEC staff guidance on the topic.
Aldo M. Leiva and Michel E. Clark
Abstract
Purpose
To examine the COVID-19 pandemic’s effects on regulated entities within the context of cybersecurity, US Securities and Exchange Commission (SEC) compliance, and parallel proceedings.
Design/methodology/approach
Describes the SEC’s ability to conduct its operations within the telework environment, its commitment and ability to monitor the securities market, its enhanced monitoring of the adverse effects of COVID-19 on SEC-regulated companies, its guidance to public companies on disclosure obligations related to cybersecurity risks and incidents, the SEC Office of Compliance and Examinations’ (OCIE’s) focus on broker-dealers’ and investment advisers’ cybersecurity preparedness, the role and activities of the SEC Division of Enforcement’s Cyber Unit, and parallel proceedings on cyberbreaches and incidents by different agencies, branches of government or private litigants.
Findings
SEC-regulated entities face many challenges in trying to maintain their ongoing business operations and infrastructure due to severe financial pressures, the threat of infection to employees and customers, and the cybersecurity risks that hackers and fraudsters pose to remote operations. The SEC has reemphasized that its long-standing focus on cybersecurity and resiliency within the securities industry will continue, including ongoing vigilance over companies’ efforts to identify, assess, and address the inherent, heightened cybersecurity risks of teleworking and the resource reallocation that businesses need to sustain their operations until a safe and effective vaccine is developed for COVID-19.
Originality/value
Expert analysis and guidance from experienced lawyers with expertise in securities, litigation, government enforcement, information technology, data protection, privacy and cybersecurity.
Abstract
Purpose
The purpose of this paper is to explain the SEC's recent guidance on disclosure obligations related to cybersecurity risks and cyber incidents.
Design/methodology/approach
The paper provides an overview of the guidance, including the recommended treatment of cybersecurity and cyber incident considerations in a company’s discussion of risk factors, MD&A, description of business, disclosure of legal proceedings, financial statement disclosures, and disclosure controls and procedures. The paper recommends steps that companies should take in light of the guidance, including a review of cybersecurity practices, cyber disclosure, disclosure controls and procedures, Regulation S-P information security policies and procedures, and other legislative and regulatory proposals relating to cybersecurity.
Findings
The SEC staff guidance clarifies that even though the SEC's existing disclosure rules do not specifically reference cybersecurity, public companies should consider the growing importance of cybersecurity and make appropriate disclosures “consistent with the relevant disclosure considerations that arise in connection with any business risk”.
Originality/value
The paper provides expert guidance by experienced financial services lawyers.
Elina Haapamäki and Jukka Sihvonen
Abstract
Purpose
This paper aims to update the cybersecurity-related accounting literature by synthesizing 39 recent theoretical and empirical studies on the topic. Furthermore, the paper provides a set of categories into which the studies fit.
Design/methodology/approach
This is a synthesis paper that summarizes the research literature on cybersecurity, introducing knowledge from the extant research and revealing areas requiring further examination.
Findings
This synthesis identifies a research framework that consists of the following research themes: cybersecurity and information sharing, cybersecurity investments, internal auditing and controls related to cybersecurity, disclosure of cybersecurity activities and security threats and security breaches.
Practical implications
Academics, practitioners and the public would benefit from a research framework that categorizes the research topics related to cybersecurity in the accounting field. This type of analysis is vital to enhance the understanding of the academic research on cybersecurity and can be used to support the identification of new lines for future research.
Originality/value
This is the first literature analysis of cybersecurity in the accounting field, and it has significant implications for research and practice by detailing, for example, the benefits of and obstacles to information sharing. This synthesis also highlights the importance of the model for cybersecurity investments. Further, the review emphasizes the role of internal auditing and controls to improve cybersecurity.
Abstract
Purpose
The purpose of this study is to examine how financial analysts deal with cybersecurity information in their investment analysis process and whether they find cybersecurity disclosures in companies’ financial reports useful.
Design/methodology/approach
Investment managers/financial analysts and chief information security officers (CISOs) at seven institutional investors were interviewed.
Findings
Not all financial analysts consider cybersecurity risk in their investment analyses. Those who do look at company strategy, how the company integrates cybersecurity into its processes and whether it has certified its cybersecurity information. The financial analysts use this qualitative information to adjust the results of their quantitative analysis. They do not find boilerplate or cursory cybersecurity information in financial reports to be useful. In fact, they view it as unreliable and prefer drawing on other information sources to assess the company’s cybersecurity risk.
Practical implications
The results of this study highlight to securities regulators that reported cybersecurity information is of limited usefulness. Regulators are challenged to revisit their disclosure requirements. Companies wishing to improve the usefulness of their cybersecurity information should provide more company-specific information.
Originality/value
To the best of the authors’ knowledge, this study is the first to look at financial analysts’ perception of cybersecurity-related information. It complements findings from prior market studies by adding new insights into the way influential market participants deal with this information in their investment analysis process.
Mohammed Mehadi Masud Mazumder and Dewan Mahboob Hossain
Abstract
Purpose
Cybersecurity disclosure (CSD) provides users with valuable information and significant insights about a firm's susceptibility to cyber risk and its management. It is argued that the board of directors, with its oversight role, should be vigilant in managing cyber risk and disclosures. This study aims to measure the extent of CSD of the banking companies and examines the association between the characteristics of board composition (i.e. board size, board independence and gender diversity) and CSD.
Design/methodology/approach
This study adopted automated content analysis to find out the extent of CSD in the listed commercial banks of an emerging country, Bangladesh, where CSD is voluntary. Further, multiple linear regression is applied to determine the relationship between board composition and CSD.
Findings
The findings reveal an increasing trend of CSD over the sample period (2014–2020). The study confirms a significant positive relationship between board independence and CSD. The study also demonstrates that the higher presence of female directors on the board is associated with higher CSD. However, no consistently significant relationship is found between board size and CSD.
Research limitations
The study is based on listed banking companies only. Hence, the results cannot be generalised to companies in other sectors. Also, it is important to acknowledge that we focused on the quantity (not the quality) of CSD contained in annual reports.
Practical implications
The study provides an overall understanding of current trends in CSD in the banking sector of a developing country. Regulators may use our findings to understand the current level of CSD and assess the need for issuing guidance in this regard. The association between board composition and CSD has implications both for banks when selecting board members and for policymakers when establishing requirements concerning board composition under corporate governance guidelines.
Originality/value
This is one of the very few studies in the context of an emerging economy where CSD is voluntary. The paper contributes to a narrow stream of research investigating CSD and its association with board composition. Notably, it contributes to understanding how board composition is associated with CSD in the banking industry, which is highly exposed to cyber risk.
Saeed J. Roohani and Xiaochuan Zheng
Abstract
With recent increases in cybersecurity incidents, it is imperative to supplement the current accounting curriculum, equip accounting graduates with sufficient knowledge and skills to assess cybersecurity risk, and teach them about controls to mitigate such risks. In this chapter, the authors describe 10 teaching modules, supported by 10 professionally produced video series. The authors developed these videos for educating students on cybersecurity, and the videos are available free to instructors from other institutions who wish to use them. The videos are filled with insights and advice from our two experts – one a former hacker and the other an experienced cybersecurity professional. This dialogue between two different sides provides a rich discussion that answers many questions people often have about cybersecurity. Further, in Exhibit 1, this chapter offers a framework for characterizing and analyzing some recent publicized data-breach cases, which can supplement discussion in the cybersecurity modules. Instructors can add more cases to this source over time. Finally, the authors share the analysis of feedback from students who went through the series. The results suggest that the students show interest in the topic, and that the videos helped them better understand the complexity of cybersecurity risk and controls.
Michael Clark and Charles E. Harrell
Abstract
Purpose
This paper aims to familiarize readers with the nature and extent of the risks that listed companies and their boards of directors face by not turning their attention to ensuring the cyber-security of their operations and by not disclosing cyber-episodes and their impact on operations, as suggested by the SEC’s Division of Corporate Finance.
Design/methodology/approach
This article provides an overview of the recent developments that led the SEC’s Division of Corporate Finance to issue non-binding guidance on cyber-security. It then analyzes the importance of cyber-security in today’s marketplace; the business sectors that already must comply with statutory and regulatory duties to safeguard private information; the applicable duties of directors under Delaware law; and the enforcement activities against companies that have experienced data breaches. It closes with a discussion of private class actions that have sought damages claimed to have resulted from the negligence of companies and their boards in fulfilling their duties to protect such information from theft due to inadequate systems and protective measures.
Findings
The SEC Division of Corporate Finance’s voluntary disclosure guidance concerning cyber-security offers various non-binding reasons for listed companies to report on cyber-events that may be material to business operations or profitability. Listed companies and their boards face enforcement and private litigation risks in the event of a cyber-incident because of the heightened interest in cyber-security, the considerable costs likely incurred as a result of a cyber-event, and the duties they owe to exercise appropriate oversight in the face of known risks.
Originality/value
The paper provides a practical explanation of developing issues by experienced corporate and litigation lawyers.
David Martin, David Engvall, Kerry Burke, Gerald Hodgkins, Matthew Franker and Reid Hooper
Abstract
Purpose
To summarize and explain the US Securities and Exchange Commission’s (Commission) recent report of investigation cautioning public companies to consider cyber-related threats when designing and implementing internal accounting controls.
Design/methodology/approach
Explains that the Commission’s report arose out of an enforcement investigation into the internal accounting controls of nine unidentified public companies that were victims of email scams; that the Commission issued the report to emphasize that cybersecurity remains a high priority for the Commission; and that the report should serve as a reminder that all public companies need to consider cyber-related threats when devising and maintaining internal accounting controls. Provides practical considerations for public companies in light of the Commission’s report.
Findings
Public companies should assume that the Commission is actively monitoring all areas related to cybersecurity, including corporate disclosures of cyber-related incidents and also whether companies have established policies, procedures, and internal controls in place to ensure cyber-related incidents are prevented. Given that assumption, public companies should take prompt steps to assess and, if appropriate, improve internal accounting controls, disclosure controls, and cyber-related policies and procedures to address the risk of cyber-related incidents.
Originality/value
Practical guidance from experienced securities lawyers.
James Guthrie, Francesca Manes Rossi, Rebecca Levy Orelli and Giuseppe Nicolò
Abstract
Purpose
The paper identifies the types of risks disclosed by Italian organisations using integrated reporting (IR). This paper aims to understand the level and features of risk disclosure with the adoption of IR.
Design/methodology/approach
The authors use risk classifications already provided in the literature to develop a content analysis of the integrated reports published by Italian organisations.
Findings
The content analysis reveals that most of the Italian organisations incorporate many types of risk disclosure into their integrated reports. Organisations use this alternative form of reporting to communicate risk differently from how they disclose risks in traditional annual financial reporting. That is, the study finds that the organisations use their integrated reports to disclose a broader group of risks, related to the environment and society, and do so using narrative and visual representation.
Originality/value
The paper contributes to a narrow stream of research investigating risk disclosure provided through IR, adding to the understanding of the role of IR in representing organisational risk.