Catherine Ide is the managing director of professional practice and member services at the Center for Audit Quality (CAQ), where she leads and advances regulatory and policy strategies that promote the professional practice and audit quality agendas.
Previously, Ide served as director of audit at the global law firm of Fragomen, Del Rey, Bernsen & Loewy. In that role, she helped create the firm’s internal audit and compliance function. While at Fragomen, Ide developed and launched their global practice review audit plan to more than 46 offices worldwide.
Prior to Fragomen, Ide was in the audit practice at PwC for more than 15 years, most recently as a senior manager in PwC’s Chief Auditor Network providing auditing advice and technical guidance on auditing standards, policies and methodologies at the local engagement level – particularly related to areas of internal and external inspection findings.
Christopher P. Skroupa: How can a company identify and properly disclose material cybersecurity risks and incidents?
Catherine Ide: Management, directors and others within a company need to understand that cybersecurity is an enterprise-wide risk management issue, not just an IT issue. Maintaining comprehensive cybersecurity policies that help companies detect, respond to, mitigate and recover from breaches and other security events is critical. These policies and procedures should be evaluated periodically for their effectiveness in helping management to identify material cybersecurity risks and incidents and to be able to disclose them properly.
Skroupa: Who within an organization should be gathering the information for cyber reporting?
Ide: Cybersecurity is a shared responsibility. Disclosure controls and procedures related to cybersecurity should be structured in a way that helps inform a company’s directors, officers and other persons responsible for developing and overseeing such controls about the cybersecurity risks and incidents that the company has faced or is likely to face. This will likely take a combined effort, with input from not only the CIO and/or the CISO and management, but also internal audit, the office of general counsel, and others responsible for overseeing enterprise-wide risk and compliance. Open dialogue with technical experts and disclosure advisers is critical.
Skroupa: What guidance does the Securities and Exchange Commission (SEC) provide to companies regarding disclosure of cyber risks?
Ide: Since 2011, the SEC has said that companies may be obligated to disclose cybersecurity risks and incidents. This year, the SEC updated that guidance to provide more clarity around cybersecurity disclosure and oversight for management and boards of directors, including audit committees.
Specifically, SEC guidance now highlights that disclosure controls and procedures are more likely to be effective when directors and officers are involved in that oversight. It also reminds public companies of the laws and rules relating to insider trading and selective disclosure.
Skroupa: What type of cyber-related information needs to be reported to directors and other stakeholders?
Ide: Organizations and their stakeholders need timely, useful information about organizations’ cybersecurity risk management efforts. More and more, directors and senior management are requesting reports on the effectiveness of their cybersecurity risk management programs from independent third parties.
In response to this rising demand, the American Institute of CPAs (AICPA) has developed a voluntary, market-based solution to enhance public trust in company communications about cybersecurity risk management. The AICPA’s Cybersecurity Risk Management Reporting Framework comes with key criteria that management and CPAs can use to evaluate and enhance cybersecurity risk management reporting.
Equipped with the framework and the criteria, CPAs can then perform an examination-level attestation engagement, known as a SOC for Cybersecurity examination. Taken together, the framework, criteria and examination are designed to meet the needs of a broad range of potential report users who need useful information about an entity’s cybersecurity efforts.
Catherine Ide will be moderating on a panel entitled Cybersecurity Reporting: A Collaborative Approach to Cybersecurity Risk Management Disclosure at The Future of Corporate Reporting on July 10 in New York, NY.