
Navigating enhanced cybersecurity regulations

Authored by:

  • Doron Rotman, Managing Director, Technology Assurance – Audit, 乐鱼(Leyu)体育官网 LLP
  • Maksim Vander, Managing Director, Technology Assurance – Audit, 乐鱼(Leyu)体育官网 LLP
  • Christopher Montone, Director, Technology Assurance – Audit, 乐鱼(Leyu)体育官网 LLP
  • Ruixiang Wu, Director, Technology Assurance – Audit, 乐鱼(Leyu)体育官网 LLP

Companies are facing cyberattacks every day, with large organizations across industries reporting hackers gaining access to customer information, taking down IT systems and often making demands for ransom payments. As cyberattacks become more frequent and sophisticated, organizations are facing increased stakeholder calls and regulatory requirements to show they are protecting their information appropriately. According to a recent 乐鱼(Leyu)体育官网 survey[1], 83% of companies suffered a cyberattack in the past year, and respondents said it took them an average of one month to fully contain the attack.

The Securities and Exchange Commission (SEC) is undertaking a comprehensive effort to increase cybersecurity preparedness and resilience for all registrants. This spring, new cybersecurity reporting requirements[2] for public companies are expected, enhancing and standardizing risk management, strategy, governance and incident disclosures. The SEC also released proposed cybersecurity rules for broker-dealers and other market entities[3] and opened comments on rules for registered advisers and funds[4] in March 2023. At the same time, the SEC is enforcing large penalties against some companies for misleading disclosures around past cyberattacks. Additionally, in April 2023, the Public Company Accounting Oversight Board listed cybersecurity among its top priorities for this year's inspections.[5]

With the increased focus on cybersecurity from regulators, customers and investors, executives have a growing responsibility to understand their company's cyber risks and the state of its cyber programs. As a baseline, with oversight from the board, management should be preparing now to comply with the SEC's final rules on cybersecurity disclosures. Going beyond regulatory compliance, it is imperative to understand how your organization is positioned to detect, mitigate and remediate cybersecurity threats and vulnerabilities in its information systems, and how well it is positioned for business continuity and overall cyber incident resilience.

Assessing your organization's current cyber risk

As a first step, management should evaluate the organization's current situation, laying the groundwork for a strategy for enhancing the organization's cyber maturity, achieving SEC compliance and reassuring customers, investors and other stakeholders that appropriate safeguards are in place. Key questions may include:

  • Does management understand how mature the organization's cyber programs are in relation to others in the same industry?
  • Is there appropriate insight into the current and future business, regulatory and compliance impacts of cyber risks on the organization's supply chain, both upstream and downstream?
  • Has any risk assessment been performed to understand how the organization may be impacted by the current or future SEC proposals and regulations?

Third-party assessments and attestations are tools for management and the board to understand the organization's current cyber readiness and respond to stakeholder demand for transparency. A cyber maturity assessment is a way for the financial reporting and internal controls function to get a clear, easily digestible view of the organization's current cyber program benchmarked against other organizations of similar size and industry. A cybersecurity-focused SOC report can provide attestation for cyber controls.

Leaders should consider assessments that include potential vulnerabilities along the supply chain, which are often exploited by bad actors. With increased pressure from stakeholders throughout the supply chain to obtain varying levels of cybersecurity assurance, management may look to shift the organization's assessment of its cybersecurity posture from the historically acceptable self-attestation approach to assessments or attestation engagements performed by an independent third party. This level of independent attestation can clearly demonstrate to vendors and customers that appropriate governance and controls are in place to protect their sensitive data and reduce exposure to their IT environment.


Mapping out the future

With an understanding of the organization's starting point, management can plot out a path to compliance with SEC cyber regulations, transparency in response to stakeholder demand and organizational resilience.

Updating the internal communications plan

Questions to ask:

  • How does the Information Security function disseminate information to key stakeholders in financial reporting and internal controls, including the board, audit committee and controller?
  • At what frequency do these communications occur?

Even when no cyber incident has been identified, cybersecurity update meetings should be held at defined frequencies to ensure all key stakeholders are equipped with the latest pertinent information. Establishing clear communication and reporting lines for identified cyber incidents is critical to ensuring that those charged with financial reporting and internal controls are informed at the appropriate time to consider the implications for Internal Controls over Financial Reporting and to achieve compliance with any SEC regulations.

Preparing for a potential cyberattack

Questions to ask:

  • Does management, with oversight from the Audit Committee, have fulsome cybersecurity incident response and recovery plans and procedures in place?
  • Does management understand how potential cybersecurity incidents will be triaged and ultimately communicated to key stakeholders responsible for reporting to the SEC if a breach is identified? Are those reporting mechanisms in place?

Management should review and update cyber incident response policies and procedures, including a clear delineation of responsibilities of the cybersecurity and risk management teams, management's disclosure committee, and the legal department, plus escalation procedures to determine materiality, and preparation and review of disclosures.

With board oversight, management should test the cyber response plan and procedures, including documenting the cyber incident, evaluating it for materiality, drafting the disclosure and reviewing incidents in the aggregate. In its rule for public companies, the SEC will expect a materiality determination to be made “as soon as reasonably practicable,” which may require judgment. Audit committees and boards should confirm that management has a plan for escalating incidents to the disclosure committee and legal team to make the final materiality determination.

Know before you go

As regulatory requirements around cybersecurity increase and threats from cybercriminals become more severe, it will be crucial to manage risks by ensuring governance is in place to protect sensitive information. Management can lead the way through uncharted waters by bolstering cyber maturity ahead of coming regulations.

Footnotes

[1] 乐鱼(Leyu)体育官网 LLP, “A triple threat across the Americas: 乐鱼(Leyu)体育官网 2022 Fraud Outlook,” 2022.

[2] 乐鱼(Leyu)体育官网 LLP, “SEC proposes cybersecurity rules,” March 2022.

[3] 乐鱼(Leyu)体育官网 LLP, “SEC Proposals on Cyber Risk Management for Market Entities,” 2023, /us/en/articles/2023/sec-roposals-on-cyber-risk-management-for-market-entities.html

[4] 乐鱼(Leyu)体育官网 LLP, “Cybersecurity: SEC Proposal for Adviser/Fund Risk Management,” 2022, /us/en/articles/2022/sec-cybersecurity-reg-alert-feb-2022.html

[5] Public Company Accounting Oversight Board, “Spotlight: Staff Priorities for 2023 Inspections,” April 2023.
