Issues Central - Cybersecurity

Canadian National Instrument 52-109 and COSO 2013: Cyber Security Risk Management

Cathy Connally Corporate Governance, Financial Compliance, Uncategorized

When it comes to cyber security, look no further than COSO 2013 for guidance. For companies listed on North American Stock Exchanges, cyber security is becoming an ever more important risk factor to be managed.  National Instrument 52-109, Quarterly and Annual CEO/CFO Certifications certifying officers are “responsible for establishing and maintaining disclosure controls and procedures (DC&P) and internal control over financial reporting (ICFR)”… and to disclose any material weaknesses.

A majority of smaller to mid-sized companies  have not regarded IT controls and cyber security as top priorities in their design, implementation of internal controls. They have preferred to concentrate only on those controls that directly relate to financial statement reliability. This was a mistake under COSO 1992. With COSO 2013, it is unacceptable because specific guidance for use and implementation of technology exists in two Principles.

COSO 2013

“Principle 11 (The organization selects and develops general control activities over technology to support the achievement of objectives. (Control Activity) and Principle 13 (The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control. (Information & Communication)”

COSO 2013 was modified because of the massive changes in today’s business models and reliance on information technology compared to COSO 1992. Therefore ignoring IT controls and cyber security would be in direct contravention to some of the changes that have been made to these important updates for COSO 2013. Some would argue that most if not all COSO 2013 Principles are integral to cyber security. I would agree with that but for the purpose of this blog entry we will discuss principles 11 and 13 in detail because they are directly addressing these areas of concern around technology controls.

A very fundamental requirement in COSO 2013 is that all 17 Principles and COSO components must be “Present and Functioning” at all times.  This is achieved through setting of objectives, assessing and managing risk and implementing controls that achieve these objectives.

Assuring that the principles and COSO components are “Present and Functioning” is especially important when it comes to IT controls and cybersecurity since even a temporary lapse in these controls can be deadly.

In this vein, The US Securities and Exchange Commission (SEC) issued an article by Commissioner Luis A. Aguilar called The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsized Businesses on October 19th 2015. In this very timely article, they note that “Small and Mid-Sized Businesses “SMBs” are not just targets of cyber crime, they are its principle target”

This is quite alarming because in the recent cyber attack on Target stores, it took time for information to be disclosed that Target Stores had in fact been penetrated via its contracting arrangements with a smaller HVAC company who was providing support services for much larger Target Stores.  Therefore if small to mid-sized companies are going to do business with larger companies, their IT security and protections from cyber crime are going to be ever more critical in order to retain the relationships of these larger partners.

To this end, the US government has been instrumental in trying to introduce tools and preventative techniques to assist organizations of all sizes (from any country) to combat and prevent cybercrime. Version 1 of Framework for Improving Critical Infrastructure Cybersecurity  (Cybersecurity Framework) from the National Institute of Science and Technology (NIST), issued February of 2015, is delivering on promises to provide such tools.

This Cybersecurity Framework with Prosyn specialists provides an excellent way for companies to expand and augment what is required for public companies under the COSO 2013 Principles 11 and 13. The Cybersecurity Framework allows companies to evaluate their maturity level on risk management around IT security.  It uses a 4 Tier system just to assists organizations in understanding where they are regarding risk management on IT and cybersecurity and potentially where they want to progress to.

The  Cybersecurity Framework  is written in plain terms and is meant to be read and implemented by Boards and Senior Officers . This is critical, because cyber governance and risk management begins at the top as does all corporate governance. Cybersecurity needs to be put on the agenda at Board of Directors’ meetings because it is a top risk that needs to be managed. Certifying officers (CEOs and CFOs) must certify that all types of risks are managed and where material risks exist, they need to be disclosed.

For companies listed on Canadian companies listed on the TSX and TSX-V, Canadian Securities Administrators issued CSA Staff Notice 11-326 Cybersecurity in September, 2013 indicating that “Issuers…who have not considered the risks of cyber crime to date should consider how they can best address the risks of cyber crime….” and “ Issuers… should review their cyber security risk control measures on a  regular basis”. This should be enough to let public company Boards and Certifying Officers that this is a high liability area not to be ignored.

You only need to look at the horrifying example of Nortel Networks. They had no idea that they had been penetrated by a cyberattack and valuable intellectual property stolen until years later. This was a key reason for the demise of the company. If your cyber security controls are inadequate, attacks and theft of sensitive and/or valuable information may have occurred right under your nose. Shareholders are relying on the Board and Certifying officers to manage and disclose material cyber risks.

To learn more on how to manage cyber risks and disclose risks appropriately, attend Issues Central’s  Corporate Governance and I.T./Cybersecurity – What Boards and Senior Officers Need to Know