Given the frequency, magnitude, and cost of cybersecurity incidents, the Securities and Exchange Commission (SEC) recently issued its “Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Securities Exchange Commission 2018). This guidance suggests that public companies should take actions to inform investors about material cybersecurity risks and incidents in a timely fashion. This guidance includes companies that are subject to material cybersecurity risks, but may not yet have been the victim of a cyber-attack.

To disclose cybersecurity risks and incidents within the prescribed timeframe, companies must implement disclosure controls and procedures. Companies are required to provide an appropriate method to identify relevant risks and incidents, and related risks’ potential material impact on companies’ businesses, financial conditions, and results of operations (Securities Exchange Commission 2018).

Problem Requirements

P3 (a) Assume that you are the controller for a midsize company. You learn that your company experienced a cybersecurity breach impacting several servers during the current fiscal period. When you inform the CFO about this, you are asked to identify the next steps to determine the impact of the breach. (4 points)

P3 (b) Assume you learn the following further information. Identify how each piece of information would impact your next steps. For example, learning that financial close process information was stored on the breached server increases the potential that the breach may materially impact the company’s financial position. (1.5 points each for total of 9 points)

1. A number of Excel spreadsheets that are used to complete the financial closing process were on the breached server.

2. None of the spreadsheets or other server data contain Personally Identifiable Information (PII)

3. The breach occurred because of an unpatched server. The patch was for a known vulnerability.

4. A cybersecurity firm was hired to eliminate the breach and ensure that patch management processes were updated in a manner to avoid a repeat breach.

5. The servers remained available throughout the breach.

6. It is believed that no data were stolen; however, management and the cybersecurity firm acknowledge that data could have been copied from the server.

P3 (c) Based on the additional information above, what do you recommend as next steps? (3 points)

Answer rating: 100% (QA)

P3 a The first step is to determine the extent of the breach and what if any data may have been comp... View the full answer