By Matt Kelly

Allow me to begin this post with a confession. For a long time, I believed cybersecurity risks weren’t that important to internal control over financial reporting. 

Today I understand that such a statement is crazy, but hear me out. Once upon a time there was a certain logic to that view—and that logic is worth considering, because it says much about how cybersecurity threats have evolved over the years. That evolution, in turn, has big implications for an organization’s approach to internal control.

First, remember that for most of the last 20 years or so, the most serious and high-profile cybersecurity breaches were privacy breaches. Hackers would penetrate a company’s IT defenses, copy as much personal data as they could find, and then abscond with those records to sell them on the dark web. 

To be clear, those privacy breaches could be costly disasters for a company. You would need to pay remediation costs such as identity theft protection to consumers and new privacy controls; and suffer through expensive regulatory probes, with potentially painful penalties at the end. 

But how do any of those burdens jeopardize financial reporting? 

After all, a privacy breach doesn’t require you to restate financial results. The costs of the breach all happen in subsequent periods, and they can be recorded just like any other expense. 

Or let’s say the threat was a business email compromise—where, for example, attackers impersonate the CFO in an email to the controller, and dupe him or her into wiring company money to an overseas account. 

For a “BEC” to harm financial reporting, the stolen amount would need to be material. Well, in 2020 the average revenue for an S&P 500 firm was $24.1 billion and average operating income was $2.5 billion. If we peg materiality at 1 percent, that would be $241 million and $25 million, respectively. Perhaps some corporations large enough to rank among the S&P 500 are so cavalier with cash controls that they’ll wire that much money on nothing more than an email—but really, how often would that happen? Large companies can be bad at ICFR, but few are that bad.

Hence my previous belief that cybersecurity threats, pernicious as they might be, weren’t directly relevant to ICFR. 

Then came my conversion.

What Changed? The Nature of the Risk

In the last several years, two types of cyber attacks have arrived with a vengeance. First are ransomware attacks, which encrypt your data or mission-critical systems until your company pays a ransom. Second are unauthenticated attacks, where attackers find a vulnerability in your ERP software system and use it to penetrate your data center. From there, the hackers can exfiltrate data, change balance entries, or even execute commands such as a wire transfer to an outside account. All without ever hitting an access control, which also means there is nothing to review in your audit logs.

Both types of attacks have existed for years, but only recently have they become epidemic. For example, research firm IDC estimates that 37 percent of large organizations globally were hit by ransomware in 2021; the FBI received 2,000 ransomware complaints in the first half of 2021, a 62 percent increase from 2020. 

Last year we also saw unauthenticated attacks such as Recon (targeting vulnerabilities in SAP systems) and BigDebIT (targeting Oracle) hit the corporate IT landscape. Another, Log4j (a weakness in Java software), is battering corporate IT systems right now. 

These attacks are categorically different from privacy breaches because they hijack the company’s ability to govern its operations—and with that shift, suddenly internal control over financial reporting becomes much more urgent. 

For example, if your business doesn’t maintain effective patch management and hackers use an unauthenticated attack to alter your account balances or wire $100 million to parts unknown—that can lead to a financial restatement. Or if a ransomware attack locks out your sales order system for a week, that could be a material loss for the quarter. 

The critical issue is that these attacks prevent a company from controlling its assets and transactions. For example, the Securities and Exchange Commission defines the elements of internal control as follows:

Ransomware and unauthenticated attacks violate pretty much every one of the above points. A privacy breach, in contrast, really only violates that third point about access to assets (personal data). A privacy breach doesn’t involve a “transaction” per se, and the data is only copied and exfiltrated rather than stolen. You can suffer a massive privacy breach and still use those personal data assets for another marketing campaign next week. 

But when ransomware or a cyber attack seizes your company’s assets—either hard assets like cash, or more abstract assets like time spent using IT systems to drive revenue—those assets are gone forever. 

Hence my conversion. In the modern IT landscape, cybersecurity threats can be a mortal danger to effective and reliable financial reporting. External auditors, internal auditors, and regulators will all need to start treating it as such—which has profound implications for design of internal controls, testing, documentation, and even collaboration between SOX compliance and IT security teams. 

Food for thought as you stare at that next suspicious email, or that next alert to upgrade your software ASAP.
