Comparison of Cybersecurity Guidance
On April 13, 2018, the AICPA issued a comparison of its guidance (for both public and private entities) and the SEC’s guidance (for public companies) on cybersecurity, “Communications of Cybersecurity Incidents: Comparison Between SEC Release 33-10459 and the AICPA’s Cybersecurity Risk Management Framework.” In the comparison, the AICPA identifies the following similarities:
- Both describe cybersecurity processes and controls that should be designed and implemented for a robust cybersecurity risk management program.
- Both support the need for a robust program to manage an entity’s unique cybersecurity risks.
- Both include criteria for processes and controls necessary to effectively communicate material cybersecurity events to key shareholders.
- Both recognize that senior management and the board of directors should have effective oversight over the processes and controls in the program, including:
- Setting the “tone at the top” that cybersecurity matters are important
- Assessing identified deficiencies
- Monitoring the results of in-house cybersecurity controls evaluations
- Overseeing corrective actions
A difference noted in the comparison is that the SEC’s guidance addresses the need for corporate insiders to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents. That requirement is not included in the AICPA’s framework.
Also, on July 17, 2018, the AICPA cohosted a webinar, “Putting Cyber Risk in Context: Lessons From the 2018 Cyber Balance Sheet Report.”