Cybersecurity: Where We Are; What More Can be Done? A Call for Auditors to Lean In

Date: May 2, 2019

Speaker: Kathleen M. Hamm, Board Member

Event: Baruch College 18th Annual Financial Reporting Conference

Location: New York, NY

I. Introduction

Good afternoon, everyone. Thank you for that kind introduction. And thank you to Baruch College's Robert Zicklin Center for Corporate Integrity for inviting me to speak here today. It is wonderful to be part of the 18th Annual Financial Reporting

Conference.[1]

This center and the Public Company Accounting Oversight Board (PCAOB) have much in common. We were both created at a time when corporate and accounting scandals dominated the headlines, and public confidence in U.S. business was shaken.

By sponsoring forums like this one, the center helps private-sector executives and public-policy makers probe a broad range of complex contemporary issues confronting U.S. corporations and the capital markets.

We at the PCAOB wrestle with many of the same issues. Our mission calls on us to protect investors and the public interest by overseeing one particular aspect of the financial reporting ecosystem: the preparation of informative, accurate, and independent audit reports.

Today, I'd like to discuss an emerging area for our oversight: cybersecurity. Specifically, I'd like to explore the dangers posed by cyber and how cybersecurity presents a threat to our financial reporting system and capital markets. I'd also like to share my thoughts on what more audit professionals can do to strengthen the cybersecurity and resiliency of our financial reporting system.

But before I do, let me give you a brief update on what the PCAOB accomplished last year and where we are heading.

II. Update on the PCAOB

This April marked the first full year with an entirely new PCAOB board in place. A board that by design brought together members with diverse expertise, skill sets, and perspectives. Over much of the past year, my colleagues and I have worked hard, individually and collectively, to understand and assess the PCAOB's core programs and operations.[2] We have also probed whether and how we can improve the PCAOB's ability to more effectively accomplish our mission.

Last month the PCAOB published our 2018 annual report, the first annual report reflecting the oversight of the new board.[3] Some of the significant highlights were:

These results reflect some of the key priorities identified during a far-reaching strategic planning process that we began last year. That process started with the board querying our personnel bottom to top on what the PCAOB did well and where we could do better. We also reached out to a broad, diverse set of external stakeholders for their views and suggestions. We conducted a public survey, one-on-one interviews, and board members embarked on listening tours.[4]

After extensive consultation and deliberation inside and outside, last November we published our five-year strategic plan.[5] That plan has five goals.

Two look inward – becoming more efficient and effective with our resources, and empowering our people for success and prudent risk-taking to promote our mission. The remaining three goals look outward.

These external strategies are:

III. The Promise; the Threat

Why is technology a key strategic imperative for us? While we don't know precisely how or when, we do know that emerging technologies and data analytics will fundamentally change the way financial information is reported, how audits are conducted, and ultimately how we at the PCAOB perform our work.

Companies now perform more and more finance tasks using algorithms and robotic process automation.[6] They are also increasing their use of advanced analytics and artificial intelligence in their financial reporting.[7]

Auditors in turn are exploring new approaches to technology and analytics to perform their assurance function. Today some auditors use drones for inventory observations. Tomorrow data analytics could replace sampling techniques with analysis of all transactions and accounts. Eventually blockchain and distributed ledger technology could make confirmations a thing of the past.

Technology offers the promise of combining increased efficiencies with improved effectiveness, resulting in enhanced audit quality. Freed from time-consuming manual reviews, technology may provide auditors with more time to exercise their business and financial expertise. That time could help auditors sharpen their professional skepticism and their ability to more effectively identify indicators of error or fraud. That additional time could also allow auditors to more deeply probe the potential root causes of identified issues and concerns.

But, for all their promise, emerging technologies present real risks. Coding errors present inherent threats. Some occur during development. Others can occur when changes are made after deployment. Still other errors may lay dormant for extended periods of time. Some experts estimate that between 15 and 50 coding errors exist in every one thousand lines of code.[8] Given the complexity of many software applications and solutions, many of which contain millions or tens of millions of lines of code, the risk of material errors is not trivial.[9]

A threat also exists of unintended, or algorithmic, bias. This bias occurs when systematic, repeatable errors in software or computer systems cause unfair outcomes, arbitrarily favoring one result over another. Bias can emerge from the design of an algorithm itself or through unintended or unanticipated uses of the algorithm. For example, software designed to automate the analysis of real-estate leases may prove feeble at analyzing equipment leases. Bias can also occur from the way data is coded, collected, selected, or used to train algorithms. These algorithms underpin machine learning and related artificial intelligence solutions.[10]

Unauthorized access to information systems and data also presents a significant threat. Amplifying this threat is how interconnected we all are to one another through technology and communication networks and systems. This interconnection occurs through domestic and international telecommunication, financial, retail and wholesale payment, and clearing and settlement systems; it also occurs through the internet.

IV. Setting the Stage

a. The Internet and the "Internet of Things"

Today we communicate and engage in commerce through the internet. Organizations of all types – energy, transportation, healthcare, financial services, nonprofits and humanitarian groups, governments – operate on the internet. Vast amounts of personal and other data are accessible there too.

Initially designed in the late 1960s to provide known, trusted users access to one another, interoperability was a key characteristic of the internet: That is, the ability for different networks, systems, devices, and applications to connect, exchange, and use data across organizations and sovereign borders. Security was an afterthought at best.

And now everyday objects, so-called "Internet of things" or "IoT" devices, are connected to the internet as well. Personal computers, smartphones, cars, thermostats, wearable gadgets, lights, and cardiac monitors to name a few – send and receive huge amounts of data largely unfettered by country boundaries.

To fully appreciate the magnitude, scope, and speed of this change, think about this: In 2003 – just a year after the PCAOB and this center were established – a half a billion devices were connected to the internet around the globe.[11] Fast forward 17 years. By next year, internet-connected devices are expected to have increased 60 fold to almost 31 billion.[12] This translates into nearly four devices for every man, woman, and child on the planet.

With this unprecedented access and interoperability comes peril. Until recently though, much like the internet itself, little thought was typically given to the security of these devices. This means 31 billion potential access point for criminals, hacktivists, independent digital malcontents, and rogue nation states.

b. Cyber threat

Earlier this year, the U.S. Director of National Intelligence released a report outlining the gravest dangers facing the United States and our intelligence community's proposed response to those dangers.[13] One of those threats was cybersecurity and resiliency. The threat includes the loss of proprietary and sensitive information, the manipulation and destruction of data, systems, and networks, and even the harming of physical assets, as well as the related costs and undermining of confidence in our institutions.

While acknowledging heightened awareness of cyber threats and improved cyber defenses, the report was sobering in its conclusion that "nearly all information, communication networks, and systems will be at risk."[14] The report continues that our adversaries – both state and non-state actors – are using cyber access and capabilities to advance their own strategic and economic interests. As we integrate technology into everything we do – critical infrastructures, communication networks, and consumer devices – the report notes that cyber threats will pose increasing risk to our economic prosperity and public health and safety.[15]

Similarly, last January the World Economic Forum highlighted the rising dependencies of economies on internet connectivity and digital information, citing data fraud or theft and cyber-attacks as the fourth and fifth most likely sources of global risk in 2019.[16] In its prior year report, the forum highlighted a study that projects that cybercrime will cost businesses $8 trillion over the next five years.[17] On a related point, reinsurer Munich Re estimates that the market for cyber-risk insurance could reach $8 to $9 billion in premiums by 2020, double the amount of premiums written just two years earlier.[18]

Now let's put a finer point on specifically how cyber threats can affect financial reporting.

i. Data breaches and disclosure obligations

One example: Just over a year ago, the SEC brought a settled enforcement action against the company formerly known as Yahoo! Inc. for misleading investors by failing to disclose one of the world's largest data breaches.[19] Yahoo's successor, Altaba, paid a $35 million penalty. This was the SEC's first action against a company for a cybersecurity disclosure violation.

To recap, in late 2014, hackers associated with the Russian Federation infiltrated Yahoo's systems and stole personal data relating to hundreds of millions of user accounts. Within days of the intrusion, Yahoo's information security team understood that the company's so-called "crown jewels" had been ex-filtrated. This stolen data included: the usernames, email addresses, phone numbers, birth dates, encrypted passwords, and security questions and answers for the compromised accounts. While information on the breach was reported to Yahoo's senior management and legal department, the company failed to properly investigate the incident or adequately consider whether the breach needed to be disclosed to investors. The company also kept its auditors and outside lawyers in the dark. The breach was only disclosed publicly more than two years later, when Yahoo's operating business was being sold to Verizon Communications, Inc. Ultimately, because of the breach, Verizon lowered its purchase price for Yahoo by $350 million, representing a 7.25 percent discount.

Among other things, the SEC found that Yahoo failed over a two-year period to make required disclosures about the breach and its potential business impact and legal implications in its quarterly and annual reports. In those filings, instead of disclosing that an actual breach had occurred, the company merely stated that it faced the risk of, and potential negative effects from, data breaches. Importantly, the SEC also found that Yahoo failed to appropriately design and maintain effective disclosure controls and procedures to ensure the timely assessment and escalation of cyber-incidents.

Relatedly, earlier this year, $29 million was paid to settle a private, derivative lawsuit alleging that the former directors and officers of Yahoo violated their fiduciary duties of care by failing to properly oversee the company's handling of a series of cyberattacks from 2013 to 2016. These cyberattacks allegedly involved as many as three billion user accounts and included the data breach that formed the basis of the SEC's enforcement action.[20] Of note, this settlement also represented another first: It was the first monetary recovery in a derivative action involving a data breach. Until then, settlements of data breach-related derivative lawsuits included governance changes and modest attorney fees, but no cash awards.

ii. Cyber-enabled fraud

Another example: Last October, the SEC issued an investigative report highlighting a specific type of cyber-enabled fraud that victimized nine public companies.[21] It involved criminals using manipulated – or spoofed – email addresses and domains to impersonate company executives and vendors to dupe employees into making unauthorized payments.

Over the course of weeks or months, each of the nine companies lost at least $1 million, with one losing more than $45 million. Collectively, the companies lost nearly $100 million. Most of the money was not recovered. In some instances, the frauds were only detected after inquiry from law enforcement or an outside party.

What exactly happened?

The scams came in two varieties. The first type involved criminals masquerading as company executives sending emails to mid-level finance employees with authority to transmit funds. The emails typically made urgent requests for funds to be wired to the purported foreign bank accounts of well-known law firms to facilitate supposed fast-moving mergers. The emails also instructed employees to keep the requests secret. Then instead of going to the law firms, the funds were wired to bank accounts controlled by the criminals.

The second more sophisticated variant involved criminals hacking into the actual email accounts of companies' foreign vendors. After fooling company employees into revealing actual purchase order and invoice information, the hackers then tricked employees into replacing the vendors' payment information with routing information to bank accounts controlled by the hackers.

While declining to bring enforcement actions against the companies, the SEC used the report to underscore the obligations of public companies to devise and maintain sufficient systems of internal accounting controls. By statute, those systems must provide reasonable assurance that access to company assets and execution of company transactions are only done in accordance with the general or specific authorization of management.[22]

According to the SEC, the hackers succeeded in large part because company personnel were unaware of, or did not understand, their companies' internal controls. Those employees also failed to recognize multiple red flags indicating that a fraudulent scheme was underway. The Commission further cautioned public companies to be mindful of cyber threats when designing and maintaining internal accounting controls.

To put these threats in context, the FBI estimates that business email compromises have cost companies more than $5 billion over the past five years.[23] Given the likelihood of underreporting, the actual figure might be higher. In fact, some empirical evidence suggests that companies withhold information from investors on more severe cyberattacks, especially when management appears to believe that the attacks will not be discovered independently.[24]

V. Role of Auditors

What is the role of the auditor as it relates to these and other cybersecurity threats facing our financial reporting system?

a. Limited but important role

First, let's level set.

Today, based on our current standards, an auditor of public company financial statements plays an important, but limited, role with respect to cybersecurity. The auditor does not broadly evaluate the company's overall cybersecurity risk or the design and effectiveness of operational and other non-financial controls adopted by the company to mitigate that risk.[25]

Instead, as it relates to cybersecurity, the auditor focuses on information technology (IT) that the public company uses to prepare its financial statements. The auditor also focuses on automated controls around financial reporting, such as the controls around the reliability of underlying data and reports.[26] When doing integrated audits, the auditor also separately evaluates those companies' internal controls over financial reporting (ICFR). [27]

With respect to cybersecurity disclosures by a public company, the financial statement auditor plays two distinct, but likewise limited, roles. For cybersecurity-related incidents reflected in the financial statements themselves, the auditor evaluates whether those statements taken as a whole are fairly presented in accordance with generally accepted accounting principles, in all material respects. For example, if a company establishes a material contingent liability for an actual cyber-incident, then the auditor would need to evaluate, in the overall context of the financial statements, the appropriateness of the disclosure of that liability in the footnotes to those statements.

The auditor plays an even more limited role when cyber-related information is not contained in the financial statements themselves but elsewhere in a company's annual report. Here the auditor need not corroborate the information in the report. Instead, the auditor need only read and consider whether the cyber-related information in that report, or its presentation, is a material misstatement of fact or materially inconsistent with the information in the financial statements.[28]

b. Risk assessments

Can auditors do more?

Unless an organization runs entirely on manual processes without using technology or the internet, I believe auditors should consider cybersecurity as part of their audit risk assessment. While Benedictine nuns and monks in a monastery atop a mountain copying the Bible by hand on vellum, using quills, and natural-made inks comes to mind, few other enterprises are totally devoid of cybersecurity risk, particularly public companies.[29]

We know some auditors are laser focused on cybersecurity and have taken steps to specifically consider cyber when assessing the risk of material misstatements in the financial statements of public companies.

Whether or not a cyber-incident has occurred, during the planning process an auditor must perform a risk assessment, and I believe that assessment should consider any cybersecurity risks that could have a material effect on the company's financial statements.[30] If the auditor identifies a risk related to cybersecurity that could have a material effect on a company's financial statements, the auditor should then design and execute procedures to address those risks.[31] For an integrated audit, this work would include testing relevant controls.

To begin the risk assessment, an auditor must obtain an understanding of the company and its external and internal environment. This understanding, of course, includes the company's IT systems relevant to financial reporting, along with any related subsystems. This also includes understanding the potential access points into these systems, as well as the logical access controls over the systems.[32]

As part of the risk assessment, I believe the auditor should also understand the methods used by the company to prevent and detect cyber-incidents that could have a material effect on the financial statements: the company's processes that block and identify attempted unauthorized transactions or access to assets, as well as employees' familiarity with those processes. Other areas of focus should include the company's processes to assess and address material cyber-incidents once identified. This includes understanding, for example, how the company ensures timely evaluation and reporting up the management ladder of material cyber-incidents. It also includes how the company ensures appropriate escalation to the board and timely consideration of disclosure obligations to investors and others.

When performing these risk assessments, I encourage auditors to think broadly. Why? As companies become more and more digitally linked with their vendors, customers, and employees, the potential entry points and attack surfaces multiple. We also know that threat actors usually target the weakest link to gain entry, a website or an email account. And once inside, threat actors typically seek to move laterally throughout an organization's IT architecture looking to gain access to systems they can exploit. As a result, an auditor should be clear-eyed about the risk that attackers can operate under the guise of legitimate users, ultimately accessing a company's systems or subsystems that support the financial reporting process.

c. Responding to cyber-incidents

Even if a specific cybersecurity incident has not been identified, it is important for an auditor to remain professionally skeptical throughout the audit. Why? According to a recent study, the average time to identify a breach is 196 days – more than six months.[33] Therefore, a real possibility exists that a breach has occurred and has not yet been identified or disclosed to the engagement team.

What is the auditor's responsibility if a company experiences a cyber-incident? Of course, the auditor must assess the nature and extent of the breach, including what was stolen, altered, or destroyed. The auditor should also consider the expected effect of the breach on the company's operations. Armed with this information, the auditor should consider the financial implications of the breach.

The financial effects could include the loss of revenue from disrupted operations and the costs associated with securing, reconfiguring, and replacing systems. Costs could also include the fees associated with conducting forensic inquiries and defending against enforcement investigations and civil actions, as well as the payment of regulatory fines and monetary penalties to harmed private parties.

Beyond that, the auditor should also assess whether the incident resulted from a deficiency in the company's internal controls over financial reporting and whether the company has put in place procedures to prevent similar future incidents. The auditor should also explore with management and the audit committee the nature and type of disclosures that the company is considering in its financial statements or the notes to those statements.

The auditor's obligation to assess the risk of material misstatement continues throughout the audit.[34] Therefore, if during the audit, the auditor obtains information about a cyber-incident, then the auditor should evaluate whether that incident has an effect on the previously performed risk assessment. If so, the auditor would need to revise the risk assessment and appropriately modify the planned audit procedures; potentially performing additional procedures. Regardless of the effect on the risk assessment, the auditor would need to document relevant considerations of the cyber-incident on the audit.[35]

Finally, even when a cyber-incident may appear not to be material to the financial statements, if the auditor becomes aware of a possible illegal act related to the incident, the auditor would need to assure themselves that the company's audit committee was adequately informed as soon as practical. Such an instance could occur if management, notwithstanding a legal requirement, failed to timely disclose a breach of customers' personally identifiable information.[36]

VI. Conclusion

Cybersecurity represents one of the most significant economic, operational, and national security threats of our time. It is a key risk to investors and our capital markets as well.

So, how do we respond? One thing is for sure: We all must take responsibility. The government, private institutions, and individuals each share responsibility for protecting our individual and collective assets and each other from cyber threats.

Public companies and their officers and directors have important roles as well. So do auditors.

Thank you for giving me the opportunity to share my views on this important topic.

[1] The views I express here are mine alone, and do not necessarily reflect the views of the PCAOB, my fellow board members, or the PCAOB staff.

Thank you to Emily Adams, an accounting intern with my office from the University of Georgia, whose terrific research helped inform these remarks. Thank you as well to Robert Ravas and Treazure Johnson who helped me deepen my thinking on this topic. Any errors or omissions are mine alone.

[2] The PCAOB's four core duties are: (1) registering public accounting firms, (2) conducting inspections, (3) setting standards, and (4) pursuing disciplinary actions when warranted.

[3] PCAOB 2018 Annual Report.

[4] We heard from investors, audit committee and board members, chief financial officers, and others who play significant roles in preparing and evaluating financial statements. We spoke with an array of auditors. The SEC chairman, commissioners, and staff shared their views. Academics and foreign regulators weighed in.

[5] PCAOB 2018 – 2022 Strategic Plan.

[6] Accenture Strategy, From Bottom Line to Front Line, Accenture (Sept. 2018).

[7] Id.

[8] S. McConnell, Code Complete, 2nd ed. Microsoft Press, Redmond, WA (2004).

[9] Information is Beautiful, Codebases: Millions of Lines of Code (Sept. 24, 2015).

[10] Algorithmic bias creates most concern when it reflects "systematic and unfair" discrimination, both obvious and latent. Only recently has this bias been considered in legal frameworks, such as the 2018 European Union's General Data Protection Regulation. A bill was introduced in Congress last month, the Algorithmic Accountability Act of 2019, which would require large companies to audit their machine-learning systems for bias and discrimination, and take timely action to correct any identified.

[11] CISCO, The Internet of Things: How the Next Evolution of the Internet Is Changing Everything at 2 (Apr. 2011).

[12] Sam Lucero, IoT Platforms: Enabling the Internet of Things IHS Technology at 5 (Mar. 2016).

[13] Office of the Director of National Intelligence, National Intelligence Strategy of the United States of America (Jan. 2019).

[14] Id. at 11 (emphasis added).

[15] Id. at 4-5.

[16] World Economic Forum, The Global Risk Report 2019 at 5 (Jan. 15, 2019).

[17] World Economic Forum, The Global Risk Report 2018 at 15 (Jan. 17, 2018).

[18] Munich Re, Cyber Policies: More Than Just Risk Transfer (Oct. 9, 2018).

[19] Altaba Inc., f/d/b/a Yahoo! Inc., SEC Accounting and Auditing Enforcement Release No. 3937 (Apr. 24, 2018).

[20] Oath Yahoo provides notice to additional users affected by previously disclosed 2013 data theft (Oct. 3, 2017).

[21] U.S. Securities and Exchange Commission, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Exchange Act Release No. 84429 (Oct. 16, 2018).

[22] Sections 13(b)(2)(b)(i) and (iii) of the Securities Exchange Act of 1934; 15 U.S.C. § 78m (b)(2)(b)(i) & (iii). Not all public companies must adhere to these requirements. Instead, companies required to adhere to Section 13(b)(2) must either have securities registered with the SEC pursuant to Section 12 of the Exchange Act or are required to file periodic reports with the SEC pursuant to Section 15(d) of the Exchange Act. 15 U.S.C. § 78m (b)(6). In this context, reasonable assurance means the degree of assurance that "would satisfy prudent officials in the conduct of their own affairs." 15 U.S.C. § 78m (b)(7).

[23] FBI, 2017 Internet Crime Report at 4 (May 7, 2018).

[24] Eli Amir, Shai Levi, and Tsafrir Livne, Do Firms Underreport Information on Cyber-Attacks? Evidence from Capital Markets, Review of Accounting Studies (June 19, 2018).

[25] Two years ago, in May 2017, the American Institute of Certified Public Accountants (AICPA) issued a guide on the performance of a new cybersecurity assurance engagement that would cover all cyber-related risks and controls at entities. AICPA, Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls (May 1, 2017). That engagement has three parts. First, management would provide a narrative description of the company's cybersecurity risk management program and the ways in which the company identifies, controls, and reduces its cyber risks. Second, management would then attest to whether the controls implemented are suitably designed and are operating effectively. Finally, the auditor would opine on the accuracy and completeness of management's description as well as whether the cybersecurity controls are suitably designed and are operating effectively in achieving the company's cybersecurity objectives.

[26] AS 2110, Identifying and Assessing Risks of Material Misstatement, Appendix B, Consideration of Manual and Automated Systems and Controls.

[27] AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.

[28] AS 2710, Other Information in Documents Containing Audited Financial Statements.

[29] The Saint John's Bible, The Saint John's Bible Media Fact Sheet (Oct. 2012).

[30] AS 2110.04 and .05.

[31] Paragraph .03 of AS 2301, The Auditor's Responses to the Risks of Material Misstatement.

[32] AS 2110.07 and Appendix B.

[33] Ponemon Institute, 2018 Cost of a Data Breach Study: Global Overview at 33 (July 2018).

[34] AS 2110.74.

[35] Paragraph .12f of AS 1215, Audit Documentation.

[36] Paragraph .17 of AS 2405, Illegal Acts by Clients.