Industries

Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more

Navigating enhanced cybersecurity regulations

Authored by:

  • Doron Rotman, Managing Director, Technology Assurance – Audit, KPMG LLP
  • Maksim Vander, Managing Director, Technology Assurance – Audit, KPMG LLP
  • Christopher Montone, Director, Technology Assurance – Audit, KPMG LLP
  • Ruixiang Wu, Director, Technology Assurance – Audit, KPMG LLP

Companies are facing cyberattacks every day, with large organizations across industries reporting hackers gaining access to customer information, taking down IT systems and often making demands for ransom payments. As cyberattacks become more frequent and sophisticated, organizations are facing increased stakeholder calls and regulatory requirements to show they are protecting their information appropriately. According to a recent KPMG survey[1], 83% of companies suffered a cyberattack in the past year, and respondents said it took them an average of one month to fully contain the attack.

The Securities and Exchange Commission (SEC) is undertaking a comprehensive effort to increase cybersecurity preparedness and resilience for all registrants. This spring, new cybersecurity reporting requirements[2] for public companies are expected, enhancing and standardizing risk management, strategy, governance and incident disclosures. The SEC also released proposed cybersecurity rules for broker-dealers and other market entities[3] and opened comments on rules for registered advisers and funds[4] in March 2023. At the same time, the SEC is enforcing large penalties against some companies for misleading disclosures around past cyberattacks. Additionally, in April 2023, the Public Company Accounting Oversight Board listed cybersecurity among its top priorities for this year’s inspections.[5]

With the increased focus on cybersecurity from regulators, customers and investors, executives have a growing responsibility to understand their company’s cyber risks and the state of cyber programs. As a baseline, with oversight from the board, management should be preparing now to comply with the SEC’s final rules on cybersecurity disclosures. Going beyond regulatory compliance, it’s imperative to understand how your organization is positioned to detect, mitigate and remediate any cybersecurity threats and vulnerabilities with respect to information systems as well as business continuity and overall cyber incident reliance.

You are here: Assessing your organization’s current cyber risk

As a first step, management should evaluate the organization’s current situation, laying the groundwork for a strategy for enhancing the organization’s cyber maturity, achieving SEC compliance and reassuring customers, investors and other stakeholders that appropriate safeguards are in place. Key questions may include:

  • Does management understand how mature the organization’s cyber programs are in relation to others in the same industry?
  • Is there appropriate insight into the current and future business, regulatory and compliance impacts of cyber risks on the organization’s supply chain, both upstream and downstream?
  • Has any risk assessment been performed to understand how the organization may be impacted by the current or future SEC proposals and regulations?

Third-party assessments and attestations are tools for management and the board to understand the organization’s current cyber readiness and respond to stakeholder demand for transparency. A cyber maturity assessment is a way for the financial reporting and internal controls function to get a clear, easily digestible view of the organization’s current cyber program benchmarked against other organizations of similar size and industry. A cybersecurity-focused SOC report can provide attestation for cyber controls.

Leaders should consider assessments that include potential vulnerabilities along the supply chain, which are often exploited by bad actors. With increased pressure from stakeholders throughout the supply chain to obtain varying levels of cybersecurity assurance, management may look to shift the organization’s assessment of its cybersecurity posture from the historically acceptable self-attestation approach to assessments or attestation engagements performed by an independent third party. This level of independent attestation can clearly demonstrate to vendors and customers that appropriate governance and controls are in place to protect their sensitive data and reduce exposure to their IT environment.

Insight
Audit Insights
KPMG is a firm with a history of doing great work and making a difference.

Mapping out the future

With an understanding of the organization’s starting point, management can plot out a path to compliance with SEC cyber regulations, transparency in response to stakeholder demand and organizational resilience.

Updating the internal communications plan

Questions to ask:

  • How does the Information Security function disseminate information to key stakeholders in financial reporting and internal controls, including the board, audit committee and controller?
  • At what frequency do these communications occur?

Even when a cyber incident has not been identified, cybersecurity update meetings should be held at defined frequencies to ensure all key stakeholders are equipped with the latest pertinent information. Establishing clear communication and reporting lines for identified cyber incidents is critical for ensuring those charged with financial reporting and internal controls are informed at the appropriate time to consider implication on Internal Controls over Financial Reporting and achieve compliance with any SEC regulations.

Preparing for a potential cyberattack

Questions to ask:

  • Does management, with oversight from the Audit Committee, have fulsome cybersecurity incident response and recovery plans and procedures in place?
  • Does management understand how potential cybersecurity incidents will be triaged and ultimately communicated to key stakeholders responsible for reporting to the SEC if a breach is identified? Are those reporting mechanisms in place?

Management should review and update cyber incident response policies and procedures, including a clear delineation of responsibilities of the cybersecurity and risk management teams, management’s disclosure committee, and the legal department, plus escalation procedures to determine materiality, and preparation and review of disclosures.

With board oversight, management should test the cyber response plan and procedures, including documenting the cyber incident, evaluating it for materiality, drafting the disclosure and reviewing incidents in the aggregate. In its rule for public companies, the SEC will expect a materiality determination to be made “as soon as reasonably practicable,” which may require judgment. Audit committees and boards should confirm that management has a plan for escalating incidents to the disclosure committee and legal team to make the final materiality determination.

Know before you go

As regulatory requirements around cybersecurity increase and threats from cybercriminals become more severe, it will be crucial to manage risks by ensuring governance is in place to protect sensitive information. Management can lead the way through uncharted waters by bolstering cyber maturity ahead of coming regulations.

Footnotes

[1] KPMG LLP, “A triple threat across the Americas: KPMG 2022 Fraud Outlook,” 2022: 

[2] KPMG LLP, “SEC proposes cybersecurity rules,” March 2022, https://frv.kpmg.us/reference-library/2022/sec-cybersecurity-guidance.html.

[3] KPMG LLP, “SEC Proposals on Cyber Risk Management for Market Entities,” 2023, https://kpmg.com/us/en/articles/2023/sec-roposals-on-cyber-risk-management-for-market-entities.html

[4] KPMG LLP, “Cybersecurity: SEC Proposal for Adviser/Fund Risk Management, 2022, https://kpmg.com/us/en/articles/2022/sec-cybersecurity-reg-alert-feb-2022.html

[5] Public Company Accounting Oversight Board, “Spotlight: Staff Priorities for 2023 Inspections, April 2023, https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/priorities-spotlight.pdf

Dive into our thinking:

Navigating enhanced cybersecurity regulations

Download PDF

Explore more

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Office locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Headline