Insights

Fresh thinking and actionable insights that address critical issues your organization faces.

Learn more

Resources

Services

KPMG's multi-disciplinary approach and deep, practical industry knowledge help clients meet challenges and respond to opportunities.

Services to meet your business goals

Technology Alliances

KPMG has market-leading alliances with many of the world's leading software and services vendors.

View all Alliances

Industries

Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more
Relevant Results
Sorry, there are no results matching your search.
Autocomplete suggestions are available. Use up and down arrows to review and enter to select.
See more results

Navigating enhanced cybersecurity regulations

Download PDF
Share

Authored by:

  • Doron Rotman, Managing Director, Technology Assurance – Audit, KPMG LLP
  • Maksim Vander, Managing Director, Technology Assurance – Audit, KPMG LLP
  • Christopher Montone, Director, Technology Assurance – Audit, KPMG LLP
  • Ruixiang Wu, Director, Technology Assurance – Audit, KPMG LLP

Companies are facing cyberattacks every day, with large organizations across industries reporting hackers gaining access to customer information, taking down IT systems and often making demands for ransom payments. As cyberattacks become more frequent and sophisticated, organizations are facing increased stakeholder calls and regulatory requirements to show they are protecting their information appropriately. According to a recent KPMG survey[1], 83% of companies suffered a cyberattack in the past year, and respondents said it took them an average of one month to fully contain the attack.

The Securities and Exchange Commission (SEC) is undertaking a comprehensive effort to increase cybersecurity preparedness and resilience for all registrants. This spring, new cybersecurity reporting requirements[2] for public companies are expected, enhancing and standardizing risk management, strategy, governance and incident disclosures. The SEC also released proposed cybersecurity rules for broker-dealers and other market entities[3] and opened comments on rules for registered advisers and funds[4] in March 2023. At the same time, the SEC is enforcing large penalties against some companies for misleading disclosures around past cyberattacks. Additionally, in April 2023, the Public Company Accounting Oversight Board listed cybersecurity among its top priorities for this year’s inspections.[5]

With the increased focus on cybersecurity from regulators, customers and investors, executives have a growing responsibility to understand their company’s cyber risks and the state of cyber programs. As a baseline, with oversight from the board, management should be preparing now to comply with the SEC’s final rules on cybersecurity disclosures. Going beyond regulatory compliance, it’s imperative to understand how your organization is positioned to detect, mitigate and remediate any cybersecurity threats and vulnerabilities with respect to information systems as well as business continuity and overall cyber incident reliance.

You are here: Assessing your organization’s current cyber risk

As a first step, management should evaluate the organization’s current situation, laying the groundwork for a strategy for enhancing the organization’s cyber maturity, achieving SEC compliance and reassuring customers, investors and other stakeholders that appropriate safeguards are in place. Key questions may include:

  • Does management understand how mature the organization’s cyber programs are in relation to others in the same industry?
  • Is there appropriate insight into the current and future business, regulatory and compliance impacts of cyber risks on the organization’s supply chain, both upstream and downstream?
  • Has any risk assessment been performed to understand how the organization may be impacted by the current or future SEC proposals and regulations?

Third-party assessments and attestations are tools for management and the board to understand the organization’s current cyber readiness and respond to stakeholder demand for transparency. A cyber maturity assessment is a way for the financial reporting and internal controls function to get a clear, easily digestible view of the organization’s current cyber program benchmarked against other organizations of similar size and industry. A cybersecurity-focused SOC report can provide attestation for cyber controls.

Leaders should consider assessments that include potential vulnerabilities along the supply chain, which are often exploited by bad actors. With increased pressure from stakeholders throughout the supply chain to obtain varying levels of cybersecurity assurance, management may look to shift the organization’s assessment of its cybersecurity posture from the historically acceptable self-attestation approach to assessments or attestation engagements performed by an independent third party. This level of independent attestation can clearly demonstrate to vendors and customers that appropriate governance and controls are in place to protect their sensitive data and reduce exposure to their IT environment.

Insight
Audit Insights
KPMG is a firm with a history of doing great work and making a difference.
Read more

Mapping out the future

With an understanding of the organization’s starting point, management can plot out a path to compliance with SEC cyber regulations, transparency in response to stakeholder demand and organizational resilience.

Updating the internal communications plan

Questions to ask:

  • How does the Information Security function disseminate information to key stakeholders in financial reporting and internal controls, including the board, audit committee and controller?
  • At what frequency do these communications occur?

Even when a cyber incident has not been identified, cybersecurity update meetings should be held at defined frequencies to ensure all key stakeholders are equipped with the latest pertinent information. Establishing clear communication and reporting lines for identified cyber incidents is critical for ensuring those charged with financial reporting and internal controls are informed at the appropriate time to consider implication on Internal Controls over Financial Reporting and achieve compliance with any SEC regulations.

Preparing for a potential cyberattack

Questions to ask:

  • Does management, with oversight from the Audit Committee, have fulsome cybersecurity incident response and recovery plans and procedures in place?
  • Does management understand how potential cybersecurity incidents will be triaged and ultimately communicated to key stakeholders responsible for reporting to the SEC if a breach is identified? Are those reporting mechanisms in place?

Management should review and update cyber incident response policies and procedures, including a clear delineation of responsibilities of the cybersecurity and risk management teams, management’s disclosure committee, and the legal department, plus escalation procedures to determine materiality, and preparation and review of disclosures.

With board oversight, management should test the cyber response plan and procedures, including documenting the cyber incident, evaluating it for materiality, drafting the disclosure and reviewing incidents in the aggregate. In its rule for public companies, the SEC will expect a materiality determination to be made “as soon as reasonably practicable,” which may require judgment. Audit committees and boards should confirm that management has a plan for escalating incidents to the disclosure committee and legal team to make the final materiality determination.

Know before you go

As regulatory requirements around cybersecurity increase and threats from cybercriminals become more severe, it will be crucial to manage risks by ensuring governance is in place to protect sensitive information. Management can lead the way through uncharted waters by bolstering cyber maturity ahead of coming regulations.

Footnotes

[1] KPMG LLP, “A triple threat across the Americas: KPMG 2022 Fraud Outlook,” 2022: 

[2] KPMG LLP, “SEC proposes cybersecurity rules,” March 2022, https://frv.kpmg.us/reference-library/2022/sec-cybersecurity-guidance.html.

[3] KPMG LLP, “SEC Proposals on Cyber Risk Management for Market Entities,” 2023, https://kpmg.com/us/en/articles/2023/sec-roposals-on-cyber-risk-management-for-market-entities.html

[4] KPMG LLP, “Cybersecurity: SEC Proposal for Adviser/Fund Risk Management, 2022, https://kpmg.com/us/en/articles/2022/sec-cybersecurity-reg-alert-feb-2022.html

[5] Public Company Accounting Oversight Board, “Spotlight: Staff Priorities for 2023 Inspections, April 2023, https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/priorities-spotlight.pdf

Dive into our thinking:

Navigating enhanced cybersecurity regulations

Download PDF

Explore more

News
Webcast Replay Webcast Upcoming Listen Now

Taking a Byte Out of Cybercrime

KPMG U.S. leaders have identified three key cyber security considerations for technology company boards.

Read more
Federal government
Industry
Webcast Replay Webcast Upcoming Listen Now

Higher education, research and other not-for-profits

KPMG leverages our experience serving colleges and universities, research institutions and not-for-profit organizations across the country to provide valuable insights.

Read more

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2024 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline