Risk Transparency – Reporting Information Security Risk as Financial Risk
In the previous post, I discussed three major retailers that had suffered breaches and how their 10K reporting on the financial implications of information security risk had changed from before the breach to a few years after it. It was clear that two of the three organizations did not report any financial risk associated with information security prior to the breaches; afterwards they had updated their disclosures to state that a breach could lead to lawsuits, government investigations, and loss of reputation.
So, what should an organization report to its investors and potential investors? It is easy to go straight to the tools the organization employs to protect itself, such as firewalls or device encryption, or to state that it has an information security team led by a Chief Information Security Officer, or that it has processes in place to prevent unauthorized information disclosure.
However, reporting on tools, people, and processes does not actually describe the risks; it only shows that the organization is taking mitigating action to limit the impact of an information security event. The real question is what risks it is trying to mitigate.
For an investor to understand what type of risk an organization is exposed to, the investor must know what type of information the organization is collecting, creating, and storing. Only then can the investor assess the high-level risk.
Once the type of information is known, the next step is to report on the controls in place to limit exposure to that high-level risk. From an accounting perspective, this is usually done against the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a well-known framework for internal accounting controls. The auditor of a public organization's financial statements also audits its internal accounting controls. Investors can therefore be reasonably certain that internal controls are in place to mitigate any major risk related to accounting practices, and that the 10K is a good starting point for researching the organization. The same cannot be said for information security risks or controls. There is no widely accepted standard or framework for how to approach information security. Some are more popular than others, such as NIST 800-53, ISO 27001, and the Critical Security Controls Top 20, and there are industry- or information-specific ones such as HIPAA, PCI DSS, and NERC CIP-011. But to reach a reasonably fair level of understanding, and to be able to compare organizations with each other, there needs to be a standard framework for information security, per industry at the very least, that auditors can audit against.
One of the reasons there is no single framework used by everyone, I believe, is simply the lack of maturity in IT in general, and the lack of understanding in other business functions of the true financial implications.
Seen from a non-IT business function, IT is complicated, technical, and something to avoid if you can. To make matters worse, most organizations are led by people with an MBA (Master of Business Administration), and while an MBA gives a great overview of how a business functions, very few programs include anything substantial on IT. The result is that the leaders of large organizations have a basic understanding of every function except IT.
Given all these factors, answering the question of what should be reported in the 10K is not easy. In my opinion, organizations should at the very least report the risks, and then any compliance requirements that follow from the information they are collecting, creating, and storing (for example HIPAA or PCI DSS).
The next step would be to start reporting on the information security program as a whole, against one standard or another. Even if the standards are different from one organization to another, investors should know what the organization is doing to protect itself against material risks that are associated with information security.
Personally, I would recommend that an organization start with something as simple as the Critical Security Controls; each control comes with a companion set of metrics, so it is easy to assess the maturity of each control.
It would be great if organizations could be proactive and start reporting on their own and together with their auditor instead of waiting for the mandate from the regulatory body, but perhaps that is a bit too optimistic!
As a closing point, I want to mention that I do not mean to discount the MBA or people who have MBAs (I am one of them), only that the MBA curriculum needs to address IT as a business function too.
Disclaimer – this post is unaffiliated with my employer