Cybersecurity Risk Management Oversight

Need answers to the following questions:

Questions

The Role of Management

  1. In complying with the current SEC guidance, how has management considered cybersecurity risks in its ability to record, process, summarize, and report on information required to be disclosed in its SEC filings?
  2. What disclosure controls and procedures are in place to help ensure that the disclosures comply with the SEC’s guidance regarding the importance of a company being able to make accurate and timely disclosures of material cyber events? [7]
  3. Have the design and operating effectiveness of the disclosure controls and procedures been evaluated to ensure they appropriately record, process, summarize, and report on information required to be disclosed in the company’s SEC filings?
  4. How is management considering the current SEC guidance with respect to cybersecurity on risk factors, MD&A, and financial statement disclosures?
  5. In the event of a cybersecurity breach, what processes and controls are in place to help ensure that appropriate levels of management and board members with cybersecurity risk oversight are involved in the review of the related disclosures, if appropriate?
  6. Has the company considered its insider trading policies in the event of a material cyber incident? Are appropriate policies and procedures in place to guard against company executives and other insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public disclosure?

Questions

The Role of the Financial Statement Auditor

  1. What does the financial statement auditor consider related to cybersecurity disclosures included in the Form 10-K or other documents that include the audited financial statements?
  2. How do those considerations differ when cybersecurity-related information is included in another company document (e.g., a press release)?
  3. If the company had a material contingent liability for an actual cyber incident, what is the financial statement auditor’s responsibility with respect to the company’s assessment of any related financial statement disclosure(s)?
  4. What is the financial statement auditor’s responsibility if a cyber incident material to the financial statements is discovered after the balance sheet date but before the auditor’s report on the financial statements is issued?