A cybersecurity breach involving theft of a company’s customer data could mean that the company has a weakness, which could be material, in its internal control over financial reporting (ICFR) related to controls over the safeguarding of assets. To minimize the possibility of cyber theft, companies should examine their controls over customer data as well as other assets to be sure that they are sufficient. To the extent that a company outsources information management activities, the company must also ensure that the providers of those activities have adequate controls over the company’s customer data and any other company assets.
Rule 13a-15(f) of the Exchange Act defines ICFR as a process to provide, among other things, “reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.” According to the SEC’s adopting release on ICFR, this “provision [was] specifically included to make clear that, for purposes of [this] definition, the safeguarding of assets is one of the elements of internal control over financial reporting.” Because customer data is an asset, a company’s failure to have sufficient controls to prevent the unauthorized acquisition, use, and/or disposition of customer data may constitute a weakness in ICFR. If it meets the definition of a material weakness in ICFR, the company will have to report ineffective ICFR. This type of material weakness, however, would not likely require a company to conclude that its disclosure controls and procedures are not effective.
Several retailers, banks, and other companies have recently experienced cybersecurity breaches that resulted in the loss of customer data. These breaches, and the resulting significant expenditures that were incurred in addressing the breaches, further emphasize the need for companies to review the adequacy of their internal controls relating to the safeguarding of customer data.
For more information on ICFR, see our January 24 post.