Accounting for Cybersecurity Incidents: Reserves, Disclosures, and More


Some people say there are two types of companies – those that have experienced a cyber attack, and those that haven’t…yet. After all, cybercrime is growing at a whopping 15% a year, and is estimated to cost companies across the globe $10.5 trillion annually by next year!

With this in mind, your business must do everything it can to avoid cyberattacks – and this starts with your bookkeeping practices. When it comes to accounting for cybercrime, your finance team must ensure compliance, and follow the correct procedures for financial disclosure. 


Understanding Cybersecurity Incidents in Accounting 

Cybersecurity incidents are those which affect the integrity, confidentiality, or availability of your assets. As such, accounting for cybercrime deals with the financial implications of a cyberattack on your business. This requires an understanding of the nature of the incident, its financial impact, and the relevant accounting principles and regulations.

Types of cybersecurity incidents and their financial impact

There are five main kinds of cybercrimes of which all accountants should be aware. 

  • Phishing: This is the most common type of crime. Essentially, it involves sending emails that trick your team into sharing sensitive information or putting your network’s security at risk. 
  • Malware: Malicious software is usually delivered through email attachments, links, or ads. It can take the form of computer viruses, ransomware, spyware, or a rootkit, which is software that conceals its presence while providing administrative access to your device. 
  • Social Engineering: Also called ‘human hacking’, this refers to someone manipulating you, in a variety of ways, in order to obtain sensitive information. A hacker might impersonate a senior executive from your company, one of your vendors, a bank or government official, or even someone from your IT provider. 
  • Insider Threats: Here, the risk comes from within your company, when a current or former staff member with access to sensitive information misuses that access. Unfortunately, this can also happen accidentally.
  • Denial of Service (DoS) Attacks: In these instances, a specific device or your entire network is overloaded until it crashes and you are unable to use it. 

With so many ways to potentially affect your business, your finance team must be able to manage these risks effectively. 

The role of accounting in cyber threat management

By being aware of the various kinds of threats, your team can take proactive measures in accounting for cybercrime. Of course, the best starting point is to ensure that you use secure, cloud-based accounting software like QuickBooks or NetSuite.

The next step is to conduct a risk assessment, usually with your chief information security officer (CISO) or equivalent position. If your business doesn’t have its own security team, this can be outsourced. 

Then, your accountants should assess the potential impacts of a security breach, and how best to respond. This will be based on their knowledge of your company’s financial goals, and of regulatory compliance requirements. For example, you may be able to migrate uncompromised data, or have to accept and write off losses. 


Your finance team can also use this information to advise you on the best strategies for risk management, for example by preparing budget proposals for cybersecurity.


Establishing Reserves for Cybersecurity Incidents

When it comes to accounting for cybercrime, consider setting aside funds to handle any unforeseen events. To do so, you’ll need to establish your company’s specific risk exposure to threats, in terms of the nature of your data, and the potential impact on operations. 

To help with this, the Securities and Exchange Commission (SEC) has guidelines for determining what constitutes a significant cyber threat.

Next, you must establish the criteria for setting up these reserves. Usually, these funds are categorized under contingent liabilities or provisions. However, estimating the right level of reserves requires a thorough analysis of the potential financial impacts. Consider the following to determine how much you’ll need:

  • Conduct a reasonable estimation: Determine a realistic figure for potential expenses, based on available information and any past experience.
  • Budget for legal assistance: Your risk assessment should outline whether you’ll require legal assistance in the event of a security breach.
  • Be aware of the disclosure requirements: As we’ll discuss later, your business might be required to disclose a cybercrime event. Such an event can also bring service interruptions, loss of revenue, or payments in the form of penalties or refunds, all of which your reserves should cover.
  • Regularly review your funds: The amount of money you set aside may need to be adjusted. For example, new types of scams might be devised, or you may find potential vulnerabilities in your software or network after upgrades. 

It’s also essential to have an incident response policy in place. This allows your team to react promptly, and reduce the impact and costs of recovery. This policy should establish detailed roles and responsibilities in the event of a security breach, while remaining compliant with accounting standards. 


Accounting Treatments for Cybersecurity Incidents

So what do you do if your business is hit by cybercrime? No matter the form of the attack, it will cost you. That’s why accounting for cybercrime is critical.

First, it’s vital to establish the immediate financial impact. Start by recognizing expenses and losses in your income statement. These include costs for system repair and recovery, data restoration, legal fees, and any payments made (such as ransom payments made in response to ransomware attacks).

If the attack compromises physical assets or inventory, or digital assets such as software or financial data, the damage must be assessed and recorded. 

Next, recognize the liabilities. Factors like lawsuits or regulatory fines should be disclosed as contingent liabilities. Also make provisions for any obligations, such as customer compensation or contract penalties. 

Over the long term, your accounting for cybercrime should factor in the impact on asset values, potential asset impairments, and changes in these valuations.

Remember too that an attack can affect your competitiveness, business reputation, and customer relationships, and can expose you to litigation or regulatory investigations. This will require strategic financial decision-making and forecasting. 


Financial Disclosures Related to Cybersecurity Incidents

According to the SEC guidelines mentioned above, if your business is subject to a cyberattack, you must disclose this within four business days, using Form 8-K. This is effective for all public companies with a fiscal year starting after December 31, 2023. 

In the form, you’ll detail the nature, scope, timing, and material impact of the attack. You must also disclose your business’s processes for assessing, identifying, and managing cybersecurity risks.

Under Generally Accepted Accounting Principles (GAAP), you may also be required to disclose attacks under standards ASC 220-10 (Income Statement Reporting), ASC 450-20 (Loss Contingencies), or ASC 275 (Risks and Uncertainties).

The specific disclosure processes you need to follow will depend on the nature, size, and impact of the cybersecurity incident. Therefore, it’s best to consult with a CPA to ensure compliance. 

And then there’s stakeholder communication. Once you’ve identified key stakeholders to be informed (such as investors, employees and customers), prepare a communication plan. This should cover the scope of the crime and its impact, and detail your company’s response and mitigation efforts. 

Be transparent and honest about everything, and provide a feedback mechanism through which stakeholders can respond. 


Regulatory and Compliance Considerations

In addition to the SEC requirements discussed above, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 dictates that any cybercrime that could harm foreign relations, the US economy, or the public confidence or civil liberties of US citizens must be reported to the Cybersecurity and Infrastructure Security Agency (CISA). 

According to the act, cyber incidents must be reported within 72 hours of occurring, and any ransom payments made in response to ransomware attacks must be reported within 24 hours. 

There are also several other regulatory requirements regarding cybersecurity breaches. For example, under Federal Trade Commission (FTC) rules, failure to protect your customer data from cyber breaches can have significant legal and financial repercussions.


Many states have enacted laws requiring businesses to notify consumers and other stakeholders in the event of a data breach involving personal information. In addition, some state laws may impact how businesses account for and disclose the financial impacts of cybersecurity breaches.

The role of audits 

Financial audits can help to assess and mitigate potential cybersecurity incidents. This usually requires a collaborative approach between your finance and IT teams, to establish a framework for compliance.

After all, auditors have experience with setting up and implementing internal controls, and will be well-versed in the various regulations surrounding cybersecurity. 


Cybersecurity Insurance 

With the prevalence of cyber risks, many businesses make provision for cybersecurity insurance when accounting for cybercrime. 

This insurance can help protect your business when sensitive data is stolen or compromised. After all, your clients might hold you liable if they are affected by an attack on you. Generally, the policies provide coverage for data breach lawsuits, disclosure expenses, and fraud monitoring costs.

However, keep in mind that insurance might not cover indirect costs, like lost clients or reputational damage. 

Selecting and managing insurance

When choosing insurance coverage, consider the following:

  • The scope of coverage. Your chosen policy should cover a broad range of cyber risks, as well as the costs related to crisis management, legal fees, and any fines.
  • Exclusions. Always check what isn’t covered. Some policies exclude certain types of attacks.
  • Policy limits and deductibles. Make note of policy limits to ensure they’re adequate for your risk exposure, and how deductibles impact your financial responsibility in the event of a claim.
  • Claim reporting requirements. Make sure you understand how to report a claim, as failing to comply can result in denied claims.

If in doubt, consult with financial experts who can help you make these decisions. 

Preparing and Planning for Future Incidents

To mitigate the risks in accounting for cybercrime, ensure your team has strict protocols in place for data security. This includes identity and access management, such as limiting administrator privileges and enforcing strong passwords. Also consider Multi-Factor Authentication (MFA) or geo-fencing for email accounts, which are a common target for cyber criminals. 

Next, draw up a cybersecurity document that outlines the best practices for preventing risks, as well as information on how to spot potential security threats, including warnings from your antivirus software and unusual user activity. 

Also establish a response plan, which outlines what constitutes a data breach, how to respond, and the roles staff members should take in such an event. 

It’s also paramount that your company invests in cybersecurity software, together with training for your staff on how to use it. 

Finally, ensure that all your data security policies and procedures are updated regularly, in conjunction with conducting frequent internal audits. 

To ensure your team follows best practices in accounting for cybercrime, schedule a Discovery Call with one of our CPAs.



The information presented in this blog article is provided for informational purposes only. The information does not constitute legal, accounting, tax advice, or other professional services. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information contained herein. Use the information at your own risk. We disclaim all liability for any actions taken or not taken based on the contents of this blog. The use or interpretation of this information is solely at your discretion. For full guidance, consult with qualified professionals in the relevant fields.
