The Impact of SEC Guidance Related to Cyber Risk for Organizations Using SaaS ERP Systems
Blog article by Jeff Hare

The latest U.S. Securities and Exchange Commission (SEC) guidance on cybersecurity risk has "cyber" firms buzzing. Those who expected it to be the equivalent of Sarbanes-Oxley must have been seriously disappointed: there is no mandatory audit of cyber risk.
The guidance requires companies “to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance”.
Regarding the first part of this quote, the SEC already requires registrants to file a Form 8-K for material events. For a breach, the disclosure requirement adds that management is "to describe the material aspects of the incident's nature, scope, and timing."
This may read as a demand for more detail, but organizations resist disclosing specifics that put them at further risk. In the end, their lawyers will craft a high-level response that leaves investors no red flags to sink their teeth into.
The SEC could have, and should have, been more specific about what counts as a "cyber incident". Is it only a breach of the network, or a takeover of significant admin privileges? Is it the placing of ransomware? Would a successful phishing attack against a highly privileged IT user qualify? What about payment fraud made possible by a supplier giving up its credentials to a threat actor?
We know from the guidance that management only has to disclose an event if it is deemed "material." That term has a very specific meaning that most cyber firms do not understand. The Supreme Court has weighed in on what it means for registrants when it comes to financial statements: an omitted fact is "material" if there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote (see https://en.wikipedia.org/wiki/TSC_Industries,_Inc._v._Northway,_Inc.).
What is clear to me is that how a "reasonable shareholder" would view a cyber incident is still to be litigated. Furthermore, two terms will likely need specific definitions: "cyber incident" and "omitted fact".
ERP Risk Advisors is a firm focused on application access control risks in ERP systems and related tools. We don't see any evidence that the cyber industry is focused on understanding application security, nor that it is focused on Software as a Service (SaaS) applications.
Instead, the primary threat on which the cyber industry seems focused is ransomware. For SaaS applications this leaves cyber firms with little to offer clients, since the SaaS provider (for example Oracle, for ERP / HCM Cloud) "covers" that risk in its SOC report.
Could a breach of an ERP system like Workday, Oracle ERP / HCM Cloud, SAP S/4HANA, or NetSuite be material for a company? Yes. Two risks that could be material are data theft and fraud. As an added complication, configuring and securing the system to address these risks is unique to each product: how APIs are secured and how integrations are built differ between ERP Cloud, Workday, and SAP S/4HANA, and SSO/MFA configuration differs between ERP Cloud and NetSuite.
The risks themselves are also unique to each environment. Understanding which configurations and application roles in each ERP can lead to theft of sensitive data or to fraud takes deep domain expertise in that product. To evaluate and mitigate these risks effectively, management needs to include SaaS applications in its cyber risk assessments.
CISOs also need a process to understand whether and how these risks change as the software provider patches the applications. Most ERP providers push application updates quarterly or semi-annually, and with each release new APIs and web services are introduced. Each addition that goes unreviewed can leave an organization exposed to data theft, fraud, and operational risk.
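One way to operationalize that review is to snapshot the tenant before and after each vendor release and diff the two: which API endpoints appeared, which roles were added, which privileges were granted to existing roles, and whether any grant created a segregation-of-duties (SoD) conflict that a fraudster could exploit. The script below is an added example and is not code from ERP Risk Advisors or from any ERP vendor. The endpoint paths, role names, privilege names, SoD conflict pairs and the two snapshots are all constructed, hypothetical data; in practice the snapshots would come from whatever role and API inventory export the specific ERP product provides.

```python
"""Release-to-release drift check for a SaaS ERP tenant (added example)."""
import json

# Constructed snapshot taken before the vendor's update.
# Endpoint paths, role names and privilege names are hypothetical.
BEFORE = {
    "endpoints": {"/api/v1/suppliers", "/api/v1/invoices"},
    "roles": {
        "AP_CLERK": {"invoice.create", "invoice.view"},
        "AP_MANAGER": {"invoice.approve", "invoice.view", "payment.release"},
        "INTEGRATION_SVC": {"invoice.view"},
    },
}

# Constructed snapshot of the same tenant after the update: one new endpoint,
# one new seeded role, and privileges quietly added to two existing roles.
AFTER = {
    "endpoints": {"/api/v1/suppliers", "/api/v1/invoices",
                  "/api/v1/supplierBankAccounts"},
    "roles": {
        "AP_CLERK": {"invoice.create", "invoice.view",
                     "supplier.bank_account.update"},
        "AP_MANAGER": {"invoice.approve", "invoice.view", "payment.release"},
        "INTEGRATION_SVC": {"invoice.view", "invoice.create"},
        "SUPPLIER_PORTAL_ADMIN": {"supplier.create",
                                  "supplier.bank_account.update"},
    },
}

# Privileges whose grant should always be reviewed (hypothetical names).
SENSITIVE = {"supplier.bank_account.update", "payment.release", "supplier.create"}

# SoD conflicts: a single role holding both halves enables payment fraud
# (hypothetical pairs chosen for illustration).
SOD_CONFLICTS = {
    frozenset({"invoice.create", "invoice.approve"}),
    frozenset({"supplier.create", "payment.release"}),
    frozenset({"supplier.bank_account.update", "invoice.create"}),
}


def sod_violations(privs):
    """Return the SoD conflict pairs fully contained in one privilege set."""
    return {pair for pair in SOD_CONFLICTS if pair <= privs}


def drift_report(before, after):
    """Diff two snapshots and flag what an access-control reviewer must look at."""
    report = {
        "new_endpoints": sorted(after["endpoints"] - before["endpoints"]),
        "removed_endpoints": sorted(before["endpoints"] - after["endpoints"]),
        "new_roles": sorted(set(after["roles"]) - set(before["roles"])),
        "new_grants": {},            # role -> privileges it did not have before
        "new_sensitive_grants": {},  # subset of new_grants that is high risk
        "new_sod_conflicts": {},     # role -> conflicts introduced by the release
    }
    for role, privs in after["roles"].items():
        old = before["roles"].get(role, set())  # a brand-new role had nothing
        added = privs - old
        if added:
            report["new_grants"][role] = sorted(added)
        sensitive = added & SENSITIVE
        if sensitive:
            report["new_sensitive_grants"][role] = sorted(sensitive)
        introduced = sod_violations(privs) - sod_violations(old)
        if introduced:
            report["new_sod_conflicts"][role] = sorted(
                tuple(sorted(pair)) for pair in introduced)
    return report


def needs_review(report):
    """True when the release changed anything that affects data theft or fraud risk."""
    return bool(report["new_endpoints"] or report["new_roles"]
                or report["new_sensitive_grants"] or report["new_sod_conflicts"])


if __name__ == "__main__":
    result = drift_report(BEFORE, AFTER)
    print(json.dumps(result, indent=2, sort_keys=True))
    print("review required:", needs_review(result))
```

On the constructed data the report flags the new bank-account endpoint, the new seeded role, and the fact that AP_CLERK can now both create invoices and change supplier bank accounts, an SoD conflict that did not exist before the release. Running the same diff after every quarterly or semi-annual update, against the product's real role and API inventory, is the kind of repeatable process the paragraph above calls for.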
ERP Risk Advisors is a thought leader on risk in ERP applications and can help management and cyber firms fill the gap in identifying, managing, and mitigating these risks. If you are interested in discussing how we can help your organization, contact us here.