More transparency required in cybersecurity disclosures
Complete, accurate disclosures
Kovalsky said that because of the changing nature of cybersecurity threats and constant changes in technology, every cybersecurity control is in some state of evolution.
Companies are accustomed to disclosing information internally about the status of cybersecurity practices and controls. CFOs have been meeting with CIOs and CISOs for years to discuss the effectiveness of controls, threat management, potential risks and risks that might not be mitigated yet in a satisfactory fashion.
“But that’s very different from saying you’re ready to disclose it to the public,” Frazier said. “Just like in the MD&A, there’s an onus on management to make sure what is disclosed is complete and accurate.”
However, Kovalsky said one element of the business environment can stand in the way of complete, accurate disclosure. CISOs sometimes go into board meetings under pressure from other executives to make an organization’s cybersecurity risk management processes and protections sound more mature than they really are.
If the board doesn’t have a full appreciation of the risks due to these pressures, it’s more…