Cyber security from an accounting perspective
Has anyone thought about financial reporting?
Digital transformation is indisputably one of the major megatrends of our time. It offers immense benefits in both a private and a professional context, but it can also harbor major risks for data security. Wherever companies have not taken sufficient and/or effective protective measures, digitalization can, in addition to increasing the efficiency and flexibility of operating processes, quickly become a gateway for cyber attacks. The motivation for such attacks is diverse and ranges from personal to purely criminal to political motives. For affected companies, cyber attacks can mean far-reaching damage to themselves and to others. But how are expenses for cyber security and, in particular, risks and losses from cyber attacks accounted for and reported (in accordance with IFRS and HGB)?
Implications for financial reporting before a cyber attack
Depending on the initial situation, suitable protective measures for cyber security can be costly and include not only risk analyses, upgrading the company's own system landscape or implementing an information security management system, but also raising staff awareness and hiring or commissioning specialists for the topic. While expenses for training measures, internal staff recruitment and/or the commissioning of external specialists are recognized as (personnel) expenses in the period in which they are incurred, there is capitalization potential for information technology expenses. Purchased cyber security software regularly meets the recognition criteria for an intangible asset. Development costs for internally generated cyber security software and for further development of existing applications can also be capitalized under certain conditions. Such capitalized items must be reported in the balance sheet and in the notes.
Even if sufficient measures for cyber resilience, i.e. prevention of cyber attacks and resilience in the event of an emergency, have been implemented in the company, a residual risk always remains. Not all scenarios or possible security gaps can be anticipated, especially if the approach and techniques of cyber criminals evolve faster than the company's own protective measures. If companies no longer operate individual applications or even entire areas of critical infrastructure on their own servers (on-premise), but instead use cloud services or engage in extensive outsourcing (e.g. software as a service, platform as a service, infrastructure as a service), further security risks can arise on the side of the IT service provider.
Furthermore, there is always a residual risk posed by the people working in the company, for example when employees fail to recognize an incoming phishing or spam email in the rush of everyday work and open malicious attachments, or when they connect to insecure networks with company-owned hardware outside the traditional office premises.
These (residual) risks need to be identified and assessed on an ongoing basis. In addition to an explanation of the protective measures taken, they must be reported on in the opportunity/risk report within the management report. For some sectors (e.g. banks), there are further (minimum) requirements for risk management and reporting. A look at the annual financial statements of DAX companies quickly shows that the topic is reported on with varying degrees of intensity. The EU-wide legislation on cyber security (NIS2 Directive), which came into force last year, obliges companies to take resilience measures. This also increases the relevance of efficient emergency management and the introduction of business continuity management.[1] Concrete requirements for the disclosure of minimum information when dealing with cyber risks do not (yet) exist. The US Securities and Exchange Commission (SEC) has already brought the topic further into focus and last year issued initial rules to improve and standardize the disclosure of information on risk management, strategy, governance and cyber security incidents by listed companies subject to the reporting requirements of the Securities Exchange Act of 1934.[2]
Implications for financial reporting after a cyber attack
Many cyber attacks fall into the category of so-called ransomware attacks, in which cyber criminals encrypt selected company data using malware and thus block access to it. The release or decryption of the data is tied to a ransom demand. If the company does not meet the ransom demand (promptly) and is unable to make the data accessible again with the help of experts, there is a risk of significant disruption to business operations, depending on the data and the industry. The payment of a ransom has a direct impact on liquidity in the financial statements, and, depending on the amount, may even require loans to be taken out at short notice (leaving aside the potential criminal liability of ransom payments). Even without a ransom payment or demand, considerable damage can be caused to the affected company:
After access to the data has been restored, potential obligations to pay for the company's own and third-party damages remain (e.g. expenses for restoring or replacing infrastructure, expenses for official investigations and fines, compensation for customers and business partners), for which the recognition of a financial liability or (liability) provision must be assessed. Stolen data can lead to competitive disadvantages when it is used (e.g. research results) or to data breaches when it is in the hands of unauthorized persons or is published (e.g. sensitive customer data).
If assets or production facilities are manipulated by the cyber attacker, e.g. patented and capitalized software for operating a wind turbine or the electronics of a motor vehicle, there is a risk of significant operational disruptions, and customer orders may not be fulfilled on time. If the software in question has to be replaced, the manipulated software may have to be written off in full. Such an incident always triggers an impairment test of the individual (intangible) assets concerned or of the underlying cash-generating unit.
The additional damage to a company's image caused by a cyber attack is difficult to measure in monetary terms. Listed companies can read initial reactions from the share price immediately after publication of the ad hoc disclosure. Ultimately, the cumulative damage to the company and third parties can be so material that the continuation of the company's activities is jeopardized, which in turn triggers special reporting requirements.
The implications for financial reporting described here are not an exhaustive list; they are determined by the extent of the cyber attack, the areas affected and the industry-specific characteristics of the company. Tailored disclosures are therefore required in the annual financial statements and the management report, while complying with the minimum reporting requirements under IFRS and HGB. The prerequisite for this, and this is where everything comes full circle, is that the preparation of complete financial data and the fulfillment of documentation requirements are not permanently disrupted by the effects of the cyber attack.
The increased threat from cyber criminals should not be a reason to stop pressing ahead with the digital transformation (as planned). However, digital transformation does not only mean the standardization and automation of company processes, the harmonization of the IT landscape or the provision of virtual work and communication options. Data security through the implementation of sufficient and, above all, effective protective measures, which must be regularly reviewed and adapted to changing framework conditions, should be given equal weight. Ultimately, the additional budgets to be planned for cyber security are small in proportion to the (non-)monetary damage to the company and third parties that can result from a cyber attack.
[1] European Commission: Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive). URL: https://digital-strategy.ec.europa.eu/de/policies/nis2-directive [accessed 15.01.2024]
[2] Federal Register (2023): Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. URL: https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure [accessed 15.01.2024]