Research Topic : State of California Department of Justice's (DOJ) data breach incident (State of California Department of Justice, 2019).
Use the following metrics to evaluate the disclosure:
- Completeness
- Timeliness
- Management Involvement
- How complete was the disclosure? Which aspects of the breach were disclosed (threat, threat agent, vulnerability, actual breach, discovery, investigation, impact, remediation)?
- How timely was the disclosure? Did it provide adequate time references for evaluation (report lag, discovery lag, investigation lag, remediation lag)?
- Did management involve themselves in the disclosure (e.g. signatures of C-suite executives)?
You may also consider other aspects to evaluate the disclosure. The research notes do not need to be written in full paragraphs; you may use bullet points to summarize your findings.
Lecture – Unit 9 Evaluate Disclosure
ACCT 855
Seminar in Cybersecurity Audit and Disclosure
Dr. Tien Lee, Ph.D., PMP, CISA, CISSP | (415)644-TIEN | San Francisco State University, Lam Family College of Business
Dye’s Analogy (1985)
Dye (1985) provided a simple analogy, based on agency theory, showing why management would manipulate disclosure:
management's actions are subject to moral hazard and hidden actions, and
investors, individually, learn about the manager's actions only through disclosure, whose effect they observe through stock price changes.
Disclosure allows the principal to mitigate the moral hazard problem by tying the manager's compensation to the firm's stock price.
Dye’s Analogy (1985)
In this case, the manager could game the system and make disclosure sufficient to impact or not-impact the firm’s future cash flows.
The firm’s stock price would then become a function of that disclosure rather than a function of investor knowledge about the manager’s actions.
Therefore, the firm's stock price becomes "influenced" by the disclosure and, even more so, by the content of the disclosure.
Dye’s Analogy & Cybersecurity Breach Disclosure
Subsequent to a security breach, managers may foresee that security breach events are intrinsically complex and difficult for the principal to understand;
it may take much longer for the full investigation to be completed.
The manager may therefore elect to control the disclosure in a manner that favors the manager's self-interest.
The market reaction would then be a function of the "diluted disclosure" or "glorified disclosure", not of management's effort and true actions in managing or mis-managing the firm.
The Tale of Two Disclosures
StumbleUpon provided little information in its disclosure.
However, it is difficult to evaluate just how “bad” it is.
Need for measuring instruments
The Tale of Two Disclosures
Comparing to another disclosure…
Measuring the Quality of the Disclosure
Discussion: What makes a good disclosure?
ACCURATE
TIMELY
RELEVANT
COMPLETE
MANAGEMENT INVOLVEMENT & CREDIBILITY
Disclosure Accuracy
Accuracy is an important aspect of disclosure.
It’s important for the preparer to issue disclosure truthfully based on best available information at hand.
However…
Accuracy of disclosure is impossible to measure consistently as the “truth” is not observable from the information users’ perspective.
Disclosures are “assumed to be accurate” after independent audit.
Disclosure Timeliness
Timely disclosure allows investors to make timely decisions.
However, for a cybersecurity breach, a single dimension of timeliness may not be adequate...
Time dimension of cybersecurity breach may include:
When incident occurred
When the incident was discovered
When the investigation started
When remediation was determined
When the external disclosure was issued.
Disclosure Timeliness
These dimensions allow the information user to determine the "lag time" between various events:
Discovery lag (from incident occurrence to discovery)
Investigation lag (from discovery to investigation)
Remediation lag (from investigation to remediation)
Disclosure lag (from discovery to external disclosure)
Disclosure Timeliness
Note that it is not necessary to disclose all of this information, as the current standards do not require management to disclose these aspects. HOWEVER...
Providing more detailed information dispels uncertainty and allows the information user to make decisions.
If the information is NOT provided, it shows that the firm either DOES NOT have the information or CHOOSES NOT to disclose it.
Disclosure Relevancy & Completeness
Relevancy and completeness are related attributes.
In order to achieve relevancy, a disclosure must cover the aspects of information that are relevant to the decision maker.
Which information is relevant can differ from person to person.
In the absence of detailed disclosure rules, the policy maker (such as the SEC) needs to decide which aspects must be disclosed.
Completeness is then measured and determined against that set of aspects.
Disclosure Completeness
Based on the cybersecurity breach disclosure framework, we can evaluate the quality of the disclosure:
Disclosure Completeness
Management Involvement in Disclosure
SOX highlighted the importance of management involvement in disclosure
Per SOX, CEO or CFO MUST personally certify the annual report to its accuracy and soundness of internal control over the disclosure process.
Management can be observed through several aspects:
Has the management signed or participated in the disclosure?
What level of the management signed the disclosure
What are the forms of management involvement? (apology, press release, resign?)
Management Involvement & Credibility
Higher-level management's involvement could potentially enhance the credibility and trustworthiness of the disclosure.
If there is little evidence of management involvement (for example, a lack of executive signatures on the report), the information provided could be of little trustworthiness or unable to inspire belief, and thereby relatively useless to the decision maker.
Management Involvement & Credibility
To enhance credibility:
Whether law enforcement authorities were involved in the investigation process.
Whether specialists, such as forensic accountants or external security consultants were involved in the processes.
Whether senior management were involved in the disclosure.
Whether the disclosures were signed.
Whether contact information was provided for reference.
Ambiguous Disclosure
Ambiguous disclosure: no sentence in the disclosure is found to describe the event, or the disclosure simply contains little useful information.
Ambiguous disclosures usually contain very little useful information for the information user.
More words ≠ better disclosure.
Measuring Instrument
Yes/No binary system:
Allows no varying "degree" of information content.
Suitable for very simple items.
Scale system:
Requires the evaluator to rate the disclosure using an arbitrary scale (0-10, percentage scale, S-A-B-C-D-F tiers...).
Point system:
Rates whether the information is provided fully or only partially for each surveyed element, which indicates the "completeness" aspect of the disclosure.
Combines the binary and scale systems and allows a more objective rating.
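As an added example (not part of the lecture or the assignment), the following Python sketch applies the lag definitions from the "Disclosure Timeliness" slides and the point-system instrument above to a constructed disclosure. The completeness elements follow the breach aspects listed in the assignment prompt and the credibility items follow the "Management Involvement & Credibility" slide; the dates, ratings and flags are invented, and a missing date yields a lag of None rather than a number, mirroring the slide's point that undisclosed time references leave the reader unable to evaluate the lag.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass
class DisclosureTimeline:
    """Time references a breach disclosure may (or may not) provide.
    A None value means the disclosure did not state that date."""
    incident: Optional[date] = None
    discovery: Optional[date] = None
    investigation: Optional[date] = None
    remediation: Optional[date] = None
    external_disclosure: Optional[date] = None


def _days_between(start: Optional[date], end: Optional[date]) -> Optional[int]:
    # A lag is only computable when both endpoints were disclosed.
    if start is None or end is None:
        return None
    return (end - start).days


def compute_lags(t: DisclosureTimeline) -> Dict[str, Optional[int]]:
    """Lag times in days, following the lecture's definitions.
    None marks a lag the disclosure does not let the reader determine."""
    return {
        "discovery_lag": _days_between(t.incident, t.discovery),
        "investigation_lag": _days_between(t.discovery, t.investigation),
        "remediation_lag": _days_between(t.investigation, t.remediation),
        "disclosure_lag": _days_between(t.discovery, t.external_disclosure),
    }


# Breach aspects surveyed for completeness (from the assignment prompt).
ELEMENTS = ("threat", "threat_agent", "vulnerability", "actual_breach",
            "discovery", "investigation", "impact", "remediation")
# Credibility indicators (from the slides); each is a yes/no item.
CREDIBILITY_ITEMS = ("law_enforcement_involved", "specialists_involved",
                     "senior_management_involved", "signed",
                     "contact_info_provided")
# Point system: 0 = not disclosed, 1 = partially disclosed, 2 = fully disclosed.
POINTS = {0, 1, 2}


def completeness_score(ratings: Dict[str, int]) -> Dict[str, float]:
    """Sum per-element points; an element absent from the ratings counts as not disclosed."""
    total = 0
    for element in ELEMENTS:
        points = ratings.get(element, 0)
        if points not in POINTS:
            raise ValueError(f"{element}: rating must be 0, 1 or 2, got {points!r}")
        total += points
    maximum = 2 * len(ELEMENTS)
    return {"points": total, "maximum": maximum, "ratio": total / maximum}


def credibility_score(flags: Dict[str, bool]) -> Dict[str, float]:
    """Binary instrument: count the credibility indicators that are present."""
    present = sum(1 for item in CREDIBILITY_ITEMS if flags.get(item, False))
    return {"points": present, "maximum": len(CREDIBILITY_ITEMS),
            "ratio": present / len(CREDIBILITY_ITEMS)}


def evaluate(t: DisclosureTimeline, ratings: Dict[str, int],
             flags: Dict[str, bool]) -> Dict[str, dict]:
    """Combine the three instruments into one evaluation record."""
    return {"lags": compute_lags(t),
            "completeness": completeness_score(ratings),
            "credibility": credibility_score(flags)}


# Constructed sample disclosure (invented dates and ratings, not real data).
SAMPLE_TIMELINE = DisclosureTimeline(
    incident=date(2019, 1, 5),
    discovery=date(2019, 1, 20),
    investigation=date(2019, 1, 22),
    remediation=None,                     # the sample disclosure gives no remediation date
    external_disclosure=date(2019, 2, 19),
)
SAMPLE_RATINGS = {"threat": 2, "vulnerability": 1, "actual_breach": 2,
                  "discovery": 2, "investigation": 1, "impact": 1}
SAMPLE_FLAGS = {"law_enforcement_involved": True, "contact_info_provided": True}


if __name__ == "__main__":
    for section, result in evaluate(SAMPLE_TIMELINE, SAMPLE_RATINGS, SAMPLE_FLAGS).items():
        print(section, result)
```

The lag keys use the slide's pairing (disclosure lag runs from discovery, not from incident occurrence, to external disclosure), so a disclosure that omits the discovery date loses two of the four lags at once; the completeness ratio is the point-system score out of the 16 points available for the eight surveyed elements.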
[Figure: breach disclosure timeline. Stages: Incident Occurred -> Discovery of Incident -> Internal Disclosure & Investigation -> Impact assessment/remediation -> External Disclosure. Intervals labelled Discovery Lag, Investigation Lag, Remediation Lag and Disclosure Lag.]