It’s time to test your current events knowledge: Which major retailer acknowledged having to spend $88 million related to a mega data breach in its most recent 10-Q, with more costs expected?

Target immediately comes to mind, right? The persistence of the retailer’s troubles shows how far-reaching the effect of a cybersecurity attack can be. That $88 million is just a drop in the bucket of the expenses and problems Target continues to face more than six months after its customer payment data was exposed. The initial tally does not include the company’s anticipated claims for incremental fraud losses, the litigation costs for the more than 100 legal actions filed in various jurisdictions to date, the reputational hit, or the faltering loyalty of customers now worried about sharing their credit card information with their local store.

Every day there seems to be a new headline reporting another Internet security breach or data protection lapse – be it hacked credit card data, the Heartbleed Bug or well-crafted phishing scams luring victims to give up sensitive information. If there is an upside, it’s that such news may prompt other companies to do a full sweep of their internal processes and systems to minimize the probability of something like this happening to them.

But will they do a good job? Companies whose efforts reach beyond the confines of the IT department are more likely to succeed in shrinking their risk. CFOs in particular should take responsibility for toughening up the organization’s cyber defenses if they haven’t already.

Regulators are demanding it: Three years after requiring companies to disclose cybersecurity risks and incidents that are specific to them – and to stay away from generic language – the Securities and Exchange Commission continues to focus attention on the topic. In fact, the SEC hosted a roundtable earlier this year to discuss the challenges cybersecurity poses for market participants and public companies, and how they’re being handled. Just a couple of months later, the SEC’s Office of the Investor Advocate announced that it would study how the SEC and other market participants are actually protecting investors from cybersecurity threats, which further puts pressure on the Commission to keep tabs on the risks.

On top of all this regulatory introspection is a call on auditors to pay more attention to how companies deal with the problem and what they say about it. The Center for Audit Quality recently issued an alert outlining independent auditors’ responsibilities related to cybersecurity risks. Such an alert may cause auditors to up their scrutiny of their clients’ forthrightness about their risks and what they disclose about them.

Data breaches at larger companies make the headlines, but smaller companies are not immune from this threat. In fact, smaller companies may be easier targets because they have fewer resources to deploy in preventing a breach. Think what a treasure trove a hacker could find on your servers — employee information, customer information, engineering design information, your financial information, etc.

What CFOs can do
CFOs can play a critical role in all of this, as the keeper and protector of their business’ sensitive information and internal controls. While your IT gurus, data protection officers and security and privacy experts are addressing “defense in depth” strategies to thwart would-be hackers, here’s what you should be doing.

  • Identify the crown jewels: No matter how good your firewall is, let’s assume that everything can be hacked. Hackers are looking for valuable information that isn’t adequately protected, so the first thing to think about is “what are your crown jewels?” This can include information such as engineering and design data, financial information, employee and HR information, and customer or client information. You want to make sure the full scope of your company’s sensitive data has extra security layers around it. And you’ll need to get input from all areas of your company for identifying your most sensitive information.
  • Control who has access to that valuable and vulnerable info: Now that you have identified what the critical data is, make sure you know where it resides. It is important to limit access to only the specific individuals who need it to perform their job duties. Do you have proper controls in place to ensure proper authorization is obtained before access is granted? Do you review access on an ongoing basis, comparing who actually holds access against who was approved, so that no unauthorized individuals retain it? Is your data backed up to a copy an attacker cannot reach, so that you are not vulnerable to ransom demands over data that has been encrypted or destroyed? (A backup does nothing about data that has already been copied out, which is why the access limits above matter.) Depending on the size and complexity of your business, you may need to confer with your CIO on what measures are currently in place or you may need to bring in outside expertise.
  • Review third parties critically: You can’t outsource your responsibilities. When you use third parties to host, store or process your data, you need transparency in how they are protecting your data and complying with privacy laws. Don’t assume any third party has it all under control. Obtain and critically review service organization control (SOC) reports: depending on the nature of the work being outsourced, you will want a SOC 1 report (issued under SSAE 16) for internal controls over financial reporting or a SOC 2 report for security, availability, confidentiality and privacy. Check that the report’s scope and period actually cover the services you use, and read the exceptions rather than just the opinion. You may want to reconsider using a company that refuses to share this information or that has questionable results.
  • Encrypt like crazy: Is all of your sensitive data encrypted? Not only is it important to encrypt data in transit, but it is also important to encrypt critical data at rest, meaning information sitting on server drives, laptops, flash drives and the like. Encryption won’t stop your data from being intercepted or a laptop from being stolen, but it can keep the contents from being read, provided the keys are managed separately from the data; an encrypted drive whose key sits beside it in a plaintext file protects nothing.
  • Engage everyone in the effort: Do you have formal, companywide policies around data protection and security? Are they effectively communicated to employees (i.e., not just shared with new staff but distributed periodically)? Employees can unknowingly violate a carefully created data security effort by simply sending an unencrypted email that includes sensitive information. Ongoing training and education are key ways of ensuring that the procedures you have created to safeguard your data are correctly implemented.
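As an added example (not from the original post or RoseRyan), here is the kind of periodic access review the second bullet calls for, in Python: it reconciles an export of who actually holds access to a sensitive data store against the register of who was approved, and flags accounts with no approval at all, approvals that have lapsed, and grants broader than what was approved. The account names, roles, approval fields and review date are constructed for the example.

```python
from datetime import date

# Constructed sample data (assumptions for this example, not from the original post).
# Export of who currently holds access to the finance data store: account and granted role.
CURRENT_ACCESS = [
    {"account": "alice", "role": "read"},
    {"account": "bob", "role": "admin"},
    {"account": "carol", "role": "read"},
    {"account": "dave", "role": "read"},
    {"account": "svc-backup", "role": "read"},
]

# Authorization register: each approved grant, who approved it and when it lapses.
AUTHORIZATIONS = [
    {"account": "alice", "role": "read", "approver": "cfo", "expires": date(2015, 12, 31)},
    {"account": "bob", "role": "read", "approver": "controller", "expires": date(2015, 12, 31)},
    {"account": "carol", "role": "read", "approver": "controller", "expires": date(2014, 3, 31)},
    {"account": "svc-backup", "role": "read", "approver": "cio", "expires": date(2015, 12, 31)},
    {"account": "erin", "role": "read", "approver": "cfo", "expires": date(2015, 12, 31)},
]

# Ordering of roles so that holding a broader role than approved is detectable.
ROLE_RANK = {"read": 1, "write": 2, "admin": 3}

# Date the review is run as of (constructed).
REVIEW_DATE = date(2014, 6, 30)


def review_access(current_access, authorizations, today):
    """Reconcile granted access against approvals and return the findings.

    Returns a dict with four lists:
      unauthorized    - accounts holding access with no approval record at all
      expired         - accounts whose approval lapsed before `today`
      excess_role     - (account, approved_role, granted_role) where the grant is broader
      orphan_approval - approvals for accounts that no longer hold access (clean-up only)
    """
    # If the register carries several approvals for one account, keep the broadest
    # so a stale narrower entry does not mask a valid wider one.
    approved = {}
    for auth in authorizations:
        prev = approved.get(auth["account"])
        if prev is None or ROLE_RANK[auth["role"]] > ROLE_RANK[prev["role"]]:
            approved[auth["account"]] = auth

    findings = {"unauthorized": [], "expired": [], "excess_role": [], "orphan_approval": []}
    for grant in current_access:
        acct = grant["account"]
        auth = approved.get(acct)
        if auth is None:
            findings["unauthorized"].append(acct)
            continue
        if auth["expires"] < today:
            findings["expired"].append(acct)
        if ROLE_RANK[grant["role"]] > ROLE_RANK[auth["role"]]:
            findings["excess_role"].append((acct, auth["role"], grant["role"]))

    held = {g["account"] for g in current_access}
    findings["orphan_approval"] = sorted(set(approved) - held)
    return findings


def run_review():
    """Run the review over the constructed sample data as of REVIEW_DATE."""
    return review_access(CURRENT_ACCESS, AUTHORIZATIONS, REVIEW_DATE)


if __name__ == "__main__":
    for category, items in run_review().items():
        print(f"{category}: {items if items else 'none'}")
```

On the sample data the review reports dave as holding access with no approval, carol’s approval as lapsed, bob as holding admin when only read was approved, and erin’s approval as orphaned. Run something like this each quarter from the real access export, have the data owner sign off on the findings, and revoke unauthorized and excess grants before the sign-off rather than after.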

If you consistently review and update your policies and systems, train your employees on those policies, and allocate sufficient resources to cybersecurity, you will have taken significant steps to reduce your risk. This should be an ongoing process, not a one-time reaction to a headline about a data breach. In this fast-moving era of hacks and viruses, a protective effort that occurs outside of IT needs to be a matter of course.

Pat Voll is a vice president at RoseRyan, where she mentors and supports the dream team, and heads up client management, ensuring all our clients are on the road to happiness. She previously held senior finance level positions at public companies and worked as an auditor with a Big 4 firm. Melette Evans, a RoseRyan senior IT guru, contributed to this blog post.

Get ready for scrutiny. One of the many challenges presented by the new revenue recognition rules is the need for companies to come up with an estimate of revenue for variable consideration instead of waiting until amounts are certain as they do under current GAAP. Determination of these estimates involves significant judgment.

If public companies recognize an estimated amount of revenue that subsequently turns out to be unjustifiably overstated, they won’t be dealing just with the problem of non-GAAP compliance. They will also face a decrease in credibility among financial analysts, possible restatement of their financials and the threat of shareholder lawsuits alleging fraud. To avoid such troubles, companies need to make their estimates as bullet-proof as possible and establish sound practices for documenting their basis for those estimates.

How to pull that off? Even though the new rules don’t go into effect until 2017, companies need to begin rethinking their revenue recognition process now to minimize their risk of off-track estimates. Yes, there’s a fair amount of work involved up-front, but there’s a payoff (hang on, we’ll explain).

The new five step process
The new rules direct companies to apply a five-step process for analyzing contracts with customers and deciding when and how they should recognize revenue. Step 3 is “Determine transaction price,” which, for variable consideration, requires companies to estimate a transaction price either as the expected value of possible outcomes (a probability-weighted estimate) or as the “most likely amount” (from a range of possible outcomes). Here’s where the challenge comes in: However a company proceeds, the rules specify that the estimate must be an amount for which it is “probable that a significant reversal in the amount of cumulative revenue recognized will not occur when the uncertainty … is subsequently resolved.”

As an example, consider the difficulty of achieving that goal in a distributor model. Many technology businesses use distributors to sell and support their products across a broad customer base. To avoid overpaying for tech products amid short life cycles and constantly decreasing prices, distributors usually insist on having price protection in their agreements. That way, they can claim a price protection rebate from the manufacturer if they have to resell a product at a price below the initial, agreed-upon margin.

Under current GAAP, a company waits to recognize revenue until the price is “fixed and determinable.” A manufacturer recognizes revenue only when its distributor has sold the product to an end customer and requested its price protection, if needed, because that’s when the price is fixed and determinable. However, under the new rules, the manufacturer will often have to record a minimum amount of revenue at the time of shipment to the distributor, meaning it will have to estimate the impact of price protection it will have to grant.

Another example is found in licensing arrangements. Many such agreements include milestone payments that are contingent either upon performance of the licensor (a performance obligation under the new rules) or upon performance of the customer, such as when a drug-development customer achieves success in a critical trial (variable consideration that the licensor might receive after performance of its obligation for delivering the license but is only receivable if the customer achieves its goal). Under current GAAP, a company excludes contingent payments from the revenue allocated under a multiple-element arrangement and recognizes such contingent payments when the contingency is resolved. But with the new rules, when a milestone is considered probable, such payments become part of the transaction price and are allocated to performance obligations. This estimation and inclusion of contingent payments when they are considered probable — and not waiting until milestones are actually achieved — could result in earlier recognition of revenue if performance obligations have already been satisfied.

How to make good estimates
We’ve told you the “why,” now here’s the “how.” The following are principles for making estimates that will be defensible and limit the risk of a restatement.

Make estimating a team sport: Although it must lead the effort, finance should harness the expertise of other relevant functions within the company to make the best estimate. This means turning to sales and marketing personnel for their knowledge of customers, pricing and timing of sales milestones. The engineering team should weigh in on the readiness of a new product or confirm whether technical problems are causing returns or rework. The operations team will need to provide input on the probability of achieving performance milestones. Some companies will need to supplement this team of internal advisors with customer staff who are in direct touch with end customers (for example, this could be distributor personnel who manage the channel).

Use the best tools for the best results: Any company affected by the new rules will need robust systems to obtain up-to-the-minute volume and pricing information to prepare its estimates for financial close.

In the distributor example, large global distributors already have excellent systems that provide bookings, billings and backlog by customer and by part, in real time. Companies using smaller and regional distributors with less sophisticated systems may need to work with them to enhance information flow to the level they need. Online software tools from third parties that are specifically built to manage the manufacturer-distributor relationship can be very helpful as well.

In other industries, tools may not be in place to make estimates at all, or they may be focused on a specific step such as allocation of revenue to multiple elements in a software licensing arrangement at the start of the contract. For these circumstances, companies will need to develop tools to monitor contingent elements and determine their probability each reporting period.

Document and disclose: Companies should systematically document how they came up with each estimate — the process used, the historical information input, the personnel involved by function, the assumptions made and the risks mitigated. They should apply a consistent approach over time. If circumstances require a change in approach, then document the change and why it was required. All this information should be archived in such a way that it can be brought out any time to compare to actual figures and explain and justify differences to auditors, financial analysts and potentially the Securities and Exchange Commission.

The new rules require companies to disclose in notes to financial statements “sufficient information to enable users of financial statements to understand the nature, amount, timing and uncertainty of revenue,” along with existing requirements to provide disclosures about significant accounting policies and critical accounting estimates. Given the increase in estimates and judgments, companies should use these disclosures to provide information on the assumptions and risks inherent in their estimates. Taken together, the documentation and disclosures should reflect how the company made a competent good-faith effort to develop its estimate.

Watch what’s on the horizon: As part of their estimation process, companies need to identify current factors that differ from prior periods that may drive estimates away from prior trend lines. Broader economic and industry trends can overwhelm their prior revenue trajectory. The financial crisis of 2008 and the tech downturn of 2000 are examples of extreme events that had a tremendous impact on the revenue estimates of companies that had nothing to do with the downturns themselves. A rising tide can lift all boats, and a swift ebb tide can strand them all on the sand.

Technology companies need to focus in particular on the impact of newly introduced and end-of-life products. A strong new product ramp can drive volumes above the trend line and improve pricing. But it can also accelerate the decline of an older product. For both large external events and tech product changes, companies should be especially careful to state their assumptions about the events and the impact on their estimates, both in their documentation and financial statement disclosures.

The plus side of this additional work
Making good estimates to meet the new rev rec rules will require companies to apply more time and thought to their revenue recognition efforts. But there’s good news in here as well: Finance teams can use this challenge as an opportunity to better understand their business, customers and products, and communicate that understanding to investors. That’s the type of scrutiny we can all root for.

Ray Solari is a member of the RoseRyan dream team. He has served as the CFO/VP finance for private companies and managed SEC reporting for public companies. He began his career at Deloitte.