In recent years, the importance of cybersecurity and risk management has grown significantly, with accountants playing a key role in assessing the resilience of organizations. Accounting firms, particularly during the preparation of annual reports, are increasingly focused on how companies manage their cyber risks. This trend aligns with frameworks such as the NBA’s guidance and legal standards like the NIS2 directive.

In this blog post, we’ll explore what accounting firms are looking for in annual reports regarding cybersecurity and risk management, and how your organization can proactively meet these expectations.

Why cybersecurity matters in financial reporting

Cybersecurity is no longer just an IT issue as it has become a business-critical concern with direct financial implications. For accounting firms, a company’s cybersecurity posture affects their evaluation of operational risks, liability exposures, and the company’s ability to remain compliant with regulatory requirements. Key areas of concern include:

• Impact of Cyber Incidents: Data breaches, ransomware attacks, or fines from non-compliance can significantly impact financial stability.
• Regulatory Requirements: Compliance with laws such as GDPR, NIS2, and sector-specific guidelines is now integral to financial accountability.
• Investor Confidence: Transparency about risks and mitigation strategies assures stakeholders that the company is managing its exposure effectively.

NBA guidelines on cybersecurity in financial reporting

The NBA (Nederlandse Beroepsorganisatie van Accountants) provides specific guidance for accountants to evaluate how companies integrate cybersecurity into their financial reporting. Key points include:

1. Risk Assessment: Companies should provide a clear overview of the cyber risks identified during the reporting period. This includes:
   
   • Nature of the risks (e.g., ransomware, phishing, supply chain risks).
   • Likelihood and impact of these risks on operations.
2. Governance and Controls: Annual reports must detail how governance structures address cyber risks. Accountants look for:
   
   • Clear roles and responsibilities in managing cybersecurity.
   • Policies and controls in place to mitigate identified risks.
3. Incident Disclosure: If the company experienced a cyber incident, the annual report should explain:
   
   • The nature and scope of the incident.
   • Steps taken to resolve it.
   • Lessons learned and implemented improvements.
4. Third-Party Risks: Increasingly, accountants are scrutinizing how companies manage risks in their supply chain. For example:
   
   • Do you monitor your suppliers’ cybersecurity posture?
   • Have you assessed dependencies that could expose your organization to indirect risks?
5. Alignment with Standards: Reports should reference adherence to recognized standards such as ISO 27001, NIST, or industry-specific frameworks.

How to prepare your annual report

To meet the expectations of accounting firms, companies should integrate the following practices into their annual reporting process:

1. Cyber Risk Documentation: Work with internal teams to identify and document cyber risks in your risk management framework. Include quantifiable data where possible to showcase thorough analysis.
2. Third-Party Monitoring: Implement tools like RiskStudio to continuously monitor the cybersecurity posture of your suppliers. Highlight these efforts in your governance disclosures.
3. Incident Response Reporting: Develop a standardized format for reporting cyber incidents, ensuring that your financial and legal teams align on the language and implications.
4. Engage Early with Your Auditor: Discuss cybersecurity topics proactively with your accounting firm to ensure alignment and avoid surprises late in the reporting process.
5. Leverage Compliance Frameworks: Demonstrate how your organization aligns with NBA guidance, NIS2 requirements, and other relevant standards.

How RiskStudio can help

RiskStudio offers robust tools to meet these requirements effectively:

• Supplier Monitoring: Continuous tracking of third-party suppliers for data breaches or cybersecurity incidents ensures your organization is informed and prepared.
• Cyber Rating Platform: Daily updated cyber ratings allow companies to benchmark their security posture and identify vulnerabilities proactively.
• Risk Transparency: RiskStudio simplifies organizing dependencies between critical assets and suppliers, enhancing reporting clarity.
• Automated Documentation: Automatically generate insights and reports aligned with the NBA-NOREA maturity model, saving time while ensuring accuracy in audits.

By leveraging RiskStudio, organizations can streamline compliance efforts, mitigate risks effectively, and provide auditors with the detailed insights needed for robust reporting.

Looking ahead: the NIS2 directive

Under the NIS2 directive, certain organizations will face stricter obligations to manage cyber risks, including mandatory incident reporting. Accounting firms are likely to use these regulations as a benchmark for evaluating your cybersecurity posture. Companies that adopt proactive measures today can stay ahead of regulatory changes and build trust with auditors.

Conclusion

Accounting firms now view cybersecurity as a critical component of financial and operational reporting. By aligning with NBA guidelines and demonstrating a robust risk management strategy, companies can provide the transparency auditors require while strengthening stakeholder confidence.