Cyber breaches surge in nonprofits: experts warn of financial statement risks
Cyber breaches are surging among not-for-profit organizations, with significant implications for financial statements, according to recent FASB advisory discussions, with one expert warning that "education is certainly very important here for the sector."
The problem is expected to intensify, potentially having very significant implications for financial statement users, said John Alfonso, partner and not-for-profit & education industry leader at CohnReznick LLP, during a meeting of the Not-for-Profit Advisory Committee (NAC) on September 10, 2024. He noted that "it's something we're going to see more of rather than less of."
Andy Gutierrez, chief financial officer at ProHealth Care, Inc., echoed the concerns, highlighting the unique risks faced by the healthcare sector. "I think there's different risks that lead to different diversity on how you disclose those," he said.
Gutierrez pointed out that cyber attacks can impact cash flows, reserving methods, and accounts receivable evaluation, particularly in the healthcare sector. However, he noted that the disclosure of these risks can be complex, especially when considering the potential disruption to patient care. "How do you really disclose both of those to the reader depending on the time frame so they're aware of what the future implications are?" he asked, citing the example of an Epic Systems Electronic Medical Record system being down and the impact on a going concern analysis.
Other NAC members weighed in on the lack of transparency and consistency in financial statement disclosures related to cyber breaches, which is a critical issue that needs to be addressed.
"I get the sense that there's diversity in practice in terms of those disclosures for business interruption contingencies impact on operations and financial position when you have an organization that might be still conducting business but has critical systems locked up," said Brian Conner, partner at Moss Adams.
The NAC is a group of experts that provides advice to the FASB on accounting and financial reporting issues specific to not-for-profit organizations. The remarks were part of discussions focused on emerging trends and notable concerns in the sector, including issues that are potentially troubling.
Existing guidance: a resource for navigating cyber breaches
Building on the remarks about education and guidance, FASB Chair Richard Jones observed that existing accounting standards can provide valuable guidance for entities navigating cyber breaches.
Jones noted that guidance on classifying business interruption insurance can be found in Accounting Standards Codification (ASC) 220, Reporting Comprehensive Income. He emphasized that this guidance can help entities understand how to account for losses and recoveries, and clarify when a contingent gain may arise.
Jones also stressed that liabilities to third parties versus disruptions to operations fall under contingency guidance, and encouraged entities to seek out this existing guidance, even if it's not located in a single, obvious place.
"Unfortunately, these are the kind of events that entities haven't experienced and then experience once and then have to go figure everything out," he said, adding that as cyber breaches become more commonplace, entities will become more accustomed to accounting for them.
We have partnered with Thomson Reuters to issue our monthly Accounting Insights. Please contact Baker Tilly if you have any questions related to these articles or Baker Tilly's Accounting and Assurance Services. ©2024 Thomson Reuters/Tax & Accounting. All Rights Reserved.
© 2024 Baker Tilly US, LLP
