Cybersecurity Risks in the Audit Process: New Threats and How Assurance Teams Are Responding
Article | July 14, 2025
Authored by Your Firm LLC
Four Days to Report: How the SEC’s New Cyber Rules Are Reshaping Audit Committee Oversight
Introduction
When the SEC’s cybersecurity incident disclosure rule took effect, it gave public companies just four business days to reveal a material breach and explain their cyber-risk governance. Unsurprisingly, audit committees have responded by putting cybersecurity at the top of their 2025 agendas; fully 31 percent of members now rank it among their three highest priorities, according to Deloitte’s latest Audit Committee Practices Report. The clock is ticking, both literally and figuratively, for boards, finance leaders, and assurance teams.
Main Point 1: The rule expands “materiality” into cyberspace
The SEC’s new Item 1.05 of Form 8-K treats a serious cyber incident much like any other material event that could affect investors’ decisions. That means audit committees must be ready to validate management’s materiality judgments, ensure incident response plans support four-day disclosure, and confirm that related internal controls over financial reporting (ICFR) can withstand PCAOB scrutiny. “Cybersecurity is now inseparable from financial statement integrity,” notes Antonina K. McAvoy, CISA, CISM, partner in MBN & Company’s Risk Advisory practice. “If a breach can hit revenue, reputation, or compliance costs, it is inherently a financial-reporting issue—and the audit committee owns that oversight.”
Main Point 2: New oversight challenges demand deeper expertise
The same Deloitte survey shows that only one-third of audit committees feel they currently have sufficient cybersecurity expertise. Yet the SEC rule requires committees to describe how they oversee cyber risk, and the IIA’s 2025 Cybersecurity Topical Requirement expects internal audit to provide independent assurance on the program. Together these mandates raise three immediate challenges: (1) Board-level fluency—directors need concise, risk-based metrics instead of technical jargon; (2) Real-time visibility—continuous monitoring and automated alerts, not annual snapshots, to detect incidents early; and (3) Stress-tested readiness—tabletop exercises that prove the enterprise can meet the four-day deadline. “A quarterly slide deck is obsolete the moment it’s printed,” warns Daniel J. Haynes, CPA, CFE, partner-in-charge of Audit & Assurance at MBN & Company. “Committees need dashboards that marry NIST control maturity with financial exposure so they can challenge management in real time.”
Main Point 3: An action plan for audit committees and assurance teams
- Embed cyber risk into the ERM framework. Use COSO’s updated guidance and map gaps against NIST or ISO 27001 to prioritize investments on a risk-weighted basis.
- Rehearse the four-day disclosure drill. Run cross-functional simulations that walk through breach detection, legal review, and 8-K drafting—then fine-tune playbooks based on lessons learned.
- Upgrade internal audit’s toolkit. Adopt automated vulnerability scanning and data analytics so auditors can validate control effectiveness continuously, not just during annual fieldwork.
- Strengthen talent and reporting lines. Add at least one cyber-literate director or outside advisor, and ensure the CISO has direct access to the audit committee for unfiltered briefings.
Conclusion & Call to Action
The SEC has shortened the breach-to-disclosure window, but proactive audit committees can close the readiness gap even faster by embedding cyber oversight into their core governance processes. MBN & Company’s integrated audit, risk, and cybersecurity teams help boards do exactly that—from incident-response war-gaming to real-time ICFR analytics. Ready to stress-test your cyber disclosure plan? Contact our Risk Advisory practice today to schedule a no-obligation readiness assessment and move your organization forward with confidence.