Yes! ITAD Falls Under Cybersecurity; Get Ready for What Comes Next!

The Oxford dictionary defines Cybersecurity as “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.”

Hard to argue with that; it’s succinct, clear, and broad.

So, with that definition in mind, it would be hard to argue that restricting access to the hardware (IT assets) on which electronic data is recorded does not fall under that definition. Not only are these devices full of electronic data, but they also may hold the key to accessing an organization’s network of active IT assets.

ITAD falls under Cybersecurity!

And it is not just the Oxford dictionary that agrees:

• The National Institute for Standards and Testing (NIST) Framework for Improving Critical Infrastructure Cybersecurity, for instance, mandates that, “Assets are formally managed throughout removal, transfers, and disposition.”
• The Association of International Certified Public Accountant (AICPA)—the body responsible for the SOC I & SOC II attestations—provides another example, saying in its Cybersecurity Checklist that organizations should, “document all firm-owned equipment, utilize inventory tags to track firm-owned equipment, document acquisitions, assignments, and dispositions, including procedures to properly dispose of devices that might contain client data.”
• In its Report on Cybersecurity Practices, the Financial Industry Regulatory Authority (FINRA) advises its members to create processes for the secure disposal of computer hardware listed in the firm’s inventory that may contain sensitive information.

Of course, ITAD service providers are all too happy to agree. Why not? If ITAD belongs to Cybersecurity, then its importance is dramatically increased within the business community.

ITAD living within the world of Cybersecurity means it has to be taken seriously.

But that is another side to this that creates both a challenge and an opportunity.

In May of 2022, deeming Cybersecurity exposures material to investor protection, the SEC released a proposal to require publicly-traded companies and investment firms to attest and affirm:

• Policies and procedures identifying and managing Cybersecurity risks
• Management’s role in executing those Cybersecurity policies and procedures
• Board of directors’ responsibility for Cybersecurity

Aware that SEC proposals rarely go unheeded, all of the major accounting firms are already citing this proposal, and have flagged Cybersecurity disclosures and related attestations as something for which their clients should be preparing. If ITAD lives in Cybersecurity (as we’ve already established), then it follows that ITAD practices will surely be put under a microscope insofar as such auditing fiduciaries are bound by law to sign off on such required “attestations and findings,” and similarly required to issue their dreaded “deficiencies” when their clients come up short.

The Rub

It is commonly known that client-side ITAD implementation is often logistically-oriented. And, while data security is certainly a consideration, strict attention to data protection regulatory compliance is often overlooked. It is also commonly known that ITAD inventories and reconciliations often do not account for missing IT assets during the disposition process.

Technically, every unreconciled IT asset qualifies as a potential breach incident requiring a incident investigation at minimum. This is not some future requirement. It’s right now. Today.

Does anyone reading this believe that ignoring missing IT assets will continue when fiduciary auditors are asked to sign off on their clients’ ITAD procedures? Or when Boards of Directors are held responsible? Or when every missing IT asset is considered to be a landmine floating uncontrolled and risking a data breach in perpetuity? The answer is NO!

When client ITAD succumbs to such high-level scrutiny—as is inevitable—ITAD will no longer serve as a plausible way to hide sloppy tracking, inaccurate reconciliations, or missing assets.

Is ITAD being elevated to the level of Cybersecurity a good thing? Yes! It’s about time. As for ITAD service providers, whether it’s good or not depends on their readiness to respond with policies, systems, and advice that does not mask the issue of inventorying and reconciliation, but instead, turns ITAD inventorying and reconciliation into a value-added service.