Recently the American Institute of Certified Professional Accountants (AICPA) issued guidance relating to a cybersecurity risk management reporting framework. The new "System and Organization Controls (SOC) for Cybersecurity" guidance provides a common language for organizations to use in describing their cybersecurity risk management program effectiveness. Put simply, it establishes baseline standards for auditors to confirm independently that an organization’s cybersecurity preparedness meets acceptable guidelines. Such attestation represents a new opportunity for gaining assurance about cybersecurity and it is not without cost. So why is it important, and to whom?
Many senior leaders and board members worry about the effectiveness of their organizations’ cybersecurity measures and desire verification to obtain assurance. The potential of significant financial and reputational risks outweighs the effort and cost of achieving greater confidence.
However, external stakeholders will likely drive the majority of initial interest in cybersecurity risk management reporting via the new SOC for Cybersecurity guidance. Those seeking to minimize risk – lenders, investors and analysts, M&A attorneys and advisors, insurance providers and regulators – may see an immediate benefit by obtaining a SOC for Cybersecurity as part of their due diligence.
Organizations that fail to prepare adequately for cybersecurity breaches expose themselves to substantial risks. Most cybersecurity experts agree that a breach is not a matter of “if,” but a matter of “when.” A recent survey of CEOs found 80 percent had experienced cybercrimes.[1] One could argue – quite reasonably, given the months and years it can take to recognize a breach – that the other 20 percent simply don’t know it yet.
Cybersecurity risk management reporting gives organizations the objective assurance that the appropriate systems, processes and controls exist to manage a cyberattack.
Broadly speaking, the risk posed by cybersecurity breaches takes on three key forms:
The AICPA’s SOC for Cybersecurity guidance provides an important tool for defining the increasingly valuable role that controls assurance plays in effective cybersecurity. Practically speaking, the guidance helps organizations understand what they should have in place to evaluate their cybersecurity controls.
The guidance lays out nine categories to describe and assess an organization’s cybersecurity framework. These include:
Within each of the nine categories, the final guidance presents 26 related points of focus to help explain relevant aspects of the organization’s cybersecurity risk management program.
For example, a SOC 2® report enables service providers such as cloud storage, payroll or payment entities to report on the security processes designed to protect their customers’ data. SOC 2® reports enable customers to assess the security of their service organizations’ customer-facing systems and their ability to mitigate technical risks. Cybersecurity reporting, on the other hand, addresses enterprise-wide security and its ability to mitigate business risks.
Cybersecurity risk management reporting also strengthens governance approaches as outlined in the "Director’s Handbook on Cyber-Risk Oversight" by the National Association of Corporate Directors (NACD). The handbook lays out five principles for board-level oversight. These include understanding the risks, recruiting board-level expertise, hiring the right people, investing in solutions and understanding how to mitigate risk. Cybersecurity risk management reporting builds on these NACD principles to give boards and organization leadership the assurance that the organization delivers on the five principles at a practical level.
Cybersecurity risk management reporting does not provide a cure or panacea. It cannot guarantee that an organization won’t be breached. Instead, it demonstrates that an organization is prepared to effectively and efficiently prevent or detect, respond to and recover from a breach.
The financial, reputational and legal risks outlined above intensify in the context of inadequate preparation. If a breach goes undetected for an extended period of time, involves significant amounts of sensitive data or involves improper, ill-timed or insufficient notifications to affected parties, the associated costs increase dramatically.
Yahoo did not detect its widely publicized 2014 breach for two years. The U.S. Office of Personnel Management left government employees’ data exposed for a full year. In these cases, it wasn’t the breaches themselves that did the damage; it was the time it took to detect, respond and recover.
There are many stakeholders whose interests and decision-making depend on accurately assessing cybersecurity preparedness and risk. These parties will be well-advised to integrate cybersecurity risk management reporting into their due diligence. They include:
Certain industries and types of organizations may begin to feel greater pressure to undergo cybersecurity reporting. Financial institutions, information systems companies, insurance and healthcare providers, large retailers and publicly traded companies are just a few of the players already facing greater scrutiny of their cybersecurity frameworks.
Organizations of all shapes and sizes face cyber risks. As with most things related to cybersecurity, it is not a matter of if, but a matter of when. Some will seek to transfer these risks to insurance carriers. Others will create ad-hoc solutions or simply hope for the best. Those looking to ensure their own security controls and protect their business interests will stay ahead of the curve by making the necessary investments before a devastating breach occurs.
Whether or not an organization chooses to undergo cybersecurity risk management reporting proactively, stakeholder pressure to prove its cybersecurity risk management capabilities will continue to grow. The universe of possible circumstances and vested third parties demonstrates a clear need for objective cybersecurity reporting. Cybersecurity reporting will strengthen an organization’s profile and demonstrate that it proactively manages risk.
For more information on this topic, or to learn how Baker Tilly SOC reporting specialists can help, contact our team.
[1] 2015 Duke University/CFO Magazine Global Business Outlook Survey of CFOs.
[2] 2016 Cost of Data Breach Study: United States. IBM and Ponemon Institute.
[3] “86% of customers would shun brands following a data breach,” Semafone, 2014.