Cybersecurity risk management reporting framework can provide a key component of an organization’s risk management program

Recently the American Institute of Certified Professional Accountants (AICPA) issued guidance relating to a cybersecurity risk management reporting framework. The new "System and Organization Controls (SOC) for Cybersecurity" guidance provides a common language for organizations to use in describing their cybersecurity risk management program effectiveness. Put simply, it establishes baseline standards for auditors to confirm independently that an organization’s cybersecurity preparedness meets acceptable guidelines. Such attestation represents a new opportunity for gaining assurance about cybersecurity and it is not without cost. So why is it important, and to whom? 

Many senior leaders and board members worry about the effectiveness of their organizations’ cybersecurity measures and desire verification to obtain assurance. The potential of significant financial and reputational risks outweighs the effort and cost of achieving greater confidence.

However, external stakeholders will likely drive the majority of initial interest in cybersecurity risk management reporting via the new SOC for Cybersecurity guidance. Those seeking to minimize risk – lenders, investors and analysts, M&A attorneys and advisors, insurance providers and regulators – may see an immediate benefit by obtaining a SOC for Cybersecurity as part of their due diligence.

Breaches pose a significant risk

Organizations that fail to prepare adequately for cybersecurity breaches expose themselves to substantial risks. Most cybersecurity experts agree that a breach is not a matter of “if,” but a matter of “when.” A recent survey of CEOs found 80 percent had experienced cybercrimes.[1] One could argue – quite reasonably, given the months and years it can take to recognize a breach – that the other 20 percent simply don’t know it yet.

Cybersecurity risk management reporting gives organizations the objective assurance that the appropriate systems, processes and controls exist to manage a cyberattack.

Broadly speaking, the risk posed by cybersecurity breaches takes on three key forms:

• Financial: Irrespective of industry, organization size or type of attack, data breaches present substantial costs. These costs include everything from technology investments, legal fees, notification costs and lost sales. A 2016 study of 64 organizations that had experienced a data breach noted an average total cost per breach of $7 million.[2]
• Reputational: Cyberattacks can be public relations disasters and create intense fallout from a consumer standpoint. One survey found that 86 percent of consumers were unlikely to do business with an organization following a breach of sensitive data.[3]
• Compliance/legal: The labyrinth of complex cybersecurity laws varies based on a variety of factors, including location, industry, type of data and type of breach. Failure to comply exposes an organization to lawsuits, regulatory scrutiny and punitive action. Numerous federal agencies – from the Federal Trade Commission and Department of Defense to Health and Human Services, to name a few – can take action for failure to safeguard information adequately. Likewise, private sector suits brought by consumers and employees are becoming commonplace.

AICPA guidance adoption elevates confidence in an organization’s preparedness

The AICPA’s SOC for Cybersecurity guidance provides an important tool for defining the increasingly valuable role providing controls assurance plays in effective cybersecurity. Practically speaking, the guidance helps organizations understand what they should have in place to evaluate their cybersecurity controls.

The guidance lays out nine categories to describe and assess an organization’s cybersecurity framework. These include:

1. Nature of the business and operations
2. Nature of information at risk
3. Cybersecurity risk management program objectives
4. Factors that have a significant effect on inherent risks related to the use of technology
5. Cybersecurity risk governance structure
6. Cybersecurity risk assessment process
7. Cybersecurity communications and quality of cybersecurity information
8. Monitoring of the cybersecurity risk management program
9. Cybersecurity control processes

Within each of the nine categories, the final guidance presents 26 related points of focus to help explain relevant aspects of the organization’s cybersecurity risk management program.

Cybersecurity risk management reporting adds to existing resources

For example, a SOC 2© report enables service providers such as cloud storage, payroll or payment entities to report on the security processes designed to protect their customer’s data. SOC 2© reports enable customers to assess the security of their service organizations’ customer-facing systems and their ability to mitigate technical risks. Cybersecurity reporting, on the other hand, addresses enterprise-wide security and its ability to mitigate business risks.

Cybersecurity risk management reporting also strengthens governance approaches as outlined in the "Director’s Handbook on Cyber-Risk Oversight" by the National Association of Corporate Directors (NACD). The handbook lays out five principles for board-level oversight. These include understanding the risks, recruiting board-level expertise, hiring the right people, investing in solutions and understanding how to mitigate risk. Cybersecurity risk management reporting builds on these NACD principles to give boards and organization leadership the assurance that the organization delivers on the five principles at a practical level.

Cybersecurity risk management reporting improves preparedness

Cybersecurity risk management reporting does not provide a cure or panacea. It cannot guarantee that an organization won’t be breached. Instead, it demonstrates that an organization is prepared to effectively and efficiently prevent or detect, respond to and recover from a breach.

The financial, reputational and legal risks outlined above intensify in the context of inadequate preparation. If a breach goes undetected for an extended period of time, involves significant amounts of sensitive data or involves improper, ill-timed or insufficient notifications to affected parties, the associated costs increase dramatically.

Yahoo did not detect its widely publicized 2014 breach for two years. The U.S. Office of Personnel Management left government employees’ data exposed for a full year. In these cases, it wasn’t the breaches that did the damage, it was the time it took to detect, respond and recover.

Cybersecurity risk management reporting gives organizations the objective assurance that the appropriate systems, processes and controls exist to manage a cyberattack.

Cybersecurity reporting enhances due diligence

There are many stakeholders whose interests and decision-making depend on accurately assessing cybersecurity preparedness and risk. These parties will be well-advised to integrate cybersecurity risk management reporting into their due diligence. They include:

• Lenders: Providers of financing have an interest in confirming the stability of their debtors’ cybersecurity frameworks. In fact, some lenders already include third-party cybersecurity review as a condition of closing. Cybersecurity risk management reporting could fill such a need.
• Investors and analysts: Cybersecurity preparedness provides an indicator of an organization’s overall health and certainly a predictor of any issues that could arise in the near-term. As such, analysts are likely to take an interest in cybersecurity as part of overall efforts to assess vulnerabilities.
• M&A attorneys and advisors: With the value of data at a premium and a well-documented gap between the time of a breach and detection, those involved in M&A transactions could see cybersecurity risk management reporting as an element of due diligence in understanding the value and risks associated with the transaction.
• Insurance providers: While important, insurance isn’t the foolproof safety net some organizations think it is. Sony, Cottage Healthcare Systems and P.F. Chang’s have all been involved in costly legal battles with their insurers over what losses their cyber insurance policies actually cover. As costly cyberattacks continue, insurance companies are likely to step up efforts to assess the risk of cyber policies. Cybersecurity risk management reporting could serve as a valuable tool in such efforts.
• Regulators: Cybersecurity risk management reporting can provide a layer of compliance documentation for government agencies responsible for protecting national security, consumer interests, infrastructure and trade practices. 

Certain industries and types of organizations may begin to feel greater pressure to undergo cybersecurity reporting. Financial institutions, information systems companies, insurance and healthcare providers, large retailers and publicly traded companies are just a few of the players already facing greater scrutiny of their cybersecurity frameworks.

Bottom line: Cybersecurity reporting improves an organization’s risk profile

Organizations of all shapes and sizes face cyber risks. As with most things related to cybersecurity, it is not a matter of if, but a matter of when. Some will seek to transfer these risks to insurance carriers. Others will create ad-hoc solutions or simply hope for the best. Those looking to ensure their own security controls and protect their business interests will stay ahead of the curve by making the necessary investments before a devastating breach occurs.

Whether or not an organization chooses to undergo cybersecurity risk management reporting proactively, stakeholder pressure to prove its cybersecurity risk management capabilities will continue to grow. The universe of possible circumstances and vested third parties demonstrates a clear need for objective cybersecurity reporting. Cybersecurity reporting will strengthen an organization’s profile and demonstrate that it proactively manages risk.

Download this article >

For more information on this topic, or to learn how Baker Tilly SOC reporting specialists can help, contact our team.

[1] 2015 Duke University/CFO Magazine Global Business Outlook Survey of CFOs.

[2] 2016 Cost of Data Breach Study: United States. IBM and Ponemon Institute.

[3] “86% of customers would shun brands following a data breach,” Semafone, 2014.