The SEC recently released a new cyber disclosure rule requiring public companies to disclose information about their cybersecurity governance practices as well as impacts associated with material cyber incidents. While they include information on what is required to be disclosed, they don’t address how organizations might design their processes and controls to accurately address those disclosure requirements. One approach may be to utilize the American Institute of Certified Public Accountants (AICPA) cybersecurity risk management framework. The framework was published in anticipation of an increased need for more organizations to disclose what their cybersecurity risk management programs look like.
While organizations have several options for how best to address and comply with the new SEC rule, leveraging AICPA’s robust framework may prove to be the most helpful and direct approach when implementing cyber governance, oversight and risk management activities.
Through 19 different description criteria, the AICPA framework presents a broad focus covering the entire cyber risk management governance structure — including the policies, processes and controls that tie it all together.
The advantage of the AICPA framework is it makes you put pen to paper on this question. It forces you to think about your inherent cybersecurity risk, your cybersecurity risk governance structure and assessment process, your cybersecurity communications (and the quality of information therein), how you monitor your cybersecurity risk management program, your control processes and much, much more.
But the true benefit of such a robust framework is that it aligns nicely with SEC disclosure requirements. The AICPA cybersecurity risk management reporting framework addresses topics consistent with the adopted SEC cyber disclosure rule, including:
In short, utilizing the AICPA framework to develop, define and optimize your cyber risk management program in accordance with the SEC disclosure rule allows you to:
True, working through the AICPA framework is often a daunting process filled with tough questions — but this process and these questions help you discover a better understanding where you may need to shore things up, or dedicate further management attention, or better educate your board, or bring in different expertise at different levels to permeate through your entire organization.
Analyze and document your existing cybersecurity risk management program against both the AICPA description criteria and the SEC cyber disclosure rule (which should come up naturally as you dig through the AICPA framework).
Through the comparison process, discover potential gaps and weaknesses in your program measured against the AICPA criteria and SEC requirements.
Rectify the gaps and weaknesses identified above and implement improvements to mitigate these risks in your program moving forward.
After you’ve identified and remediated any gaps between your current program and the AICPA/SEC guidance, regularly monitor and evaluate the maturity of your program controls, execution processes and testing/optimization efforts.
Through a continual process of the above steps, implement necessary improvements to your program on an ongoing basis according to your risk appetite. It’s important to note, you’ll probably never be “done” with your cyber risk management program. Every year is simply a new iteration in which emerging risks, new landscapes, organizational changes, market changes and the like necessitate an ongoing, proactive effort to this end.