While organizations today enjoy the benefits of having systems connected to cyberspace, they must contend with the significant risks of theft, fraud, and abuse. Therefore, organizations must take an active role in mitigating these risks. As potential threats become more sophisticated and frequent, cybersecurity has become a top issue for management, boards of directors, and audit committees. There is an interest in timely and useful information to validate that organizations have adequately identified and mitigated risks, and that processes are in place to minimize damage, recover data, and ensure continuous operations in the event of a breach.
Recognizing these trends, the American Institute of Certified Public Accountants (AICPA) has recently issued the Cybersecurity Risk Management Reporting Framework. This guidance helps organizations develop and communicate their cybersecurity risk management programs. Organizations can now engage CPAs to examine and provide an opinion on the design and effectiveness of their cybersecurity risk management programs. This examination service is part of the System and Organization Controls (SOC) set of attestation services. Organizations may already be familiar with SOC 1, 2, and 3 services.
The Cybersecurity Risk Management Reporting Framework comprises the following components:
Management’s Description of an Entity’s Cybersecurity Risk Management Program (Description Criteria)
These criteria have been developed as a tool to help an organization explain its risk management program in a consistent and understandable manner. The description criteria are categorized into various sections, a few of which address the nature of information at risk, program objectives relating to the confidentiality and integrity of data, significant cybersecurity risks, and the cybersecurity risk governance structure.
Trust Services Control Criteria for Security, Availability and Confidentiality (Control Criteria)
These criteria are a tool for organizations and CPAs to use in evaluating the effectiveness of controls within an organization’s cybersecurity risk management program. This tool will be quite valuable to an organization’s management in developing and monitoring its cybersecurity risk program, whether or not the organization plans to report externally.
As potentially damaging cyberattacks continue to affect more organizations, and as news about cybersecurity, hacking, ransomware, and data breaches becomes commonplace, organizations are becoming increasingly concerned about their susceptibility.
Here are some questions organizations should answer to evaluate their risk:
- Have we identified all the types of sensitive data in our organization, and do we have an inventory of where that data resides?
- How well-protected is our high-value and sensitive information?
- How often do we assess our susceptibility to compromised data, and what were the results of the most recent test?
- How quickly would we know if we had a security breach?
- Do we have a plan of action in place in the event of a breach?
- Do we have cybersecurity insurance coverage, and what are its limitations?
- Do our cybersecurity functions have access to adequate resources?
In our ongoing efforts to ensure that we provide relevant and valuable services, Windes has developed a cybersecurity practice that can help identify, evaluate, measure, and manage cybersecurity risks. In addition, we encourage you to explore the AICPA’s Cybersecurity Resource Center, which is hosted on the AICPA website and contains a number of tools, training, and relevant articles that are useful to organizations and their boards.