While organizations today enjoy the benefits from having systems connected to cyberspace, they must contend with the significant risks of theft, fraud, and abuse. Therefore, it is necessary for businesses to take an active role in mitigating these risks. As potential threats become more sophisticated and frequent, cybersecurity has become a top issue for boards of directors, management, investors, customers and other key stakeholders. These stakeholders have an interest in timely and useful information to validate that risks are adequately identified, properly mitigated, and that processes are in place to minimize damage, recover data, and ensure continuous operations in the event of a breach.
Recognizing these trends, the American Institute of Certified Public Accountants (AICPA) has recently issued the Cybersecurity Risk Management Reporting Framework. This guidance helps organizations develop and communicate on their cybersecurity risk management program. Organizations can now engage CPAs to examine and provide an opinion on the design and effectiveness of their cybersecurity risk management program. This examination service is part of the System and Organization Controls (SOC) set of attestation services. Organizations may already be familiar with SOC 1, 2, and 3 services.
The Cybersecurity Risk Management Reporting Framework comprises the following components:
- Management’s Description of an Entity’s Cybersecurity Risk Management Program (Description Criteria) – These criteria have been developed as a tool to help an organization explain its risk management program in a consistent and understandable manner. The description criteria are categorized into various sections, a few of which address the nature of information at risk, program objectives relating to the confidentiality and integrity of data, significant cybersecurity risks, and the cybersecurity risk governance structure.
- Trust Services Control Criteria for Security, Availability and Confidentiality (Control Criteria) – These criteria are a tool for organizations and CPAs to use in evaluating the effectiveness of controls within an organization’s cybersecurity risk management program. This tool will be quite valuable to an organization’s management in developing and monitoring its cybersecurity risk program, whether or not the organization plans to report externally.
As potentially damaging cyberattacks continue to affect more organizations, and as news about cybersecurity, hacking, ransomware, and data breaches becomes commonplace, organizations are becoming increasingly concerned about their susceptibility.
Here are some questions an organization should answer to evaluate its risk:
- Have we identified all the types of sensitive data in our organization, and do we have an inventory of where that data resides?
- How well-protected is our high value and sensitive information?
- How often do we assess our susceptibility to data compromise, and what were the results of the most recent test?
- How quickly would we know if we had a security breach?
- Do we have a plan of action in place in the event of a breach?
- Do we have cybersecurity insurance coverage, and what are its limitations?
- Do our cybersecurity functions have access to adequate resources?
In our ongoing efforts to ensure that we provide relevant and valuable services, Windes has developed a cybersecurity practice that can help identify, evaluate, measure, and manage cybersecurity risks.