The American Institute of Certified Public Accountants (AICPA) recently released two exposure drafts on criteria for cybersecurity. The first, Proposed Description Criteria for Management's Description of an Entity's Cybersecurity Risk Management Program, is entirely new. This draft gives organizations guidelines on how to create and document their cybersecurity risk management program. It also sets forth standards for public accounting firms to report on such programs. In other words, it provides clear guidance for CPAs to provide assurance on cybersecurity.
The other exposure draft is a revision. The Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy will replace the current criteria used by public accounting firms to perform SOC 2 and SOC 3 examinations. Under the proposed revision, these firms will also be able to perform the newly proposed cybersecurity examination.
There are a number of cybersecurity frameworks, but none of them was specifically designed for preparing a description of an organization's cybersecurity risk management program of the kind required by the proposed standards. The proposed AICPA criteria are primarily based on the Internal Control – Integrated Framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), most recently revised in 2013.
There are five COSO components: control environment, communication and information, risk assessment, control activities, and monitoring. Within these five components, the framework sets forth 17 principles. The proposed examination uses all of these, but also adds three additional criteria focused on cybersecurity risks: logical and physical access controls, system operations, and change management.
A cybersecurity risk management program should cover, among other things:
- Comprehensive policies covering all areas of your organization’s information systems
- All of the processes involved in the operation of your information systems
- Controls to protect digital information and systems
- How those controls address the risks facing your organization
- How security events are detected, responded to, and mitigated
- How your organization recovers (on a timely basis) from security events that aren’t prevented
The proposed cybersecurity examinations will be performed in accordance with the AICPA Statements on Standards for Attestation Engagements. If your organization has ever had a SOC 2 report engagement performed, the cybersecurity examination will follow many of the same principles. Even if your organization hasn't had a SOC 2 examination performed, you may be able to request a SOC 2 report from one of your vendors. Payroll is one of the most commonly outsourced functions, so your organization may already have a copy of your payroll vendor's SOC 2 report available.
The AICPA is soliciting comments on both of these exposure drafts. Firms and organizations alike have an opportunity to influence the final version of both sets of criteria. Each organization and industry has a unique array of challenges, objectives, and opportunities. The greater the diversity of entities that comment, the more robust and comprehensive the set of criteria and guidance will be. The comment period closes on December 5th, 2016.