During 2017, the AICPA issued a formal framework to allow independent accounting firms to attest to the cybersecurity related posture for companies. In connection with this issuance, firms are able to help companies assess their current environment prior to the actual audit. The goal of this assessment is to allow companies to prepare for the audit to ensure their control environment is sufficient to pass the rigorous SOC for Cybersecurity audit. Ultimately, this will allow for an annual SOC for Cybersecurity report to be provided to its customers, vendors, and investors showing that the company has adequate internal controls in place around cybersecurity.
As is the case with implementing any new security framework, companies need to gauge where they stand with regards to their policies and controls before being formally reviewed. A readiness assessment is typically suggested in order to go through each area of the control framework and determine whether the company has adequate controls and policies in place. Because no one is perfect, the readiness assessments usually point out areas where improvements need to be made. I always tell clients that ‘Rome was not built in a day.’
Over the past year, we have been fortunate to help several clients with their SOC for Cybersecurity readiness assessments with the intention of working toward formal SOC reports in the near future. The readiness assessment process has been enlightening and has pointed out lessons that may help other companies as they consider the SOC for Cybersecurity. Here’s what we've learned:
- Companies haven’t identified the cybersecurity-related controls that they have in place and formally created policies/procedures to reflect these. Management typically thinks that cybersecurity is just an issue handled by the IT department, but in actuality, it has to be widely embraced by the whole organization. It should be emphasized that cyber risk is business risk. A variety of departments should be involved with the development of policies/procedures to ensure a thorough understanding and management should encourage organization-wide buy-in.
- Companies have inadequate processes in place to monitor network and application activity/audit logs. With companies relying so heavily upon their network and applications recently, risks related to inappropriate administrative activity, excessive vendor access, reviews of sensitive company information by unauthorized employees, and potential hacking activity are at the forefront. Automated logging tools or services are a necessity for companies to proactively monitor activity and be alerted if something suspicious may occur. Manual reviews of thousands of pages of network and application logs are not effective, and the majority of issues will never be identified.
- Executive management and boards of directors are not highly educated on the topic of cybersecurity. The SOC for Cybersecurity framework encourages boards of directors to bring on members that have dedicated knowledge and experience related to cybersecurity to help guide future decisions. These board members also help educate other members on more complicated topics, such as the importance of security, while advocating for future initiatives. Board members should also be provided annual training related to cybersecurity to help better make future decisions on behalf of the company.
- Companies have not taken the initiative to purchase cyber insurance. With the barrage of news stories focused on malicious hacking and data breaches, no company is immune. Executive management should perform adequate research related to their cyber insurance options and ensure that adequate coverage is provided. Forensic investigation related services should also be considered when reviewing the insurance policies.
- Disaster Recovery and Incident Response plans have either not been created or have not been updated in many years. With cyber risks affecting the continuity of operations for a company, it is imperative for management to develop and test disaster recovery and incident response plans that take into consideration this type of risk. From a review of many plans,we have observed that they only focus on how a company would react to environmental risk, such as tornadoes and storms. Management should redirect their focus when developing or updating plans and include information on how to respond to cyberattacks.
- Cybersecurity risk hasn’t been considered when managing vendors. With vendor management being a hot button topic, many companies haven’t considered asking their vendors how they handle the security of information. Management should consider amending vendor contracts to stipulate that sensitive company data be handled in a secure fashion, such as encryption of data at rest and in transit, and that vendors provide annual assurance that controls are in place (e.g., through SOC related reports or risk assessments). Management should also ensure that verbiage related to data breach notification be included in vendor contracts and Business Associate Agreements (“BAAs”), specifying that a vendor will contact the company within a specified period of time if a breach occurs.
- Companies are not performing consistent comprehensive network penetration tests. The SOC for Cybersecurity framework focuses heavily upon the need for proactive threat monitoring and having independent assessments performed by qualified service providers. We have observed that many companies have either never performed a network penetration test or only do so every few years. Inconsistent penetration testing puts a company at greater risk. Cyber threats are ever evolving and it is difficult to employ staff with sufficient knowledge and experience to address these threats. In order to meet the requirements spelled out in the framework, management should be able to show that penetration tests are being performed at least annually and that an adequate remediation process is in place for addressing identified vulnerabilities. Management may also consider implementing a monthly process where vulnerability scans are performed and high-risk patches/updates are reviewed and installed on the company’s network.
With the state of the business world and the never-ending news of cyberattacks, the issuance of an annual SOC for Cybersecurity report offers assurance that a company is taking the topic of cybersecurity seriously and is making regular strides in keeping security at the forefront. Cybersecurity is no longer a topic relegated to the dark corners of the IT department but should be a companywide initiative as it affects reputation, continuity of operations, business relationships, and investor confidence.