Earlier this year, the AICPA’s Center for Audit Quality (CAQ) released their Cybersecurity Risk Management Oversight: A Tool for Board Members. In this document are questions to help direct a conversation to understand the relationship between cybersecurity risk oversight and disclosures.
These questions are grouped into four areas:
I. Understanding how the financial statement auditor considers cybersecurity risk
II. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures
III. Understanding management’s approach to cybersecurity risk management
IV. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management.
When viewed in order of importance, these areas may be slightly out of order. While numbers I. and II. are very important and necessary, this regulatory reporting comes after the fact and relate to a recounting of the previous period. Of course, number IV. is the sales pitch. However, number III. stands out as potentially the most important.
This third area is about the organization as a whole.To get to the point of reporting on cybersecurity disclosures during the year, one must first understand their current cybersecurity posture and what management is doing to manage the cybersecurity risk.A key point to remember is that cybersecurity risks are not one dimensional. Cybersecurity is an enterprise-wide issue and a cybersecurity incident can:
- Cause lasting damage to the organization’s reputation
- Lead to a loss of intellectual property
- Cause downtime in the operations of the business
- Have significant direct financial costs through fines, penalties and legal remediation
Those charged with governance of an organization must be more technologically savvy than ever before. They must truly understand the risks and processes that management has in place to combat that risk. To address this, the AICPA has designed the System and Organization Controls for Cybersecurity (SOC for Cybersecurity). As opposed to the more limited audience of something like a SOC 2 examination, the SOC for Cybersecurity is intended for a broader range of users that include management, directors, and ultimately anyone whose decisions may be impacted by the organization’s cybersecurity posture.
The information presented by the SOC for Cybersecurity examination is much more informative in nature and provides a comprehensive view of the risk management program by considering the:
- Nature of information at risk
- Cybersecurity risk management program objectives
- Factors that have a significant effect on inherent cybersecurity risks
- Cybersecurity risk governance structure
- Cybersecurity risk assessment process
- Monitoring of the cybersecurity risk management program
- Cybersecurity control process
As technology environments continue to increase in complexity and regulatory agencies continue to focus on cybersecurity, directors need to arm themselves with the knowledge and expert support necessary to mitigate the risk. Designed from the ground up as an effective means of identifying weaknesses in the design of a risk management program, the SOC for Cybersecurity is designed to help provide insights into the enterprise cyber environment and help to make informed decisions going forward.
For lessons learned from SOC for Cybersecurity readiness assessments, check out an article by my colleague, Bryan Allison.