The Age of Cybersecurity
In today’s world, information systems are incredibly interconnected, but this comes with a price. Because most organizations conduct some portion of their business in cyberspace, they open themselves up to a new level of risk. Who they are, what they do, and what information they possess can make businesses targets for malicious attackers. Reputational damage, disruption of business operations, fines, litigation, and loss of business can all be consequences of a cybersecurity attack. It’s more important than ever to demonstrate the extent and effectiveness of your organization’s cybersecurity risk management program.
The amount of senior management that acknowledge the new risks coming from doing business in cyberspace is increasing every day; we can see that just from the more prevalent use of the term cybersecurity instead of information security. Senior management needs information about their organization’s cybersecurity risk management program in order to meet business and cybersecurity objectives. Boards of directors, analysts, investors, business partners, industry regulators, and users may also ask for this information to fulfill their own oversight responsibilities. But what can senior management provide that outlines the effectiveness of their organization’s cybersecurity risk management program?
The AICPA saw a need in the industry that it could fill: a general use report that describes an organization’s cybersecurity risk management program and verifies the effectiveness of its controls. Thus, SOC for Cybersecurity was created. In April 2017, the AICPA announced its new cybersecurity risk mangement reporting framework, paired with a market-driven, voluntary SOC for Cybersecurity examination. Could your organization benefit from a SOC for Cybersecurity examination? Let’s find out.
What is the Cybersecurity Risk Management Framework?
Before we dive in deeper, let’s define some terms set out by the AICPA, including:
- Cybersecurity: The processes and controls implemented to manage cybersecurity risks.
- Cybersecurity Risks: A subset of information security risks, specifically related to the connection to and use of cyberspace.
- Cybersecurity Risk Management Program: The set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of an organization’s cybersecurity objectives and to detect, respond to, mitigate, and recover from security events that are not prevented.
- Cybersecurity Risk Management Framework: A way for CPAs to examine and report on management-prepared information on their cybersecurity risk management program.
If you’ve already implemented a cybersecurity risk management program at your organization, you probably realized that there’s no widely-accepted approach for cybersecurity assessments. You may have found useful information from other frameworks, such as the NIST Cybersecurity Framework or ISO 27001, but piecing together which information is best practice or which applies to your organization is difficult. The AICPA recognized the burden placed on organizations that are trying to develop an effective cybersecurity risk management program. The objective of the AICPA’s new cybersecurity risk management framework is to reduce that compliance burden by providing common criteria for assessing a cybersecurity risk management program’s effectiveness and establishing best practices. This cybersecurity risk management framework is beneficial to a broad range of users, scalable, and evolving alongside the threat landscape.
The cybersecurity risk management framework is a key component of the newest addition to the AICPA’s System and Organization Controls (SOC) suite of services.
What is SOC for Cybersecurity?
A SOC for Cybersecurity examination is how a CPA reports on an organization’s cybersecurity risk management program. Its intent is to communicate information regarding an organization’s cybersecurity risk management efforts, which can give boards of directors, analysts, investors, business partners, industry regulators, and users an entity-wide perspective and confidence in an organization’s cybersecurity risk management program.
A SOC for Cybersecurity examination reports on three elements:
- Management’s Description: The management-prepared description of an organization’s cybersecurity risk management program, including key cybersecurity policies and procedures, how the organization manages cybersecurity risks, and how it determines which systems and information are sensitive. This gives readers context and an understanding of the organization’s cybersecurity risk management program.
- Management’s Assertion: Management must also make an assertion on whether the cybersecurity risk management program controls are effective and meet cybersecurity objectives, and whether the description meets description criteria.
- Practitioner’s Opinion: This element will issue a CPA’s opinion on management’s description and whether the controls in place are effective and achieve cybersecurity objectives.
A SOC for Cybersecurity examination does not report on the details of controls, the list of tests of controls performed, or the results, which is why it is a general use report. A SOC for Cybersecurity examination also does not result in an expressed opinion on compliance with laws and regulations or privacy and processing integrity criteria. It does, though, validate cybersecurity controls that are in support of compliance, privacy, and processing integrity.
Managing cybersecurity risks is challenging, even with a sophisticated cybersecurity risk management program. Organizations should do everything possible to prevent, detect, and mitigate cybersecurity risks. Could your organization benefit from a SOC for Cybersecurity examination? If you’re interested in proactive, voluntary cybersecurity efforts, contact us today.