Rebuilding Trust After a Data Breach

American Perspective on Data Breaches

According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. What’s more, 64% of American adults have experienced data theft via credit card, account number, email account, social media accounts, Social Security number, loan, or tax return compromises. Yahoo, eBay, Equifax, Target, Anthem, Home Depot – it has become habitual to worry about data breaches, identity theft, and other privacy concerns. Why am I being shown this ad? How much does Facebook know about me? Has my data been sold? Is Google tracking me?

At KirkpatrickPrice, we talk a lot about how to prevent a data breach and put a heavy focus on the “before,” rather than the “after.” But, what happens after a data breach has occurred? How can your business recover? Let’s take a look at three advertising campaigns that aim to rebuild trust after a breach.

Facebook Data Scandal

With GDPR enforcement on the rise and data privacy at the top of digital consumers’ minds, the Facebook-Cambridge Analytica data breach has become one of the largest of all time. Out of the 2.2 billion Facebook users, 78 million were impacted by this breach. The data was used to build a software program that predicts, profiles, and influences voter choices. Now that Facebook’s data privacy practices are in the spotlight, more and more questionable practices are coming to light.

The scandal is still unfolding, as Mark Zuckerberg is questioned by Congress and the GDPR enforcement date has officially passed. In an effort to win back user trust, Facebook launched a major advertising campaign, “Here Together,” which promises to protect users from spam, click bait, fake news, and data misuse.

How has the Facebook scandal impacted your use of the platform?

Uber Cover-Up

When Uber announced its breach in 2017, it hit close to home for the millions of drivers and riders who use the app every day. Uber reported that not only did hackers steal 57 million credentials (phone numbers, email addresses, names, and driver’s license numbers) from a third-party cloud-based service, but Uber also kept the data breach secret for more than a year after paying a $100,000 ransom.

The New York Times points out, “The handling of the breach underscores the extent to which Uber executives were willing to go to protect the $70 billion ride-hailing giant’s reputation and business, even at the potential cost of breaking users’ trust and, perhaps more important, state and federal laws.” Uber recognizes that driver and rider trust is the core of their business, and when they announced this cover-up and breach, they knew they’d be facing major backlash.

In response to the breach, Uber began their “Moving Forward” campaign in an effort to rebuild trust. What do you think of this commercial – have they regained your trust? Would you still use the app?

Wells Fargo Incentives

The 2016 Wells Fargo breach was incredibly eye-opening to many consumers because it wasn’t a malicious hacker taking data; it was Wells Fargo. The bank was fined $185 million because of the 5,300 bank employees who created over 1.5 million unauthorized bank and credit card accounts on behalf of unsuspecting customers. Their reason for doing this was incentives; bank employees were rewarded for opening new bank and credit card accounts.

What is Wells Fargo doing now? In an effort to rebuild trust, Wells Fargo completely restructured its incentive plans by ending sales goals for branch bankers. Do you think that firing the 5,300 guilty bank employees and restructuring their incentive program is enough?

We believe that client trust is one of the most valuable benefits of compliance. Undergoing information security audits can help your organization maintain customers and attract new ones, distinguish your business from the rest, avoid fines for non-compliance, and answer to any sort of regulatory body.

How do you perceive this trend of public rebranding – is it convincing? Do you believe that companies like Facebook, Uber, and Wells Fargo have changed enough to rebuild trust?

When Will You See the Benefit of an Audit?

Are you considering going through an information security audit for the first time? Are you contemplating a requirement for all of your vendors to undergo information security audits? Are you looking for an auditing firm who can help your organization utilize the benefits of auditing? Do you need help explaining the value of information security audits to executive management? Are you trying to cultivate a culture of compliance within your organization? We’re here to help.

What are the Advantages to Auditing?

Many people are intimidated by the requirements, price, and efforts of auditing, but we believe the benefits outweigh the cost. Yes, undergoing information security audits is a challenging and time-consuming process for most organizations, but our Information Security Specialists aim to educate clients on the value that attestations and compliance can bring to their business, which range from competitive advantages to reputational improvement. When your organization has completed an information security audit and gained compliance, the challenges you faced will be worth it.

However, getting executives on board with undergoing information security audits can be challenging, because many organizations are fearful of the process. We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off a list rather than understanding the purpose and benefits. At KirkpatrickPrice, we want to be your audit partner, not just an item to check off on a list. We want to walk through this audit lifecycle with you, enhancing your business by placing security and compliance at the forefront of the current threat landscape.

Are you ready to get started on securing your business? Do you want to ensure your security posture is as strong as possible? Do you want to see how your mindset toward auditing can change over a three-year period?

Get the full report now.

SOC for Cybersecurity FAQs

Because most organizations conduct some portion of their business in cyberspace, they open themselves up to a new level of risk. Who they are, what they do, and what information they possess can make businesses targets for malicious attackers. Reputational damage, disruption of business operations, fines, litigation, and loss of business can all be consequences of a cybersecurity attack. It’s more important than ever to demonstrate the extent and effectiveness of your organization’s cybersecurity risk management program. Understanding this, the AICPA created SOC for Cybersecurity, a general use report that describes an organization’s cybersecurity risk management program and verifies the effectiveness of its controls. Take a look at some of the most frequently asked questions about SOC for Cybersecurity.

What is SOC for Cybersecurity?

In April 2017, the AICPA announced a new cybersecurity risk management reporting framework, paired with a market-driven, voluntary SOC for Cybersecurity examination. Because this framework and examination are so new, many still have questions about what it is and if their organization could benefit from it.

What is the Purpose of a SOC for Cybersecurity Report?

A SOC for Cybersecurity report is a general use report that describes an organization’s cybersecurity risk management program and verifies the effectiveness of its controls, which can help stakeholders make informed decisions and can address vendor or supply chain risk management practices.

Who Needs a SOC for Cybersecurity Report?

Any organization that wishes to provide its board of directors, analysts, investors, business partners, industry regulators, or users with perspective and confidence in its cybersecurity risk management program.

How is a SOC for Cybersecurity Report Different than a SOC 1 and SOC 2 Report?

A SOC 1 engagement is an audit of the internal controls at a service organization that may be relevant to their client’s internal control over financial reporting. SOC 2 reports help service organizations cultivate confidence in their service delivery processes and controls, based on the Trust Services Criteria. A SOC for Cybersecurity report, though, fosters confidence in an organization’s cybersecurity risk management program.

Get the answers to all SOC for Cybersecurity FAQs.

What’s the Difference Between SOC for Cybersecurity and SOC 2?

Newest Addition to the SOC Suite

The AICPA recently added a new offering to its SOC suite: SOC for Cybersecurity. The difference between SOC 1, SOC 2, and SOC 3 has always been fairly clear-cut based on factors like internal control over financial reporting, the Trust Services Criteria, and restricted report use. Now, we have a new player in the game.

What’s the Difference Between SOC for Cybersecurity and SOC 2?

How does SOC for Cybersecurity differ from the other SOC reports? Where a SOC 1 is focused on ICFR and is based on the SSAE 18 standard, SOC for Cybersecurity is completely concentrated on cybersecurity risk management programs. SOC 2 is where it gets a little more complicated. In general, SOC for Cybersecurity and SOC 2 engagements have four key differences: purpose and use, audience, report types, and subject matter.

SOC 2 audits help to address any third-party risk concerns by evaluating internal controls, policies, and procedures as they relate to the security, availability, processing integrity, confidentiality, and privacy of a service organization’s systems. SOC 2 compliance is intended to give a wide range of service organizations the information security assurance that they need to address security.

A SOC for Cybersecurity examination is how a CPA can report on an organization’s cybersecurity risk management program. This program is an organization’s set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives. The AICPA’s intent was to provide organizations with a consistent language to report on their cybersecurity efforts and establish a widely-accepted approach for cybersecurity assessments.

Purpose and Use

A SOC for Cybersecurity report communicates information regarding an organization’s cybersecurity risk management efforts, which can give boards of directors, analysts, investors, business partners, industry regulators, and users perspective and confidence in an organization’s cybersecurity risk management program. SOC for Cybersecurity reports are meant to be used during decision-making processes.

SOC 2 compliance can be a major factor in vendor management; no one wants to work with an at-risk vendor. For service organizations wanting to demonstrate their due diligence and information security efforts, a SOC 2 report will communicate how their internal controls are designed and operating.

Audience

SOC for Cybersecurity engagements may be performed for any type of organization, regardless of size or the industry in which it operates. A SOC for Cybersecurity report is for general use, specifically designed to be used by stakeholders, management, directors, analysts, investors, business partners, industry regulators, users, or anyone else whose decisions are directly impacted by the effectiveness of the organization’s cybersecurity controls.

A SOC 2 report is intended for an audience who has prior knowledge and understanding of the system, such as management of a service organization or user entity. In order to communicate the attestation in a SOC 2 report, service organizations must have a SOC 3 report. A SOC 3 does not give a description of the service organization’s system, but can provide interested parties with the auditor’s report on whether an entity maintained effective controls over its systems as they relate to the Trust Services Criteria.

Report Types

When undergoing a SOC 2 audit, a service organization can choose one of two types. Typically, we recommend that service organizations begin with a SOC 2 Type I. A Type I report is an attestation of controls at a service organization at a specific point in time, unlike a Type II, which is an attestation of controls over a period of time. In a Type I, there is no testing of controls, but in a Type II, the auditor will report on the “suitability of the design and operating effectiveness of controls.”

Similar to a SOC 2 Type I, service organizations can choose a design-only SOC for Cybersecurity examination. Design-only examinations do not provide the audience with enough information to assess the effectiveness of cybersecurity controls, only to know the description of the cybersecurity risk management program and the suitability of the design of controls to meet cybersecurity objectives. A service organization may choose to undergo a design-only SOC for Cybersecurity examination if they have not been in operation for a sufficient length of time or if they’ve recently made significant changes to their cybersecurity risk management program.

It’s important to note that in the future, there will be three types of SOC for Cybersecurity report levels to meet all the needs of the market: entity, service provider, and supply chain. The guidance currently available all relates to entity-level engagements.

Subject Matter

The contents of a SOC for Cybersecurity report and a SOC 2 report have a similar structure, but different subject matter. Each report contains management’s description, management’s assertions, and the practitioner’s opinion. In a SOC for Cybersecurity report, each of these components will be related to the entity’s cybersecurity risk management program and the effectiveness of controls to meet cybersecurity objectives. In a SOC 2 report, each of these components will be related to the service organization’s system and the effectiveness of controls as they relate to the Trust Services Criteria.

The main difference to remember between SOC for Cybersecurity and SOC 2 is the reporting on a cybersecurity risk management program versus a system and the Trust Services Criteria. Want more help deciding if a SOC for Cybersecurity engagement is right for your organization? Contact us today.

The Purpose of SOC for Cybersecurity

The Age of Cybersecurity

In today’s world, information systems are incredibly interconnected, but this comes with a price. Because most organizations conduct some portion of their business in cyberspace, they open themselves up to a new level of risk. Who they are, what they do, and what information they possess can make businesses targets for malicious attackers. Reputational damage, disruption of business operations, fines, litigation, and loss of business can all be consequences of a cybersecurity attack. It’s more important than ever to demonstrate the extent and effectiveness of your organization’s cybersecurity risk management program.

The number of senior managers who acknowledge the new risks coming from doing business in cyberspace is increasing every day; we can see that just from the more prevalent use of the term cybersecurity instead of information security. Senior management needs information about their organization’s cybersecurity risk management program in order to meet business and cybersecurity objectives. Boards of directors, analysts, investors, business partners, industry regulators, and users may also ask for this information to fulfill their own oversight responsibilities. But what can senior management provide that outlines the effectiveness of their organization’s cybersecurity risk management program?

The AICPA saw a need in the industry that it could fill: a general use report that describes an organization’s cybersecurity risk management program and verifies the effectiveness of its controls. Thus, SOC for Cybersecurity was created. In April 2017, the AICPA announced its new cybersecurity risk management reporting framework, paired with a market-driven, voluntary SOC for Cybersecurity examination. Could your organization benefit from a SOC for Cybersecurity examination? Let’s find out.

What is the Cybersecurity Risk Management Framework?

Before we dive in deeper, let’s define some terms set out by the AICPA, including:

  • Cybersecurity: The processes and controls implemented to manage cybersecurity risks.
  • Cybersecurity Risks: A subset of information security risks, specifically related to the connection to and use of cyberspace.
  • Cybersecurity Risk Management Program: The set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of an organization’s cybersecurity objectives and to detect, respond to, mitigate, and recover from security events that are not prevented.
  • Cybersecurity Risk Management Framework: A way for CPAs to examine and report on management-prepared information on their cybersecurity risk management program.

If you’ve already implemented a cybersecurity risk management program at your organization, you probably realized that there’s no widely-accepted approach for cybersecurity assessments. You may have found useful information from other frameworks, such as the NIST Cybersecurity Framework or ISO 27001, but piecing together which information is best practice or which applies to your organization is difficult. The AICPA recognized the burden placed on organizations that are trying to develop an effective cybersecurity risk management program. The objective of the AICPA’s new cybersecurity risk management framework is to reduce that compliance burden by providing common criteria for assessing a cybersecurity risk management program’s effectiveness and establishing best practices. This cybersecurity risk management framework is beneficial to a broad range of users, scalable, and evolving alongside the threat landscape.

The cybersecurity risk management framework is a key component of the newest addition to the AICPA’s System and Organization Controls (SOC) suite of services.

What is SOC for Cybersecurity?

A SOC for Cybersecurity examination is how a CPA reports on an organization’s cybersecurity risk management program. Its intent is to communicate information regarding an organization’s cybersecurity risk management efforts, which can give boards of directors, analysts, investors, business partners, industry regulators, and users an entity-wide perspective and confidence in an organization’s cybersecurity risk management program.

A SOC for Cybersecurity examination reports on three elements:

  1. Management’s Description: The management-prepared description of an organization’s cybersecurity risk management program, including key cybersecurity policies and procedures, how the organization manages cybersecurity risks, and how it determines which systems and information are sensitive. This gives readers context and an understanding of the organization’s cybersecurity risk management program.
  2. Management’s Assertion: Management must also make an assertion on whether the cybersecurity risk management program controls are effective and meet cybersecurity objectives, and whether the description meets description criteria.
  3. Practitioner’s Opinion: This element will issue a CPA’s opinion on management’s description and whether the controls in place are effective and achieve cybersecurity objectives.

A SOC for Cybersecurity examination does not report on the details of controls, the list of tests of controls performed, or the results, which is why it is a general use report. A SOC for Cybersecurity examination also does not result in an expressed opinion on compliance with laws and regulations or privacy and processing integrity criteria. It does, though, validate cybersecurity controls that are in support of compliance, privacy, and processing integrity.

Managing cybersecurity risks is challenging, even with a sophisticated cybersecurity risk management program. Organizations should do everything possible to prevent, detect, and mitigate cybersecurity risks. Could your organization benefit from a SOC for Cybersecurity examination? If you’re interested in proactive, voluntary cybersecurity efforts, contact us today.
