SOC for Cybersecurity: An Answer to Leadership’s Cybersecurity Responsibilities
Posted on 11.02.17
By Christopher Moschella, CPA, CISA | Risk Advisory Services Senior Manager | Cybersecurity Team Leader
Business leaders, executives, and directors are understandably uneasy about the state of cybersecurity in their companies. Each week, another company’s good name is dragged through mud by the press on news of a cyberattack. Not only do these organizations spend a great deal of hard-earned money responding to the breach, but the long-term impact of brand damage and lost customers is where most companies feel the biggest hurt.
- Class-action lawsuits against Equifax will reportedly seek as much as $70 billion in damages, which likely exceeds their cyber insurance coverage levels by several thousand percent. In the days following the disclosure of the data breach, Equifax hemorrhaged over 36% of its market capital. As if that wasn’t enough, the press coverage continued as their CEO was hauled before Congress where he faced a firing squad of lawmakers eager to endlessly alternate between wagging and pointing their fingers, further adding to the negative press.
- Deloitte claims that its recent data breach only impacted six clients; however, they are likely to lose at least some of their clients as their brand continues to appear in negative press coverage, especially now that New York’s Attorney General, Eric Schneiderman, probes the breach.
- In another emerging trend that is giving many leaders nightmares that would make Pennywise scream, some executives and directors are being personally targeted through derivative shareholder lawsuits arising out of cyber-attacks. Notably, former Yahoo! executives are being personally sued following their mega-breach of three billion accounts.
These cases and the many others we hear about each week are forcing organizational leaders to the conclusion that they must do more to demonstrate that the organization as a whole and they as individuals are doing enough to guard against the cyber threat.
To do more, they first need a clear understanding of what cyber defenses are in place today and how well they function. But what can and should they do?
The AICPA has an answer.
Recently published and apparently sparing no words in the title, the AICPA’s “Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program,” outlines a standard format for organizations to document and communicate information about their cyber defenses to leaders and other stakeholders.
The Description Criteria’s standardized format is intended to ease the burden on boards and leaders who may need to review a variety of these cybersecurity risk management program descriptions. If they all look the same, they will be easier to parse. Additionally, the standardized format will allow CPA firms with cybersecurity expertise to efficiently assist management in preparing these descriptions while not re-inventing the wheel with each new engagement.
The AICPA recognizes that cybersecurity frameworks, such as the NIST Cybersecurity Framework and CIS Top 20 Controls for Cyber Defense, have proliferated. Different organizations and different industries may use different cybersecurity frameworks to guide their cyber risk management programs. As a result, the AICPA’s new guidance is framework agnostic. It allows organizations to use any framework that is “suitable and available” when describing their cybersecurity risk management program.
Some stakeholders, internal or external, may require additional assurances, beyond the description provided by management, that an independent party has evaluated the cybersecurity risk management program. Again, the AICPA has provided guidance that is not dissimilar from the System and Organization Controls (SOC) audits that CPAs have been performing in some form for decades. Like the popular SOC 1 and SOC 2, this new examination level report is called the SOC for Cybersecurity. Like its siblings, it requires a management assertion that the internal controls within the cybersecurity risk management program are operating effectively. The auditor then tests those controls and issues an opinion covering two areas:
- That management’s description is presented in accordance with the AICPA’s description criteria
- That the controls within the risk management program were effective enough to achieve management’s cybersecurity risk management goals
The AICPA has invested heavily in creating the truly forward-thinking Description Criteria and associated assurance products. They recognize that full-service accounting firms have been deeply involved with organizational information technology controls since Sarbanes-Oxley, and that the firms with a strong IT and cyber skillset are well-equipped to meet many of their clients’ cybersecurity needs. As the cyber threat grows, organizational leaders, officers, and directors will be expected to have taken an active role in the cybersecurity of the organizations they control, and the new products developed by the AICPA appear to be an excellent step towards meeting those expectations.
Our Risk Advisory Services practice is designed to assist companies with the identification of risks that have a significant impact on their business including financial, operational and compliance risks, and with developing sound, cost effective controls to mitigate those risks. We provide integrated services, including SOC audits and cybersecurity services that help public and private companies to identify and manage their risks. Contact us. Our Risk Advisory Services team can help.