With cyberattacks on the rise, organizations are looking at how to best protect client and customer information—and inform stakeholders of the extent and effectiveness of their cybersecurity risk management efforts. This is critical when you consider the cybersecurity community and major media have largely concurred on the prediction that cybercrime damages will cost $6 trillion annually worldwide by 2021. The U.S. certainly is not immune to cybercrimes, with nearly 1,600 data breaches occurring in 2017 alone.
In response to the rising number of cyberattacks, the Association of International CPAs (AICPA) unveiled its voluntary cybersecurity risk management reporting framework in 2017, referred to as System and Organization Controls (SOC) for Cybersecurity. While similar in nature to a SOC 2 report, certain differences, such as intended purpose, intended users, control criteria and content of the practitioner’s report, distinguish the two reports from each other. The new framework gives an organization an avenue to demonstrate that it is managing cybersecurity threats and that it has effective processes and controls in place to mitigate, detect, respond to and recover from a security breach. Rooted in the cybersecurity risk management reporting framework are three components:
- Management’s Description of an Entity’s Cybersecurity Risk Management Program – Management’s comprehensive description of the organization’s cybersecurity risks and the processes and controls in place to mitigate those risks
- Management’s Assertion – Management’s assertion, as of a point in time or for a specified period of time, of the design and operating effectiveness of an organization’s cybersecurity control framework to achieve the entity’s cybersecurity objectives based on the control criteria
- CPA’s Report – Practitioner’s report, containing an opinion, addressing whether management’s description was presented in accordance with the description criteria and whether the controls within the entity’s cybersecurity risk management program were effective
What Should Companies Do to Prepare for SOC for Cybersecurity?
Companies should begin by thoroughly analyzing their current processes and control environment to mitigate the risk of a cybersecurity breach. The "Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program" provides nine categories management should address to thoroughly document their current environment:
- Nature of Business and Operations
- Nature of Information at Risk
- Cybersecurity Risk Management Program Objectives (Cybersecurity Objectives)
- Factors That Have a Significant Effect on Inherent Cybersecurity Risks
- Cybersecurity Risk Governance Structure
- Cybersecurity Risk Assessment Process
- Cybersecurity Communications and the Quality of Cybersecurity Information
- Monitoring of the Cybersecurity Risk Management Program
- Cybersecurity Control Processes
The AICPA provides description criteria implementation guidance with important considerations for each of the nine aforementioned categories. As a company documents its comprehensive description of the organization’s cybersecurity risk management program, it should thoroughly address the applicable additional considerations within each description criterion. Before engaging a practitioner to opine on the organization’s cybersecurity description and control environment, the company may want to engage a CPA firm to help assess its readiness.
The AICPA isn’t the only organization focusing on cybersecurity. In 2014, the National Association of Insurance Commissioners (NAIC) Executive Committee appointed the Cybersecurity (EX) Working Group to serve as the central focus for insurance regulatory activities related to cybersecurity. In 2017, the NAIC adopted the Insurance Data Security Model Law (Model Law), which creates rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach. The Model Law requires insurance companies to establish and maintain cybersecurity programs to protect consumers’ private data. Key components include:
- Maintaining an information security program that’s based on a cybersecurity risk assessment
- Evaluating and addressing cybersecurity risks that are posed by third-party service providers
- Requiring oversight by the company’s board of directors
- Establishing a written incident response plan
- Providing an annual certification of compliance to departments of insurance
- Investigating and providing notice of cybersecurity events to departments of insurance within 72 hours of the event
While meeting the objectives of the AICPA and NAIC’s cybersecurity initiatives can be daunting, cybersecurity advisors are well versed in helping clients prepare. Many public accounting firms, including BKD, have expertise and devote significant resources toward helping companies prevent a cybersecurity breach. Services offered can vary, but generally include:
- Cybersecurity Risk Assessment – Review to identify possible cybersecurity threats
- Review of Management’s Cybersecurity Assessment – Independent evaluation of management’s methodology, documentation and conclusions reached
- Advanced Threat & Vulnerability Testing – Thorough testing to identify vulnerabilities and weaknesses in company networks
- Advanced Social Engineering – Simulated pretext phone calling, spoofing, phishing and physical access attempts and the use of malware and counterfeit websites to obtain confidential information
- Incident Response, Analysis & Investigation – Extracting and analyzing physical and digital evidence to help identify and document key incident information
- Dark Web Reviews – Review of the dark web to assess whether company data may have been compromised
Contact Ricky or visit BKD’s Cybersecurity & IT Risk page for more information on the services BKD offers to help your company with cybersecurity concerns.