In recent months, sweeping global cyberattacks have taken thousands of businesses offline, compromising valuable data and blocking access to critical services and information assets. If it wasn’t clear before, it is now: cybersecurity is a business imperative with direct implications for overall company value. Yet until this spring there was no common language or benchmark for cybersecurity, which raised a basic question: how do you quantify and communicate your cybersecurity risk in a meaningful way?
Enter the AICPA’s cybersecurity risk management reporting framework. Unveiled in April, the framework is intended to standardize the way organizations define their cybersecurity objectives and report against those standards in a format that works for all stakeholders.
At BDO, we work with clients to leverage the reporting framework in two key ways:
1) to design and assess a comprehensive cybersecurity risk management program, taking into account industry best practices and regulatory requirements; and
2) to undertake an examination-level attestation engagement, known as a SOC (system and organization controls) for cybersecurity examination.
BDO has been providing advisory services on cybersecurity strategy and risk management for some time. Before the new AICPA cybersecurity engagement guidance was even released, client questions started rolling in—how do we evaluate our cybersecurity risk management program? How do we talk with our board about it? What can we do to convince our clients and investors their data is safe with us?
Although a number of strong frameworks and standards have been in the cybersecurity space for some time, they are designed for an IT-savvy audience and are difficult for nontechnical stakeholders to understand. Unlike other frameworks, the AICPA’s reporting framework was designed to enable users to compare an entity’s cybersecurity efforts to that of other organizations while maintaining a degree of flexibility.
BDO uses the AICPA’s reporting framework when performing a SOC for Cybersecurity examination, which takes an enterprise-wide look at cybersecurity risk management, as opposed to focusing in on system controls relevant only to a service provided to an outside party. A SOC for Cybersecurity examination is a natural extension of the work CPAs are already trained to do: We look at controls and processes and quantify risk in a standardized way. In our traditional attestation work, we’re already assessing cybersecurity risk in terms of the potential financial impacts. Now, we’re looking a level deeper, examining cybersecurity controls not just in terms of financial risk, but to the extent that they can help the entity achieve its cybersecurity objectives.
Many companies will find they haven’t yet reached the level of maturity necessary to receive an unqualified opinion in a SOC for Cybersecurity examination—which is why we recommend most companies start with an internal readiness assessment before undertaking that engagement. An internal readiness assessment gives companies a snapshot of their current overall cybersecurity health—for example, whether their cybersecurity controls align with their overarching cybersecurity objectives, if resources are concentrated in the right places, and whether there are gaps in their existing controls that need to be remediated. After performing the internal assessment, we work with the organization to develop remediation strategies or to reprioritize cybersecurity investments as needed, and communicate those changes across the organization.
In addition to SOC for Cybersecurity, the AICPA has announced plans to address other system and organization controls (SOC) engagements. First, the AICPA is in the process of updating the SOC 2® Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy, to align it with the clarified attestation standards and with the 2017 Trust Services Criteria, which serve as the measurement criteria for the engagement. The SOC 2 guide is expected to be issued by year end.
Second, the AICPA is developing a new attestation examination and related guide addressing vendor supply-chain cybersecurity risk. It will enable CPAs to examine and report on controls relevant to the security, availability, information processing, confidentiality, and privacy of manufacturers and distributors, so that entities who use their services can assess the risks in their supply chain and distribution networks. The vendor/supply chain guide is expected to be issued in 2018.
We see the AICPA’s SOC for Cybersecurity examination, which is performed using the cybersecurity reporting framework, as the beginning of a rapidly growing new practice, bringing together the discipline of an auditor with the tech savvy of our cybersecurity professionals. Firms can explore this opportunity by accessing the AICPA’s Private Companies Practice Section (PCPS) Building a Cybersecurity Practice toolkit. You’ll find resources that help you assess clients’ cybersecurity needs.
To find the AICPA’s cybersecurity risk management reporting framework, visit aicpa.org/cybersecurityriskmanagement. For more information on cybersecurity, visit the AICPA’s Cybersecurity Resource Center at aicpa.org/cybersecurity.
Jeff Ward heads BDO’s AICPA SOC for Cybersecurity/Third-Party Attestation National Practice and is a member of the AICPA’s Assurance Services Executive Committee’s (ASEC) Cybersecurity Working Group, which developed the new cybersecurity risk management reporting framework.
Gregg Garrett is the Head of International Cybersecurity in BDO’s Technology and Business Transformation Services practice.