When was the Last Time you Assessed your Business’s Cyber-Security Risk? Now is the Time to Get Started by Steve Nouss, CPA, CGMA
Posted on July 20, 2018
The frequency and sophistication of cybersecurity attacks continue to intensify, leaving businesses, governments and not-for-profits with an ever-present risk of falling victim to data breaches. Cyberattacks not only disrupt normal business operations, they also erode public trust and can lead to irreparable reputational damage, loss of customers and intellectual property, litigation, and significant fines and penalties. Even as businesses race to invest in the latest technologies to improve operational efficiencies and protect critical information assets, many still lack a formal program for communicating to stakeholders how effective their cybersecurity risk-management activities actually are. To change this, the American Institute of Certified Public Accountants (AICPA) has developed a standard cybersecurity risk-management reporting framework that entities in any industry, anywhere in the world, can use.
Cybersecurity Risk Management Reporting Framework
The new AICPA Cybersecurity Risk Management Reporting Framework focuses on 19 description criteria that a business must address to demonstrate that it is effectively managing cybersecurity threats and has suitable policies, processes and controls in place to protect data and to detect, respond to, mitigate and recover from a security breach. It builds upon the globally accepted internal control framework established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and is incorporated into the new System and Organization Controls (SOC) reporting guidance, which helps entities build trust with their constituents and document their efforts to protect and secure information and technology. Its intent is to give all of a business's stakeholders, including senior management, members of the board of directors, business partners and customers, documentation that helps them understand how the organization manages its cybersecurity risks and make informed decisions based on it. Investors and analysts may also benefit from this insight into the potential threats to an organization's operational, reporting and/or compliance objectives, which in turn can affect the business's value.
SOC for Cybersecurity examination reports, which must be prepared by certified public accountants (CPAs) to provide an independent and unbiased assessment of a risk-management program's effectiveness, include three sections:
- Management's Assertion, in which management describes the entity's cybersecurity risk-management program and its inherent limitations and asserts that the program's controls are effective;
- Independent Accountant's Report, detailing the entity's risk-management responsibilities, the responsibilities of the accountant preparing the report, and his or her opinion on the entity's program;
- Management's Description of the entity's cybersecurity risk-management program, including details about how the entity "identifies its information assets, the ways in which it manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity's information assets against those risks." An initial report can cover the program "at a point in time"; subsequent reports can cover a longer "period of time," typically 12 months.
Readiness Reviews Provide a Short-Term Cybersecurity Risk Assessment
SOC reports should reduce an entity's communication and compliance burdens, surface control weaknesses before an attacker finds them, and provide a vehicle for sharing this information with a broad range of stakeholders. Nonetheless, businesses that do not want to invest the time or dollars in a full examination and SOC report have a short-term option for evaluating their existing cybersecurity processes and identifying the steps they may need to take to strengthen those controls.
A "readiness review" is a more cursory check-up of the security, availability and confidentiality of an entity's existing information and technology, measured against the more than 230 "points of focus" the AICPA has identified for evaluating the effectiveness of an organization's internal controls. This informal evaluation aims to detect potential weaknesses and identify opportunities to enhance security by applying a broad range of best practices to the design, implementation and operation of a cybersecurity risk-management program that fits the entity's unique needs, objectives and business structure. Because it is a consulting exercise rather than an attestation engagement, a readiness review produces findings and recommendations, not an independent accountant's opinion that can be shared with customers in place of a SOC report.
No longer can the responsibility to protect confidential business data be relegated solely to an information technology expert or a single team. Cybersecurity must be an enterprise-wide priority involving every level of an organization, including senior management, members of the board of directors and even individual employees who regularly connect to the network and have access to an organization’s knowledge base. While it is nearly impossible to eliminate the threat of a cyberattack, businesses can be proactive and take steps to minimize their risk of falling victim to these security breaches and putting their brands and reputations in danger. Time is of the essence.
The professionals with Berkowitz Pollack Brant's Business Consulting Group have deep experience working with businesses to address the rising challenges of cybersecurity risk and helping them instill confidence among their vendors, customers and business partners. The firm has completed the AICPA's cybersecurity certificate training and is registered with the AICPA to provide service organizations with SOC audits and reports that improve transparency and build trust among a service organization's current and prospective customers.
About the Author: Steve Nouss, CPA, CGMA, is a director with Berkowitz Pollack Brant’s Consulting Services practice, where he provides profit-enhancing CFO services, operational reviews, enterprise risk management, internal audit and anti-fraud services for businesses of all sizes. In addition, Nouss is a System and Organization Controls (SOC) specialist who holds AICPA certification in cybersecurity. He can be reached at the CPA firm’s Ft. Lauderdale, Fla., office at (954) 712-7000 or via email at email@example.com.