Cyberattacks are undoubtedly on the rise. Companies are no longer concerned about whether an attack will occur, but rather when and how their most valuable data will be breached. Increasing in sophistication, today's cyberattacks can impact all areas of an organization for years after the initial attack and can cost millions—if not billions—in damages.

A number of regulations focused on improving cybersecurity programs have been introduced over the past few years, including a recent regulation finalized by the New York Department of Financial Services (NYDFS) requiring banks, insurance companies, and other NYDFS-regulated entities to establish and maintain an effective cyber risk management program. Still, the magnitude of stolen information remains staggering, and the challenges associated with protecting data continue to grow.

Not all cyberattacks are made public, but it seems as though a new breach makes headlines every day. Only recently has a comprehensive framework for reporting cyber risk management activities become available: the American Institute of Certified Public Accountants (AICPA) recently released a new attestation reporting framework intended to help organizations evaluate and report on their cyber risk management programs. Designed to expand cyber-risk reporting to a broad range of internal and external users, including the C-suite and the board, the AICPA's new reporting framework aims to provide in-depth, easily consumable information about an organization's cyber risk management program.

The attestation reporting framework is voluntary. It's intended to establish a common underlying language for cyber risk management reporting and to provide corporate executives, board members, and other key stakeholders with the visibility into the organization's cyber risk management program that they need in order to improve the program's overall effectiveness and address gaps requiring remediation. The cybersecurity reporting framework allows for flexibility in the control criteria used, is appropriate for general use, and can be applicable to any entity, regardless of sector, in contrast with reporting mechanisms like a Service Organization Controls (SOC) 2 report.

Key Elements of the AICPA's Cybersecurity Framework

There are three key elements of the AICPA's cybersecurity attestation reporting framework:

  1. Management's description of the entity's cybersecurity risk management program (the subject matter of the engagement);
  2. Management's assertion on (a) the presentation of the description and (b) the operating effectiveness of the controls to achieve the cybersecurity objectives; and
  3. Practitioners' report on (a) the presentation of the description and (b) the operating effectiveness of the controls to achieve the cybersecurity objectives.

While the decision about which description criteria are applied as part of the framework is more flexible than in other types of attestation reporting (e.g., SOC 2), the description criteria are intended to promote consistency and comparability of cybersecurity information provided by different entities and to arm those charged with governance with the information needed for appropriate oversight. One example of criteria that organizations are able to utilize when adopting the AICPA's cybersecurity attestation reporting framework is the AICPA's Trust Services Criteria (TSC) for Security, Availability, Processing Integrity, Confidentiality, and Privacy. The TSC has been expanded and enhanced as part of the AICPA's cybersecurity attestation reporting framework and can be used when reporting on the organization's cybersecurity program.

Since application of, and adherence to, the reporting framework is voluntary, each organization should consider the benefits to key internal and external stakeholders of receiving a report on the organization's cybersecurity risk management program. Then management can determine the best tool and frequency by which to address stakeholder expectations for greater transparency, as well as the need to provide in-depth information about what the company is doing to address cyber threats and improve responsiveness in the event of an incident.

For many organizations, preparing for a cybersecurity risk management examination would begin by performing a readiness assessment over their cybersecurity risk management program, utilizing the AICPA's cybersecurity attestation reporting framework as the basis.

Cybersecurity at the Organization's Highest Levels

As the complexity of cyber risk management continues to evolve, practices for addressing cyber threats must evolve as well so that organizations are prepared to respond to cybersecurity events faster and more effectively. Data at risk from today's cyber threats includes far more than the personal identifiers (like Social Security numbers), payment data, and personal health information that are commonly front and center in discussions of cybersecurity. In fact, the greatest damage to companies often comes from the less obvious—and sometimes undetected—cyber threats, such as theft of intellectual property, espionage, destruction of data, attacks on core operations, or attempts to disable critical infrastructure. While more difficult to understand and quantify, these business impacts can cause long-lasting damage to a company's brand and reputation, not to mention significant financial damages across the entire organization.

Senior executives and boards are beginning to recognize cybersecurity as an issue critical to business performance, as opposed to an issue for IT to manage alone. As breaches increase in volume, and as the time and cost that it takes to identify, mitigate, and recover from them escalate, cybersecurity has risen to the top of the business agenda, leaving boards demanding greater visibility into their organization's cyber risk management program and expecting to see proof of the program's effectiveness.

Active involvement and oversight from the board can ensure that an organization is paying adequate attention to cyber risk management. The board can help shape expectations for reporting on cyber threats, while also advocating for greater transparency and assurance around the effectiveness of the program.

In companies that implement the AICPA's new attestation reporting framework, boards will have access to information from an independent third-party firm that they can use to objectively evaluate and report on the effectiveness of the company's cyber risk management program to key stakeholders, including investors, analysts, customers, business partners, and regulators. By leveraging this information, boards can challenge management's assertions around the effectiveness of their cyber risk management programs while also credibly communicating any related findings to other key stakeholders.

Cyber Risk Management Examination

A cyber-risk management examination engagement conducted by an independent, AICPA-licensed audit firm can help a company improve the transparency of its approach to cybersecurity, as well as improve operational efficiency by using a single, standardized reporting mechanism.

Because of the rapidly evolving nature of cyber risks and the varying levels of maturity of corporate cyber risk management programs, an organization should consider performing an internal assessment of its readiness for the cyber risk management examination prior to transitioning to an independent third-party attestation. The internal assessment should include the following:

  • Selection of an appropriate cyber control framework such as NIST CSF, ISO 27001, or the AICPA's Trust Services Criteria;
  • Identification of the company's most critical IT assets;
  • Evaluation of the effectiveness of current-state internal controls included within the company's cyber risk management program, leveraging the cyber control framework adopted by management;
  • Identification of potential gaps in, and enhancement opportunities for, key cyber risk processes and related internal controls; and
  • Development of a remediation plan and subsequent execution of key remediation activities.

With the pressure and scrutiny continuing to mount on organizations to report on the effectiveness of their cyber risk management programs and related controls, this type of report can be vital in helping the board effectively fulfill its cybersecurity oversight responsibilities.

Ultimately, building a strong foundation for addressing cybersecurity—before regulatory mandates or a crisis demands it—can provide a strategic competitive advantage for a company by enhancing its brand and reputation. The time to act is now.

——————————————

Gaurav Kumar is a principal in Deloitte & Touche LLP, where he advises clients on managing risk and internal controls, including those around IT risk management, identity access management, and management's corresponding compliance with Sarbanes-Oxley/Model Audit Rule regulations. Kumar currently leads Deloitte's Risk and Financial Advisory services, supporting companies' implementations of the revised COSO framework for the insurance industry, and serves on the American Institute of Certified Public Accountants (AICPA) task force for the development of the cybersecurity risk management attestation reporting framework.

Jeff Schaeffer is a senior manager in Deloitte & Touche LLP with more than 14 years of experience specializing in risk management, corporate governance and compliance, and controls transformation within the financial services industry. In this role, Jeff leads efforts to design companywide processes and controls to support various complex global transformation programs, including working with clients to perform risk assessments across in-scope business processes and systems, design and validate internal control frameworks, identify gaps requiring remediation, and help design governance structures to sustain internal controls programs.
