Recognizing cybersecurity as one of the leading risks facing enterprises, the American Institute of Certified Public Accountants (AICPA) recently released an exposure draft for public comment, “Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program.” The proposed guidance will provide a common language for companies to use in describing their cybersecurity risk management processes, and will serve as the basis for CPAs to examine and report on an entity’s cybersecurity measures. The comment period for this exposure draft runs through December 2016, with final guidance expected to be released in the first quarter of 2017.
Why this is important
The new cyber attestation will give organizations a clearer understanding of the elements of an effective cybersecurity risk management program, and will allow them to report to external stakeholders on their cybersecurity programs with the credibility associated with an independent auditor’s report. The new criteria provide an important framework for organizations to communicate useful information about their cybersecurity risk management programs to stakeholders.
What you need to know
The exposure draft defines the following two elements of subject matter to be addressed in the cybersecurity examination:
- A description of the entity’s cybersecurity risk management program in accordance with the description criteria
- An assessment of the effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives based on the control criteria
The exposure draft lays out nine categories that the entity must address in its cybersecurity description. These categories are intended to provide the reader with a comprehensive understanding of the cybersecurity risks affecting a particular entity and the processes and controls the entity has implemented to address those risks.
- Nature of operations
- Nature of information at risk
- Cybersecurity risk management program objectives
- Inherent risks related to the use of technology
- Cybersecurity risk governance structure
- Cybersecurity risk management process
- Cybersecurity communications and the quality of cybersecurity information
- Monitoring of the cybersecurity risk management program
- Cybersecurity control activities
Within each of the nine categories, the exposure draft identifies more specific description criteria for a total of 32 description criteria that must be addressed.
The exposure draft organizes control criteria and specific points of focus within each of the 32 description criteria. The points of focus are intended to give management guidance and flexibility when describing how its program addresses each criterion. It’s important to note that in preparing its description, management may not need to address every point of focus. The exposure draft recognizes that certain points may “not be suitable or relevant” in every circumstance and that management “may identify and consider other characteristics based on specific circumstances of the entity.” However, the auditor will still need to render an opinion on whether the description is fairly presented in accordance with the description criteria.
Several points within the AICPA’s cybersecurity exposure draft make reference to cybersecurity controls that should be in place. Management should leverage a cybersecurity control framework when implementing cybersecurity controls. The AICPA has also released description criteria via a revised exposure draft of the existing Trust Services Principles and Criteria that could be used as a cybersecurity control framework, or management could use other recognized cybersecurity frameworks if they meet the definition of “suitable criteria.” These controls are necessary to include in the description in order to describe how the entity detects, responds to, mitigates, and recovers from cybersecurity incidents.
How is this different from a SOC 2?
The recently released exposure drafts provide the framework for an entity-wide cybersecurity examination engagement. Beyond the additional description criteria related to cybersecurity, the scope of the cyber attestation would be broader and encompass the entire organization, not just the systems that process customer data. For an organization that already obtains a SOC 2, we anticipate that in many instances the majority of the controls applicable to the SOC 2 would also be applicable to the cyber examination; however, the cyber examination would likely cover a much broader scope and require additional controls as well.
What to do now
- Understand stakeholder expectations for transparency and comprehension of your organization’s cybersecurity measures. Board members, customers, business partners, analysts, investors, and industry regulators may have slightly different perspectives, but all are concerned with cybersecurity. Make sure you factor in the expectations of each type of stakeholder and how you will communicate details of your cybersecurity management program.
- Evaluate the description criteria and your current cybersecurity management program in the context of your ability to address the proposed components.
- Ensure that your organization has adopted a security control framework to help guide the design and implementation of controls to address cybersecurity risks.
- Consider engaging a CPA firm to assess your readiness for a cybersecurity controls examination.
For more information on this topic, or to learn how Baker Tilly cybersecurity and information technology risk practice specialists can help, contact our team.