It’s Time to Speak the Same Language on Cybersecurity
Recent massive ransomware attacks on organizations around the world demonstrate how disruptive—and in some cases destructive—cyberattacks can be. The “WannaCry” malware incident is just the latest alarm on the ever-urgent call for companies to immediately address and manage their cybersecurity risks. Every organization is susceptible to cyber assaults, making a clearly defined, flexible and robust risk management program essential to a business’s ongoing success.
Addressing an Increasing Market Need
With cyberattacks on the rise, organizations are not only reinforcing their ability to prevent attacks, but also taking steps to demonstrate that they are doing all they can to detect, respond to, mitigate and recover from attacks on a timely basis. Customers, investors, boards of directors and even government officials want to know more about what companies are doing to address cybersecurity.
At the AICPA, we saw the emerging market need several years ago. We recognized that there hasn’t been a consistent, common language for describing and reporting on the cybersecurity risk management programs organizations put in place. This lack of transparency makes it difficult for stakeholders to determine whether an organization’s cybersecurity risk management plan effectively addresses potential threats. We asked our Auditing Standards Board (ASB) and Assurance Services Executive Committee (ASEC) to work together to develop a voluntary, agile, market-driven solution.
Cybersecurity Reporting Framework Creates a Common Language
The AICPA has released a cybersecurity risk management reporting framework developed by a group of ASEC members representing a broad swath of CPA practitioners providing IT security services to clients in a wide range of businesses and industries. The framework consists of a description of the entity’s cybersecurity program prepared by management, a management’s assertion, and a CPA’s opinion. Together with two sets of related criteria, the framework provides a common language for organizations to describe their cybersecurity risk management efforts (in the description) and for CPAs to report on those efforts.
The framework is designed to meet the information needs of a broad range of third-party users. It provides organizations with a common language to use when evaluating and reporting on their cybersecurity efforts, and gives them a level of comfort that they’ve adequately considered best practices when designing, implementing and operating their programs.
Because the framework is aligned with security frameworks and standards organizations frequently use internally to manage their cybersecurity risks, it offers a way for companies in all industries to evaluate and report on the effectiveness of cybersecurity controls, regardless of the security standards or frameworks they use internally.
The Accounting Profession’s Critical Role
The accounting profession plays a vital role in the many facets of cybersecurity risk management, and our reporting framework facilitates this work in the following ways:
- Within their organizations, management accountants can help colleagues understand the importance of the role all staff members play in helping the organization achieve its cybersecurity goals. Management accountants more directly involved with the organization’s cybersecurity efforts can promote awareness and use of the framework as a means of communicating those efforts, both internally and externally, and of evaluating the effectiveness of the organization’s controls in achieving its cybersecurity objectives.
- CPAs can help their clients by providing cybersecurity risk management advisory services, such as an assessment of clients’ cybersecurity readiness to prepare those considering an examination. Of course, the framework is used by CPAs with significant experience assessing IT controls in a cybersecurity examination. As in a financial statement audit, a CPA’s opinion is designed to enhance stakeholders’ confidence in the cybersecurity information prepared by company management.
The AICPA today released the final component of the new cybersecurity risk management framework. Reporting on an Entity’s Cybersecurity Risk Management Program and Controls is the attestation guide for CPAs engaged to examine and report on their client’s cybersecurity risk management programs and controls. The guide presents a new offering to help firms protect clients, their stakeholders and the public interest.
For more information on the AICPA’s cybersecurity risk management reporting framework, visit aicpa.org/cybersecurityriskmanagement. You’ll find the reporting framework’s free description criteria, plus a fact sheet, backgrounder, illustrative report and other valuable free resources. In addition, the site contains links to the framework’s control criteria (2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy).
The AICPA’s cybersecurity risk management reporting framework and related criteria are a critical tool in the arsenal against today’s biggest business threat. Here are just a handful of other existing and upcoming resources to broaden accountants’ understanding of cybersecurity risks and implement the new cybersecurity risk management reporting framework:
- This CGMA Risk Management Tool provides essential information on what companies need to monitor and manage the risk of cybersecurity threats, and respond to potential breaches.
- The Private Companies Practice Section (PCPS) Cybersecurity Toolkit helps firms assess clients’ risk levels and implement the framework.
- This free podcast provides an overview of ransomware attacks and how to mitigate them.
- Various cybersecurity-related sessions at upcoming AICPA conferences address cybersecurity, including AICPA ENGAGE, Not-for-Profit Conference and Governmental Accounting and Auditing Update Conference.
I hope you’ll join me and the rest of the accounting profession in contributing to more effective ways to combat and conquer cyber assaults. Visit aicpa.org/cybersecurity for more information.
Susan S. Coffey, CPA, CGMA, Executive Vice President – Public Practice, Association of International Certified Professional Accountants
Cybersecurity courtesy of Shutterstock.
- Introducing a New Framework for Reporting on Cybersecurity Risk Management
- 5 Emerging Services Set to Transform the Accounting Profession
- 5 Data Backup Gaps and How to Fix Them