Viewing cyber-security through a COSO lens

Cyber-security is a constant source of concern for businesses as high-profile breaches make headlines almost daily.

Nation states, organised crime, hacktivists, and even terrorists have demonstrated the ability to compromise technology and systems used by businesses as well as individuals.

A new report released Wednesday, COSO in the Cyber Age, describes how the popular internal control framework updated in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) can help organisations evaluate and manage cyber-risks.

Cyber-security can be viewed through the lens of the principles of the COSO framework, according to the report, in some of the following ways:

Principle 6: Organisations specify objectives with sufficient clarity to enable the identification of risks relating to objectives. In applying this principle, management can determine the levels of risk tolerance acceptable to the organisation and focus on protecting the most critical information systems.

Principle 7: The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed, and Principle 8: The organisation considers the potential for fraud in assessing risks to the achievement of objectives. Senior management, business, and IT personnel evaluate risks in the application of these two principles. They must understand what information systems are valuable to potential cyber-attackers and understand how these attacks are likely to occur.

Principle 9: The organisation identifies and assesses changes that could significantly impact the system of internal control. Updating risk assessments on a continuous basis to reflect changes that could impact cyber controls is a key to applying this principle.

Principles 10, 11, and 12: In following these principles, the organisation selects, develops, and deploys control activities. Careful design and implementation of appropriate controls – after consideration of likely attack methods used by hackers – can help fulfil these principles.

Principle 13: The organisation obtains or generates and uses relevant, quality information to support the functioning of internal control. Formally documenting information requirements – and the related risk analysis and response – can help make sure that processes and controls will be executed consistently.

Principle 14: The organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Effective communications will educate all personnel on their responsibilities, as well as those responsible for managing cyber-risks, and the board of directors.

The report also suggests that organisations should ask:

• Are we focused on the right things?
• Are we proactive or reactive?
• Are we adapting to change?
• Do we have the right talent?
• Are we incentivising openness and collaboration?
• Can executive management articulate its cyber-risks and explain its approach and response to such risks?

“There is growing concern at all levels of industry about the challenges posed by cyber-crime,” COSO Chairman Robert Hirth said in a news release. “This new guidance helps put organisations on the right path toward confronting and managing the frightening number of cyber-attacks.”

COSO is a joint initiative of five private-sector organisations dedicated to providing thought leadership on enterprise risk management, internal control, and fraud deterrence. The American Institute of CPAs is a member of COSO.

—Ken Tysiac (ktysiac@aicpa.org) is a CGMA Magazine editorial director.