A new path for cyber risk management

A new framework that businesses would use to evaluate their cybersecurity risk management programmes is one objective of two exposure drafts issued Monday by the American Institute of CPAs Assurance Services Executive Committee (ASEC).

The proposed frameworks are designed to lead to:

  • A common set of criteria for management to use to design and describe their cybersecurity risk management programmes.
  • The introduction of a new engagement that public accountants will be able to use to serve boards of directors, senior management, and others as they evaluate the effectiveness of an organisation’s cybersecurity risk management programmes. The engagement would be known as a “cybersecurity examination.”

Evolution of technology and the sophistication of hackers have made cybersecurity one of the most important areas of risk management for businesses. More than 95% of CGMA designation holders participating in a 2015 survey said their companies are concerned with the threat of database breaches, distributed denial of service (DDoS) attacks, phishing scams, and other cyberattacks.

The first ED, Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program, proposes a framework that company management would be able to use to design and describe their cybersecurity risk management programme. The proposed framework also would be used by public accounting firms to report on management’s description using the new cybersecurity examination engagements.

The second ED, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, proposes revising the AICPA trust services criteria that public accounting firms use in advisory or attestation services (SOC 2 engagements) to evaluate the controls within an entity’s cyber risk management programme.

Management may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

The proposed frameworks represent an effort by the auditing profession and the AICPA to develop a common foundation for CPAs’ services in response to the growing market demand for information about the effectiveness of cybersecurity risk management programmes.

“Our primary objective is to propose a reporting framework through which organisations can communicate useful information regarding their cybersecurity risk management programmes to stakeholders,” said Sue Coffey, CPA, CGMA, AICPA executive vice president–Public Practice.

The new cybersecurity examination engagement that would be enabled by these frameworks would be voluntary, flexible, and comprehensive. Assisted by the Center for Audit Quality, the AICPA has sought feedback on the proposed engagement from interested groups.

As market conditions evolve, the AICPA will continue to seek input.

“The existence of multiple, disparate frameworks and programmes for evaluating security programmes and their effectiveness, as well as different stakeholders’ preferences for each, has created a chaotic environment that only increases the burden on organisations trying to communicate how they design, implement, and maintain an effective cybersecurity risk management programme,” said Chris K. Halterman, CPA, executive director, advisory services for EY LLP and chair of ASEC’s Cybersecurity Working Group.

Halterman said accountants will benefit from the creation of a uniform, market-driven approach for examining and reporting on measures that entities take to bolster cybersecurity.

Public comments on the EDs are due Dec. 5. Comments about the proposed Description Criteria should be emailed to Mimi Blanco-Best at Comments on the proposed revision of Trust Services Criteria should be emailed to Erin Mackler at

Ken Tysiac ( is a CGMA Magazine editorial director.