Gone are the days when a cyber security breach was breaking news. We have become accustomed, even desensitized, to cyber events, while the losses in our capital markets remain extensive. Not only are cyber security attacks and breaches here to stay for the foreseeable future, but the frequency with which they occur, and the sophistication of the incidents, continue to grow at an accelerated pace. Managing these risks is daunting, as is keeping up with all the new legislation and regulations designed to standardize the ways in which data security and cyber security breaches are managed and reported. That is the bad news. The better news? Addressing cyber security risk is a higher priority now than ever before, with the C-suite and Board of Directors becoming more and more engaged. Since cyber security is an organization-wide problem affecting many areas within an organization, it is essential that it is “owned” by a person or team with the correct line of sight, authority, and access to the board. So what, precisely, is the role of the CFO when it comes to cyber security?
C-suite executives and board members are increasingly finding themselves in a cyber security oversight role, and as such are increasing their involvement in management’s development, implementation, and monitoring of comprehensive, organization-wide cyber security risk programs. Clearly, the CFO is responsible for the fiscal aspects of the organization, including evaluating the processes and controls implemented to ensure that information is produced reliably. Cyber security is often considered by the CFO, but typically only for purposes limited to the amounts in the financial statements and related disclosures. However, beyond financial processes and disclosures, the CFO, a role that is becoming increasingly involved in the organization’s overall digital transformation, must be in tune with the company’s cyber security risk management program. That program should encompass the organization’s entire IT environment, including systems, networks, and related data, and address not only financial reporting needs but also operational and compliance needs, all of which are susceptible to a cyber event. Given that cyber security is an organization-wide endeavor, and that a breach in operations will cause the organization a financial loss, potentially a significant one, the CFO must find a better way to monetize the cyber risks in the enterprise more accurately.
Enter SOC for Cyber Security. In April 2017, the AICPA introduced a new cyber security risk management examination, SOC for Cyber Security, designed to help organizations meet the growing challenge of communicating to interested parties, both internal and external, the design and effectiveness of their cyber security risk management programs. In a SOC for Cyber Security examination, an organization’s cyber security risk management program is defined as the set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the organization’s cyber security objectives, and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.
A SOC for Cyber Security examination assesses management’s description of its cyber security risk management program against the following areas:
- Nature of Operations
- Nature of Information Risk
- Cyber Security Risk Management Program Objectives
- Inherent Risk Related to the use of Technology
- Cyber Security Risk Governance Structure
- Cyber Security Risk Management Process
- Cyber Security Communications and Quality of Cyber Information
- Monitoring of the Cyber Security Risk Management Program
- Cyber Security Control Activities
A SOC for Cyber Security report enables a better understanding of how the organization identifies its information assets, the ways in which the organization manages cyber security risks, and the key security policies and processes implemented and operated to protect the organization’s information assets against these risks.
Once completed, the SOC for Cyber Security report gives stakeholders clear, concise, and relevant cyber security information in a transparent manner, while maintaining the necessary security and confidentiality of the system. For instance, senior management, as well as others within the organization, receive information about the effectiveness of the organization’s cyber security risk management program, including the controls designed, implemented, and operated to mitigate threats against the organization’s sensitive information and systems. Boards of Directors receive information about the cyber security risks facing the organization, as well as the cyber security risk management program implemented by management, which helps them fulfill their oversight responsibilities. SOC reports also include information from independent third-party assessors that helps evaluate management’s effectiveness in mitigating cyber security risks, all of which better positions stakeholders to make informed decisions. As for the CFO and the rest of the C-suite? They now have a tool to help measure and monetize cyber security risk.