Managing Cybersecurity Risk: Internal and External Assurance

Transcription

1 Managing Cybersecurity Risk: Internal and External Assurance William Dilla, Ph.D., CPA Union Pacific / Charles B. Handy Professor Chair, Department of Accounting

2 How NOT to manage cybersecurity Source: Rudy Giuliani Says Twitter Sabotaged His Tweet. Actually, He Did It Himself." New York Times. Dec. 5, 2018.

3 What we won t talk about today

4 What we will do today Discuss research by Ivy CoB faculty and others that addresses: Who cares about cybersecurity risk management? What motivates cybersecurity attackers? How do the cybersecurity lines of defense (management, information security specialists, and internal audit) work together? Provide brief a update on external cybersecurity assurance and reporting Complete and discuss a survey about other types of assurance Ivy College of Business

5 First, some definitions Cybersecurity risk management program Addresses threats to achieving an organization s cybersecurity objectives Consistent with three categories of COSO internal control objectives (AICPA, 2017a, SOC for Cybersecurity, ) Operations Reporting Compliance Assurance Internal ISACA calls this a cybersecurity audit (ISACA, 2017) External AICPA SOC refers to cybersecurity risk management assurance

6 Who cares about cybersecurity risk management? Management Customers Investors

7 Do customers really care? Not really Research by ISU faculty member Rui Chen and colleagues (Valecha et al. 2016; ISU News Service, 2018) Examines 2015 data breach at the U.S. Office of Personnel Management Reactions on Twitter proceed through anxiety, anger, and sadness stages Then they taper off, indicating either acceptance of or apathy about the breach

8 Do investors care? Voluntary disclosures about infosec policy have a positive impact on market value (Gordon, et al. 2010; Berkman, et al. 2018) Wang, Kannan, and Ulmer (2011) find that: Firms that disclose security risk-mitigation factors are less likely to report breaches When breaches do occur, risk-mitigating firms have smaller negative market reactions Amir, et al. (2018) find that Disclosed attacks result in an 0.7% decline in equity values, on average Undisclosed attacks result in a 3.6% decline

9 Another reason that management should care Yen, et al. (2018) find that Audit fees are higher after an information security breach The following mitigate the audit fee increase The audit firm s industry experience Big 4 firms Length of audit firm tenure

10 What motivates cybersecurity attackers? Not much objective information out there How do you interview anonymous attackers? MICE framework (Dorminey, et al. 2010, 2012) Money Ideology Coercion Ego / entitlement

11 Do trade secrets increase the risk of attack? Ettredge, Guo, and Li (2018) find that firms with 10-K disclosures of trade secrets are more likely to be breached Results are stronger for Newer firms Firms with fewer employees Firms operating in less concentrated industries

12 Cybersecurity Lines of Defense Research Also in ISACA (2017) Three studies 1. Interviews with IT security managers and internal auditors 2. Survey of IT security professionals about perceived security outcomes 3. Survey of internal auditors, external auditors and consultants about actual security outcomes Ivy College of Business Department of Accounting

13 1. The relationship between internal audit and information security: An exploratory investigation (Steinbart, Raschke, Gal, and Dilla, 2012) Respondents are internal auditors and IT personnel from: Two large state universities One mid-sized private university One for-profit higher ed institution Directing attention to high risk areas; Increased security policy compliance Organization subject to S-OX; Type of communication channel between IA and IS Ivy College of Business Department of Accounting

14 2. Information security professionals perceptions about the relationship between the information security and internal audit functions (Steinbart, Raschke, Gal, and Dilla, 2013, 2014) Information security effectiveness: respondent perceptions of whether information security is improving

15 3. The influence of a good relationship between the internal audit and information security functions on information security outcomes (Steinbart, Raschke, Gal, and Dilla, 2018) Indicators of information security effectiveness Leading Security-related IC weaknesses reported to the Board of Directors Employee non-compliance with IT policies Lagging Security incidents detected and stopped before causing material harm Security incidents detected and stopped after causing material harm

16 Influence of IA / InfoSec Relationship on Outcomes Two types of influence Collaborative detection Knowledge transfer Effects on leading indicators Collaborative detection effect always positive Knowledge transfer may taper off over time Can t make a directional prediction Effects on lagging indicators Should have a positive influence on number of attacks detected before causing material harm Can t make a directional prediction on number of attacks detected after causing material harm

17 What we did Surveyed AICPA IMTA section members: 110 usable responses Internal audit respondents rated their organization s information security program ( A through F ) External audit / consultant respondents were told to respond for a client with either high ( A or B ) or low ( C, D, or F ) quality information security

18 Antecedents of a Good IA / InfoSec Relationship These factors positively influence the IA / InfoSec relationship Whether CISO reports independently of CIO Top management support for information security However, neither has a direct effect on security outcomes

19 Leading indicator results Controls %age of IT Function Time Devoted to InfoSec IA / InfoSec Relationship Quality + Leading InfoSec Quality Indicators + Number of Employees

20 Lagging indicator results Controls Controls IA / InfoSec Relationship Quality + Incidents Detected Prior to Causing Harm + + %age of IT Function Time Devoted to InfoSec Number of Employees IA / InfoSec Relationship Quality + Incidents Detected After Causing Harm - + %age of IT Function Time Devoted to InfoSec Number of Employees Ivy College of Business Department of Accounting

21 Summary All three lines of defense are important in assuring the success of a cybersecurity risk management program Top management indirect effects Facilitate a good relationship between IA and the InfoSec functions Provide adequate resources to IT function for information security

22 Summary Percentage of time spent on information security Does not affect leading indicators Increases number of stopped incidents / decreases number of harmful incidents Relationship between IA and information security Positive influence on leading indicators Increases number of stopped incidents Also increase number of incidents detected after causing harm This is not necessary a bad thing. Why? Results show different roles of InfoSec vs. the IA function

23 External Cybersecurity Assurance AICPA Issued SOC for Cybersecurity May 2017 Intent is to provide an attestation report for a broad range of users Contrasts to SOC2 reports, which are intended for service organization users (AICPA, 2017b) Provider reports on whether: The entity s description of its cybersecurity risk management program is in accordance with the description criteria The controls implemented within the program were suitably designed to achieve the entity s cybersecurity objectives Note the carefully defined scope Compare to PCAOB internal control over financial reporting opinion No real updates since SOC issuance

24 Updated disclosure requirements New SEC (2018) guidance includes Updated disclosure guidelines regarding cybersecurity risks and material events Specifies requirement for disclosure controls and procedures related to cybersecurity Consideration of effects of cybersecurity risks and incidents on financial statements So far, no separate cybersecurity assurance required Center for Audit Quality (CAQ, 2018) has issued a guide regarding current audit implications

25 References AICPA, 2017a, Guide: Reporting on an entity s cybersecurity risk management program and controls. AICPA, 2017b, SOC 2 examination and SOC for Cybersecurity examinations: Understanding the key distinctions. Available at: /cybersecurity/soc-2-vs-cyber-whitepaper-web-final.pdf Amir, E., Levi, S., & Livne, T. (2018). Do firms underreport information on cyber-attacks? Evidence from capital markets. Review of Accounting Studies, Berkman, H., Jona, J., Lee, G., & Soderstrom, N. (2018). Cybersecurity awareness and market valuations. Journal of Accounting and Public Policy. Center for Audit Quality (2018). Cybersecurity risk management oversight: A tool for board members. Available at: Dorminey, J. W., Fleming, A. S., Kranacher, M. J., & Riley Jr, R. A. (2010). Beyond the fraud triangle. The CPA Journal, 80(7), 17. Dorminey, J., Fleming, A. S., Kranacher, M. J., & Riley Jr, R. A. (2012). The evolution of fraud theory. Issues in Accounting Education, 27(2), Ettredge, M., Guo, F., & Li, Y. (2018). Trade secrets and cyber security breaches. Journal of Accounting and Public Policy. Gordon, L. A., Loeb, M. P., & Sohail, T. (2010). Market value of voluntary disclosures concerning information security. MIS quarterly,

26 References ISACA (2017). Auditing Cyber Security: Evaluating Risk and Auditing Controls. Available at: Iowa State University News Service (2018, January 23). Combating data breach fatigue. Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2012). The relationship between internal audit and information security: An exploratory investigation. International Journal of Accounting Information Systems, 13(3), Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2013). Information security professionals' perceptions about the relationship between the information security and internal audit functions. Journal of Information Systems, 27(2), Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2014). Internal Audit s Contribution to the Effectiveness of Information Security (Parts 1 and 2). ISACA Journal, Volumes 2 and 3 Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2018). The influence of a good relationship between the internal audit and information security functions on information security outcomes. Accounting, Organizations and Society. 71, Valecha, R., Bachura, E., Chen, R., & Rao, H. R. (2016, December). An Exploration of Public Reaction to the OPM Data Breach Notifications. In Workshop on E-Business (pp ). Springer. Wang, T., Kannan, K. N., & Ulmer, J. R. (2013). The association between the disclosure and the realization of information security risk factors. Information Systems Research, 24(2),