The value of visibility. Cybersecurity risk management examination

Similar documents
SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

SOC for cybersecurity

Standing Together for Financial Industry Resilience Quantum Dawn 3 After-Action Report. November 19, 2015

Headline Verdana Bold

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Exploring Emerging Cyber Attest Requirements

The Deloitte-NASCIO Cybersecurity Study Insights from

Focusing the lens on cyber reporting The AICPA cybersecurity risk management examination one year later

Cybersecurity and the role of internal audit An urgent call to action

Achieving third-party reporting proficiency with SOC 2+

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

ISACA Cincinnati Chapter March Meeting

Cyber Security is it a boardroom issue?

Anticipating the wider business impact of a cyber breach in the health care industry

Cyber Risks in the Boardroom Conference

Standing Together for Financial Industry Resilience Quantum Dawn IV after-action report June 2018

Cyber Security Incident Response Fighting Fire with Fire

MITIGATE CYBER ATTACK RISK

Governing cyber security risk: It s time to take it seriously Seven principles for Boards and Investors

Cybersecurity and Data Protection Developments

Risk-based security in practice Turning information into smart screening. October 2014

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

SOLUTION BRIEF Virtual CISO

Building a BC/DR Control Library and Regulatory Response Program

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Are we breached? Deloitte's Cyber Threat Hunting

INTELLIGENCE DRIVEN GRC FOR SECURITY

CENTER for REGULATORY STRATEGY AMERICAS. Global cybersecurity compliance integrity A daunting but manageable challenge

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification

NOW IS THE TIME. to secure our future

Run the business. Not the risks.

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Cybersecurity & Privacy Enhancements

Building and Testing an Effective Incident Response Plan

Achieving effective risk management and continuous compliance with Deloitte and SAP

Cyber Security and Cyber Fraud

Cybersecurity and the Board of Directors

Addressing Cybersecurity Risk

M&A Cyber Security Due Diligence

Peer Collaboration The Next Best Practice for Third Party Risk Management

Cybersecurity The Evolving Landscape

Why you should adopt the NIST Cybersecurity Framework

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

Effective Cyber Incident Response in Insurance Companies

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Cyber Incident Response. Prepare for the inevitable. Respond to evolving threats. Recover rapidly. Cyber Incident Response

CYBER RESILIENCE & INCIDENT RESPONSE

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Adopting SSAE 18 for SOC 1 reports

GDPR: A QUICK OVERVIEW

Cybersecurity in Higher Ed

From Dabbling to Doing The Age of the Intuitive Enterprise

CFOs in a new global environment Sandy Cockrell, Deloitte

DHS Cybersecurity: Services for State and Local Officials. February 2017

Cybersecurity Fortification Initiative (CFI) infrastructure whitepaper

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SECURITY CODE. Responsible Care. American Chemistry Council. 7 April 2011

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

Turning Risk into Advantage

Customer Breach Support A Deloitte managed service. Notifying, supporting and protecting your customers through a data breach

Cyber Partnership Blueprint: An Outline

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

ISO 27001:2013 certification

Cybersecurity and the role of internal audit An urgent call to action

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

Emerging Technologies The risks they pose to your organisations

Webcast title in Verdana Regular

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Safeguarding unclassified controlled technical information (UCTI)

Sage Data Security Services Directory

Risk Advisory Academy Training Brochure

Security and Privacy Governance Program Guidelines

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Developing your GDPR response for competitive advantage. EU General Data Protection Regulation (GDPR)

Big data privacy in Australia

State of South Carolina Interim Security Assessment

Financial Regulations, Enforcement & Cybersecurity

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Demonstrating Compliance in the Financial Services Industry with Veriato

falanx Cyber ISO 27001: How and why your organisation should get certified

The SOC 2 Compliance Handbook:

Rethinking Information Security Risk Management CRM002

EY s Data Privacy Services. January 2019

Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy

NCSF Foundation Certification

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Transcription:

The value of visibility Cybersecurity risk management examination

Welcome to the "new normal" Cyberattacks are inevitable. In fact, it s no longer a question of if a breach will occur but when. Cybercriminals are becoming more sophisticated and the cost of cybercrime is becoming increasingly intolerable. And stakeholders including boards, regulators, investors, analysts, business partners, and customers expect greater visibility into an organization s cybersecurity risk management program. Taking a cursory look at what your organization is doing today to guard against cyberattacks is no longer enough to prove the readiness of your program and the effectiveness of your controls and processes. That alone should be reason enough to act. But taking a proactive approach to cyber preparedness offers additional benefits beyond providing stakeholders with reasonable assurance that your risk management program is both designed appropriately and operating effectively. It s a means to help your stakeholders gain confidence and improve business performance as well. Implementing a sound cybersecurity risk management program is essential to protecting your brand. It s also critical for advancing your brand in the marketplace by empowering executives, including boards and audit committees, to make better informed and strategic decisions. Such a program can give your organization a jump in addressing mounting regulatory requirements regarding cybersecurity risk management reporting. (See the sidebar, Regulation on the horizon. ) In short, when it comes to evaluating and reporting on your organization s cybersecurity risk management program and related controls, greater transparency and uniformity is becoming the new normal. Regulation on the horizon A number of regulations are being developed in parallel with the AICPA s cybersecurity examination guidance. (See Figure 1.) The NYDFS is a recent participant in this movement, having issued a cybersecurity proposal on September 13, 2016. Among other actions, the proposed regulation would require banks, insurance companies, and other NYDFS-regulated entities to establish a cybersecurity program, adopt a written cybersecurity policy, and designate a chief information security officer, who must report to the board at least biannually to provide an assessment of the information systems. The NYDFS s proposal is just one example of increasingly broad regulatory pressure to tighten controls and visibility around cyber risks. Figure 1. Recent US regulatory and compliance drivers Proposed legislation to amend Sarbanes- Oxley (SOX) to expand internal controls reports and disclosures to include cybersecurity The Cybersecurity National Action Plan puts a particular emphasis on protecting not only governmental systems but also private sector systems The Federal Financial Institutions Examination Council (FFIEC) release of a Cybersecurity Assessment Tool (CAT) The Office of Foreign Assets Control s (OFAC) released sanctions regime to persons pursuing cyberenabled activities 2015 Executive Order Blocking the Property of Persons Engaging in Significant Malicious Cyber-Enabled Activities The Commodity Futures Trading Commission (CFTC) proposed rules governing the testing of cybersecurity capabilities of certain regulated entities The Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Risk Management Examination Initiative to assess cybersecurity preparedness in the securities industry New York State Department of Financial Services (DFS) proposed cybersecurity regulation Cybersecurity Information Sharing Act (CISA) of 2015 to promote sharing of cyber threat information between private business and the government 2

There s no single approach for providing this level of transparency and uniformity today. Therefore, a new standard one that goes well beyond the types of reports and mechanisms currently available is needed to gain visibility into an organization s cybersecurity risk management practices. (See the sidebar, A closer look: Cybersecurity risk management examination versus SOC 2 engagement. ) In response to stakeholders increasing need to know about cybersecurity preparedness, the American Institute of Certified Public Accountants (AICPA) is developing new attestation guidance that focuses on evaluating and reporting on an entity s cybersecurity risk management program.¹ The proposed cybersecurity risk management examination is intended to expand reporting to address stakeholder expectations for greater transparency, providing in-depth information about what a company is doing to address cyber threats and improve responsiveness in the event of an incident. (See the sidebar, Satisfying the needs of a variety of users. ) A closer look: Cybersecurity risk management examination versus SOC 2 engagement While the AICPA governs both the SOC 2 engagement and the proposed AICPA cybersecurity risk management examination engagement, there are distinct differences between the two. In general, the proposed cybersecurity risk management examination, which applies to the management of any entity and is appropriate for general use, will be broader and more robust than a SOC 2 examination. A SOC 2 examination applies to the management of a service organization and can only be distributed to certain parties. The following table further articulates these and other distinctions: Purpose Cybersecurity risk management examination engagement Provide a variety of users with information about an entity s cybersecurity risk management program SOC 2 engagement To provide existing or prospective customers (system users) with information about controls at a service organization related to the Trust Services Criteria Intended users Management, directors, regulators, analysts, and third parties Management of the service organization and other specified parties with sufficient knowledge and understanding of the system Criteria Flexible (National Institute of Standards and Technology s Cybersecurity Framework - NIST CSF, 800-53, ISO 27001, Revised Trust Services Criteria, etc.) Trust Services Criteria Responsible party Management of any entity Management of a service organization Appropriate for general use? Yes No Report contents Description of the cybersecurity risk management program, management assertion, practitioners opinion Description of the service organization s system, management assertion, practitioners opinion, description of tests of controls and results ¹ AICPA Cyber Security Initiative, American Institute of Certified Public Accountants, http://www.aicpa.org/interestareas/frc/ assuranceadvisoryservices/pages/aicpacybersecurityinitiative.aspx 3

Mind the gap In their risk oversight role, boards today are using a variety of cyber risk monitoring and reporting mechanisms, such as risk and control self-assessments, internal audits, and cyber crisis simulations. But these mechanisms only partially meet the needs of an ever-growing audience of stakeholders, and they may not provide adequate visibility and enough relevant information for both internal and external parties to make well-informed decisions about an organization s cyber risk posture. The proposed AICPA cybersecurity risk management examination engagement aims to address this information gap through independent and objective reporting on the effectiveness of cyber security processes and controls throughout an organization. These reports, which will describe and assess a company s efforts to manage cybersecurity risk, won t completely replace existing mechanisms, nor will they provide guarantees that an organization won t be breached in the future. But they will use broader and more flexible criteria, provide greater objectivity, and be more widely distributable. They will also be more flexible in scope, and they can be conducted for certain business units or segments. These characteristics are relevant to various stakeholders, including the C-suite and the board. A cybersecurity risk management examination may offer a number of potential benefits, such as: Greater stakeholder transparency into the effectiveness of an organization s cybersecurity risk management program Independent and objective reporting, providing a higher degree of assurance to key stakeholders Greater economic value for users of the report, as obtaining more and higher quality information about an organization s cyber risk management program can drive better informed and strategic decisions Strategic competitive advantage and enhancement of the organization s brand and reputation in the marketplace, obtained by proactively establishing a strong foundation for addressing cybersecurity, before protocols are mandated by regulation or a crisis hits Operational efficiencies derived from a single reporting mechanism that addresses the information needs of a broad range of users Directors don t need to be technologists to play an effective role in cyberrisk oversight but every board can take the opportunity to improve the effectiveness of their cyber-oversight practices. NACD Director's Handbook on Cyber-Risk Oversight, National Association of Corporate Directors (NACD), 2017 4

Satisfying the needs of a variety of users The proposed AICPA cybersecurity risk management examination engagement guidance is being developed to establish a standardized reporting mechanism. This mechanism is designed to provide a broad range of users with valuable information about an entity s cybersecurity risk management program to support informed decision making. Internal stakeholders. Boards, audit committees, and management have an important oversight role relative to cybersecurity. They need to understand a company s cybersecurity risk posture, monitor ongoing compliance with internal and external requirements and regulations, and gauge the effectiveness of cybersecurity controls. do this, they need in-depth information about its cybersecurity risk management processes and controls. Media/general public. Cyberattacks, which continue to be high-profile and costly for companies, have become a mainstream media issue. The media and the public alike are asking companies about their cybersecurity environments, including any history of breaches, preparedness to respond to the current threat environment, and potential impacts upon customers. Investors and analysts. The financial impact of cyberattacks and the perception of how well executives are managing cybersecurity risks can affect investor and analyst behavior and, potentially, their confidence. Regulators/federal agencies. Companies will need to demonstrate to regulators that they re complying with applicable cybersecurity laws, regulations, and guidance (e.g., New York Department of Financial Services (NYDFS), Executive Order 13636²). Existing and prospective clients. Existing and potential clients of service organizations want to be sure they re engaging an organization that takes cybersecurity seriously, including addressing the cybersecurity risks inherent in outsourcing functions to a third party. Vendors and business partners. Vendors and business partners want to be able to assess and manage the risk to their business operations when working with a particular company. To ² New York State Department of Financial Services Proposed 23 NYCRR 500, http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf 5

Ready or not, here it comes The exact timeline has yet to be determined. But the final cybersecurity risk management examination engagement guidance is coming, and organizations should begin to prepare now to gain maximum competitive advantage. This advantage will diminish over time, as the visibility afforded by the examination transitions from a differentiating benefit to a must-have. Every organization is at a different place when it comes to the maturity of its cybersecurity risk management program. In addition, the nature and magnitude of cyber risks are continuously evolving and so are practices for staying ahead of these threats. That s why it s important to understand where you stand today by proactively investing in a readiness assessment. This assessment can help you gauge the maturity of your controls and processes and determine how well they re functioning across multiple security domains. More specifically, it can help you select an appropriate cyber-control framework, identify gaps, highlight improvement opportunities, and develop a remediation plan. (See Figure 2.) Figure 2. Recommended approach for performing a readiness assessment 6

Under the proposed cybersecurity examination engagement guidance, an organization should be able to demonstrate that its cybersecurity risk management program has been designed to mitigate risk to a level that s acceptable to a broad range of stakeholders. While a sound governance structure is the glue that holds a cybersecurity risk management program together, an active board and engaged leadership must supply the energy to enliven it. This means holding the organization accountable and helping to shape expectations for improved cybersecurity risk management reporting. Without both structure and oversight, a cybersecurity risk management program will fall short of its full potential to deliver the visibility expected by stakeholders and create value by aligning with corporate strategy and elevating business performance. Imagine a world in which all types of entities could convey the effectiveness of their cybersecurity risk management in a standardized, non-technical way, appropriate to each entity s size and other business characteristics. Think about the power of such assurance. Boards, shareholders, customers, counterparties, and regulators could gauge the relative effectiveness of organizations cybersecurity and resiliency. If done right with independence, objectivity, appropriate expertise, and professional skepticism such an assurance process would be a vehicle by which greater cybersecurity and resilience could be achieved. Remarks by Deputy Secretary Sarah Bloom Raskin at the Public Company Accounting Oversight Board International Institute on Audit Regulation, December 14, 2016 7

Get ahead of the curve Starting on a cybersecurity examination readiness assessment today can help your organization understand the current state of its cybersecurity risk management program and be better prepared for a future state examination. It can also put you ahead of the curve in addressing the requirements of expanding regulations around cybersecurity risk management reporting. Such an assessment serves to both protect and create value by improving operational efficiencies and strengthening brand image helping your stakeholders gain confidence and obtain reliable information to support informed and strategic decision making. The cyber threat landscape remains exceptionally complex, and your organization s brand and reputation are at stake. The time to act is now. 8

Contacts Sandy Herrygers Partner Deloitte Risk and Financial Advisory Deloitte & Touche LLP sherrygers@deloitte.com +1 313 396 3475 Gaurav (GK) Kumar Principal Deloitte Risk and Financial Advisory Deloitte & Touche LLP gukumar@deloitte.com +1 212 436 2745 John Clark Partner Deloitte Risk and Financial Advisory Deloitte & Touche LLP johclark@deloitte.com +1 312 486 3985 Jeff Schaeffer Managing Director Deloitte Risk and Financial Advisory Deloitte & Touche LLP jschaeffer@deloitte.com +1 973 602 5518 9

This document contains general information only and Deloitte Advisory is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte Advisory shall not be responsible for any loss sustained by any person who relies on this document. As used in this document, Deloitte Advisory means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright 2017 Deloitte Development LLC. All rights reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback