Rubin Brown CyberSecurity by Audrey Katcher

RubinBrown_Logo___Source.png

Audrey Katcher, Partner, RubinBrown   audrey.katcher@rubinbrown.com

Organizations are under increasing pressure to demonstrate that they are managing cybersecurity threats, and that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events.   Organizations are being required to demonstrate their cyber and security risk management strengths through independent reporting in order to obtain or retain clients and other supply chain partners.

To address this market need, the AICPA has developed a cybersecurity risk management reporting framework that assists organizations as they communicate relevant and useful information about the effectiveness of their cybersecurity risk management programs. The framework is a key component of a new System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organizations’ enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations’ efforts.

Note, this is a voluntary, market-based solution to enhance executive reporting on cyber security risk from an independent third-party assessor and is based on a robust reporting framework and attestation standards.

Please see below the three levels of information security reporting in SOC framework:

Reporting Level Report Category Intended Audience Benefit
Entity SOC for Cybersecurity

(performed/reported on under consulting or attest standards)

  • Board
  • Management
  • Investor
  • Regular
  • ü  Analysts
Transparency regarding the entity’s cyber risk management
Service Provider SOC2

(New guide coming soon)

  • Business unit management
  • Vendor risk management
  • Accounting / internal audit
  • CISO
  • BCP
Transparency for the services provided, with detail
Supply Chain New guide coming
  • Business unit management
  • Vendor risk management
  • Accounting / internal audit
  • CISO
  • BCP
Transparency for the services provided, with detail

Background

The American Institute of Certified Public Accountants (AICPA) released its guidance relating to a cybersecurity risk management reporting framework on April 26, 2017.

What to do now

See the “What to do now” section in the link below for a further SOC Briefing  and links to the latest guidance.

https://www.rubinbrown.com/article/5326/Focus-on-Cyber-Security-A-New-Cybersecurity-Risk-Management-Reporting-Framework.aspx?articlegroup=1117