Cybersecurity issues continue to pose a very real challenge for businesses of all sizes and industries. As threats become more complex and invasive, so too must the measures organizations put in place to safeguard their data. The proliferation of the Internet of Things, cloud-based technologies, and interconnected devices is revolutionizing the way we do business, but it is also increasing our vulnerability.
The American Institute of Certified Public Accountants (AICPA) recently held a cybersecurity advisory and attestation training on the development and implementation of SOC for Cybersecurity – a comprehensive and defined set of criteria created by the AICPA to communicate and evaluate cyber risks to investors.
The need to validate internal cybersecurity controls has become an essential aspect of corporate risk management. Implementing these types of controls is a proven, effective way to build stakeholder and consumer trust, and ultimately confidence.
Jeff Bathurst, Director of SC&H’s Technology Advisory, and Anthony DiGiulian, Principal of the Risk Management and IT Audit Practice, attended the AICPA conference and share their thoughts on SOC for Cybersecurity in the latest edition of the Now to Next podcast series.
If you’d like to learn more about how a SOC for Cybersecurity audit could help your organization better manage risk, contact us.
Welcome to SC&H Group’s Now to Next podcast. Today’s topic is one that is applicable to all business owners, cybersecurity. Organizations are under increasing pressure to demonstrate that they are managing cybersecurity threats and that they have effective processes and controls in place to detect, respond to, mitigate, and recover from breaches and other security events.
The AICPA recently held a cybersecurity advisory and attestation training, which took a deeper dive into this topic. I am here today with Anthony DiGiulian, who is a Principal within our Risk Management and IT Audit practice, as well as Jeff Bathurst, Director of our Technology Advisory Team.
Could you tell us a little bit more about some of the takeaways from the conference and how they are applicable to our listeners?
Anthony: Absolutely. So, I think one of the important takeaways from the training, before we dive a little bit deeper into some of the value-added topics, it really is around the SOC for Cybersecurity Audit that the AICPA recently released. It’s a third-party attestation report that will change the way that organizations really communicate and effectively evaluate their cybersecurity risk management programs to their investors, to boards of directors. It’s the first reporting framework, a third-party attestation, that’s been developed across cybersecurity controls and frameworks.
Previously organizations were focused on implementing and developing cybersecurity controls, but there was no way to really report on the effectiveness of those controls to upper management. So the AICPA has designed this framework for just that purpose and it gives opportunity for consistency across reporting and accountability to those controlling frameworks, whether it’s NIST or ISO or trust services principles. They all have a set of defined criteria that they have to be held to in reporting.
And so it gives organizations of different industries, of different sizes, a consistent way to report on the effectiveness of those controls.
Jeff: Yeah. One of the interesting points of this particular conference was how organizations can leverage fundamental cybersecurity practices, regardless of whether they’re trying to obtain the SOC for cyber attestation, to help improve their security posture. You know, one of the things that we think will come out of this is, as organizations continue to acquire cybersecurity insurance, we think that this SOC for cyber attestation may actually help facilitate the acquisition and standardization of that cybersecurity insurance product.
But one of the things that organizations can take away from this particular standard is around their policies and procedures as well as their personnel. Organizations don’t necessarily have to invest a ton of money in terms of technology products or services, to improve cybersecurity. There’s got to be security health. And I think that’s something that organizations regardless of size, regardless of level of organization maturity, these are things that can be put into place with the help of a technology advisor or an organization who specializes in this to help improve your awareness as well as reduce enterprise risk.
Anthony: Yeah. And similar to what Jeff has mentioned, the SOC for cyber reporting framework is a very mature requirement and we don’t expect mid-level or small organizations to be at a point in their maturity where they’re ready to undergo an audit. But what we really took from the training is what can those organizations do right now? How can those organizations learn from the requirements of this framework to better bring reliability and accountability internally to protect their data and their security?
One of those areas we covered a lot before even going down the path of a SOC for security audit report is to implement an internal risk program. You know, making sure that your framework and your program is well designed, bringing in an organization to perform a risk assessment to really ensure that you have the right people and you have the right controls in place to protect the integrity of your organization data, you know, going forward. And how do you develop that program? What’s the right framework for your organization? And going forward from there there’s a lot of other audits and reviews that are necessary before you even think about going down the path of a formal audit.
Jeff: Yeah. One of the things that is important for folks to understand is that this risk assessment – working with an organization like SC&H – can help an organization identify just what is needed for them to be prudent and to be effective with their cybersecurity posture, because it doesn’t mean the same thing to every organization. You know, for small to medium-sized businesses you may only implement a certain fraction of the controls in order to protect what you identify as valuable information. Information that, if compromised, could be of significant harm to your constituents, your customers, your donors, and your organization.
So, that’s really important for companies to understand, is what has value. And then what do they need to do in terms of their people and their processes, and then, in turn, their technology to help address those concerns. One of the things, for example, organizations can do today is, you know, with respect to employee turnover. You know, every company experiences…are you coordinating your technology department with your HR department to ensure that when people enter the organization, and when they leave the organization or change roles, you are in turn modifying their access to information and data appropriately?
It’s something that’s very simple, but one that’s often missed in an organization and it can lead to information being put in the wrong hands. So, that’s a concrete example of what any size of organization can do as one of their procedures to help improve their posture.
Anthony: Yeah. And it all comes down to program design. How as an organization are you able to implement a program that is sustainable because a lot of the frameworks that are out there today, as you mentioned, their requirements are very lengthy, they’re more than what most organizations in the mid to small size require…
Jeff: Require a ton of overhead.
Anthony: Yeah. But it’s not necessarily the right fit for your organization. So up front doing the right due diligence on program designs you may find this may not be the right approach for you, but pieces of it may be, pieces of ISO. It’s not necessarily that you have to follow one framework from start to finish 100%. If it doesn’t make sense it isn’t applicable to your organization. Finding the right approach up front when you design your cybersecurity risk management program is probably the most critical step at this point for organizations and having, you know, the right level of experience in helping to do that, you know, is probably where a lot of organizations that are smaller and midsized fail, because they’re implementing controls and procedures that are just too difficult to sustain over a long period of time.
Jeff: Yeah. That’s one unfortunate thing around the cybersecurity space, is there’s not a lack of standards regarding information security. But to Anthony’s point, it’s finding a partner who can take those documented standards that are used in global Fortune 50 companies and pare them down to an appropriate solution for your organization. And that’s where, you know, finding the right partner to do that is imperative, because you wanna be, you know, prudent with your resources, with your time, with your money, but you also are responsible…every organization is responsible for protecting the data either of their firm in terms of IP…
Anthony: Or the customer data.
Jeff: Or their customer information whether it’s PII, personal identity information, PHI or health information, credit card transactions, social security numbers, whatever it is that you think that has value that if it was compromised could be a detriment to your organization or to your customers. That’s what you’re responsible for and every organization is responsible for. And that’s where you have to then understand what level of program, what level of risk you have and then what level of remediation and activity you need to implement to address it.
Anthony: And that’s really where I think the AICPA got things right this time around. Is that they’re not forcing organizations into a specific set of criteria. They’re really allowing them the flexibility to figure out what makes the most sense. So, you know, whether it’s NIST, whether it’s ISO or HITRUST, or a combination, organizations, when they’re developing their cybersecurity risk management program, have the option of really creating whatever program makes the most sense for them. And then, you know, describing that program is where the consistency comes in. The description criteria that are included within the actual formal report are consistent no matter what your framework is.
And so, it’s really taking…you know, allowing organizations that flexibility upfront and then bringing them together consistently so that the reporting looks the same across the organizations.
Jeff: Anthony makes a great point. The AICPA did get this right in terms of providing the controls and the frameworks. It’s really up to a company and its technology advisory partner to be able to customize it for that organization. And again, without being concerned about overspending on technology, you really need to focus on what it is that’s appropriate for you, what level of controls you can adopt, what level of controls are actually too onerous to take on. Because we see a lot of organizations where they try to implement these big frameworks and they realize that they’re having to add tremendous overhead in terms of labor, in terms of people, in terms of dollars spent, and in the end, they’re no more protected than they necessarily were if they did nothing. And that’s an extreme example, but we’ve seen it time and time again. And that right fit is, as you pointed out, Anthony, that’s imperative.
Anthony: And there’s a lot of immediate value in the short run even if the SOC for cyber audit report is your long-term goal. What’s different about this than some of the other standards is that the things you have to do now as an organization to put yourself in the place for an audit, they bring immediate value – risk assessments, policy development, whether it’s vulnerability assessments, and penetration testing. A lot of the things that make up a program are things that bring immediate value to an organization. Whether or not you’re getting ready for the audit you’re putting safeguards in place over your data, you know, industry best practice as well.
Jeff: I have one question, Anthony, as it wasn’t covered while I was there at the conference. For SOC for cyber, does it have a SOC 1 or SOC 2 prerequisite attached to it, or is it completely independent?
Anthony: It’s completely independent. Primarily because the focus is on the entity, the organizational data. SOC 1, SOC 2 really are focused on just your client data, so you’re looking primarily at a system or a specific application or business unit, whereas the SOC for cyber is really more organizational entity focused, but there is no Type 1 necessarily. So, you are looking at a period of time, so you do want to assess the operating effectiveness of controls, not just the design. You want to make sure that you have those controls in place and operating…as we mentioned before, the importance of sustainability, being able to provide audit evidence over a period of time that those controls are effective.
Jeff: You know, that’s a really important distinction – SOC for cyber is internally facing. It’s internally focused in terms of your policies, your procedures, your entitlement reviews, your user attestations, your access to data, what are your proactive and reactive activities and procedures regarding the monitoring and control of information, as opposed to, like you said, SOC 1 and SOC 2, which are more client data facing.
Anthony: It’s much more focused for investors, for board of directors, and you mentioned insurance. I think that’s another big one as well that we’ll see down the road…
Jeff: That’ll develop. The cybersecurity insurance issuers are having a challenge with quantifying the policy and the level of liability and coverage, okay. And I think seeing a SOC for cyber attestation might really help move forward in a large leap the standardization of that offer.
Anthony: It’s an added level of confidence…
Jeff: Absolutely. Because now you have something to measure against, because there isn’t official control…
Anthony: And a third-party assessment from a CPA firm is held to a separate level of accountability from the PCAOB or audit standpoint, in that these reviews could be audited as well. So you have that additional level of accountability by having a CPA firm issue these reports.
Jeff: Yeah. The last thing I think I would state on this whole topic is that it’s really important to note that the AICPA is making such a concerted effort to communicate cybersecurity and the cybersecurity programs to its constituents and to its membership. Because it demonstrates and signifies just how seriously the AICPA is taking not just the accounting controls, but also things that can affect accounting controls, like cybersecurity, or even in some cases, I know, specific pieces of technology are being discussed by the AICPA. And I think it’s an indication to the AICPA membership – this is not a plug for them, but I think as a member you benefit greatly by not only understanding the security of the accounting standards, but then things associated with it, like cybersecurity or other technology pieces.
Anthony: And I think that’s driven primarily from, you know, the board of directors, what are they asking about, what are the things that are keeping them up at night, and what are the things that they are concerned about? And, you know…
Jeff: Cyber being number one…
Jeff: …In almost all cases.
Anthony: Right. Exactly. So, how do we give those boards of directors and those investors sufficient accountability and reliability that, as an organization, we’ve got a hold of things, and we can show that through an attestation from a third party.
Download our eBook, “A Comprehensive Guide to SOC Reports,” to learn more about SOC examinations, report types, finding the right auditor, and much more.