As a relentless wave of cyberattacks continues, organizations are under intense pressure from key stakeholders and regulators to implement and enhance their cyber security programs to protect customers, employees and the valuable information in their possession. According to research from IBM Security and the Ponemon Institute, the average total cost per company, per event of a data breach is US $3.62 million.¹ Initial damage estimates of a single breach, while often staggering, may not take into account less obvious and often undetectable threats such as theft of intellectual property, espionage, destruction of data, attacks on core operations or attempts to disable critical infrastructure. These effects can last for years and have devastating financial, operational and brand ramifications.
Given the broad regulatory pressures to tighten cyber security controls and the visibility surrounding cyberrisk, a number of proposed regulations focused on improving cyber security risk management programs have been introduced in the United States over the past few years by various governing bodies. One of the more prominent is a recently issued regulation by the New York Department of Financial Services (NYDFS) that prescribes certain minimum cyber security standards for those entities regulated by the NYDFS. Based on the entity’s risk assessment, the NYDFS regulation has specific requirements around data encryption, protection and retention, third-party information security, application security, incident response and breach notification, board reporting, and annual certifications.
However, organizations continue to struggle to report on the overall effectiveness of their cyber security risk management programs. The American Institute of Certified Public Accountants (AICPA) released a new cyber security risk management reporting framework² intended to help organizations expand cyberrisk reporting to a broad range of internal and external users, including the C-suite and the board of directors (BoD). The AICPA’s new reporting framework is designed to address the need for greater stakeholder transparency by providing in-depth, easily consumable information about an organization’s cyberrisk management program. The cyber security risk management examination uses an independent, objective reporting approach and employs broader and more flexible criteria. For example, it allows for the selection and utilization of any suitable, available control framework in establishing the entity’s cyber security objectives and in developing and maintaining controls within the entity’s cyber security risk management program—whether it is the US National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, the International Organization for Standardization (ISO)’s ISO 27001/2 and related frameworks, or internally developed frameworks based on a combination of sources. The examination is voluntary and applies to all types of entities, but it should be considered a leading practice that provides the C-suite, boards and other key stakeholders clear insight into an organization’s cyber security program and identifies gaps or pitfalls that leave organizations vulnerable.
Who can benefit from a cyber security risk management examination report? Such a report can be vital in helping an organization’s BoD establish appropriate oversight of a company’s cyber security risk program and credibly communicate its effectiveness to stakeholders, including investors, analysts, customers, business partners and regulators (figure 1). By leveraging this information, boards can challenge management’s assertions around the effectiveness of their cyberrisk management programs and drive more effective decision making. Active involvement and oversight from the BoD can help ensure that an organization is paying adequate attention to cyberrisk management. The board can help shape expectations for reporting on cyberthreats while also advocating for greater transparency and assurance around the effectiveness of the program.
Organizations that choose to utilize the AICPA’s cyber security attestation reporting framework and perform an examination of their cyber security program may be better positioned to gain competitive advantage and enhance their brand in the marketplace. For example, an outsource service provider (OSP) that is able to provide evidence that a well-developed and sound cyber security risk management program is in place in its organization can proactively provide the report to current and potential customers, evidencing that it has implemented appropriate controls to protect the sensitive IT assets and valuable data to which it maintains access. At the same time, current and potential customers of an OSP want the third parties with whom they engage to also place a high level of importance on cyber security. Requiring a cyber security examination report as part of the selection criteria would offer transparency into outsourcers’ cyber security programs and could be a determining factor in the selection process.
Insurance carriers that write cyberinsurance policies could use information from customers’ cyber security examination reports during the underwriting and risk assessment process to help them evaluate the company’s risk posture and potential exposure by more effectively determining coverage needs. They could further use the information to enhance their competitive advantage by potentially offering benefits to customers that demonstrate an effective cyber security program. Conversely, customers and prospects could leverage their own cyber security examination reports to demand better pricing on cyberinsurance policies based on their preparedness in the event of a cyberattack.
The value of addressing cyber security concerns and questions by conducting a cyber security risk management examination before regulatory mandates are established or a crisis occurs is quite clear. Organizations can view the new cyber security attestation reporting framework as an opportunity to enhance their existing cyber security programs and gain competitive advantage. The attestation reporting framework addresses the needs of a variety of key stakeholder groups and, in turn, limits the communication and compliance burden. Organizations that view the cyber security reporting landscape as an opportunity can use it to lead, navigate and disrupt in today’s rapidly evolving cyberrisk environment.
Endnotes
¹ Ponemon Institute, 2017 Cost of Data Breach Study, IBM Security, June 2017, http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN
² American Institute of Certified Public Accountants, System and Organization Controls for Cybersecurity, USA, 2017, www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPACybersecurityInitiative.aspx
Sandra Herrygers
Is a partner at Deloitte & Touche LLP and is the global assurance leader.
Gaurav Kumar
Is a principal at Deloitte & Touche LLP, specializing in assurance and risk and controls transformation services.
Jeff Schaeffer
Is a managing director at Deloitte & Touche LLP, specializing in risk management, corporate governance, and compliance and controls transformation within the financial services industry.
Disclaimer
This article contains general information only and Deloitte is not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this article.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2017 Deloitte Development LLC. All rights reserved.