Last April, the AICPA introduced a new tool for risk management: the SOC for Cybersecurity examination and report. Included in this was the cybersecurity risk management reporting framework, which was meant to standardize risk mitigation efforts across organizations.
Although the exam is not mandatory, the main goal of the release was to enable anyone with access to private information (PI) to start taking a proactive approach to protecting it and to begin incorporating cybersecurity risk management. In this blog post, we will introduce the SOC report by running through four W’s (who, what, when and why) and let you make an informed decision as to whether it is right for your organization.
Who is it meant for?
In contrast to previous releases, the SOC for Cybersecurity report is not tailored specifically to service organizations. In an effort to standardize cybersecurity frameworks across the board, the AICPA designed the new SOC report as a useful tool for any type of organization looking to exhibit its controls. With regard to its intended users, the SOC for Cybersecurity is also not as confidential as the SOC 2 report and is instead designed to be accessible by a broad audience. It is most useful for anyone attempting to ensure or prove that their organization has proper controls in place, such as the board of directors, top executives, and especially CFOs and CROs. It is also largely accessible to external users looking to examine such controls, such as investors, analysts, regulators, customers, and potential creditors.
What is it?
By definition, the SOC for Cybersecurity is a reporting framework through which organizations can communicate relevant information about the effectiveness of their cybersecurity risk management programs (CRMPs). In practice, this allows organizations to better understand, and better report on, their cybersecurity controls by establishing transparency into their policies. The report consists of the following three main components:
- Management’s Assertion – Management provides insight into the goal of the report as well as their own role in maintaining oversight of cybersecurity
- Practitioner’s Report – Auditor expresses an opinion on management’s assertion
- Management’s Description of the Cybersecurity Risk Management Program – Management provides a specific description of controls & risks in CRMP
When was it released?
The framework was released last April by the AICPA. However, since this report is optional, it’s never too late to adopt it within your own organization. It may also be a wise decision to begin collecting these reports from your own vendors to ensure your information is in safe hands.
Why is it necessary?
The past five years have witnessed a changing landscape in cybersecurity. Investing in controls to protect your company from exposure was once almost a luxury. But over a short period of time, this perspective has shifted. Data breaches have impacted some of the world’s most prominent organizations, from Target to Yahoo to Equifax. These breaches carry consequences – fines, lawsuits, settlement fees, damaged reputation, etc. – and these consequences are becoming more serious as regulators pass cybersecurity laws such as GDPR.
Moreover, the differences between each organization’s approach to risk management have created confusion both internally and externally. According to Verizon’s 2017 Data Breach Investigations Report, 27% of data breaches in 2017 were discovered by third parties, meaning that organizations were unaware that they had been breached until another party informed them.
What we found even more interesting in this report was the fact that 25% of the breaches originated internally, through employee error or a vendor’s lack of risk management. In response to such incongruities and events, the AICPA established the cybersecurity framework to provide uniformity within the business world’s risk management programs.
The time for taking an ad-hoc approach to cybersecurity has passed. Organizations are now taking a proactive approach, and the SOC for Cybersecurity framework and report are one tool assisting them with this goal.
For more information on the SOC for Cybersecurity framework or examination, we recommend visiting the AICPA website or contacting us here.
Author: Tom Rogers
Job Title: CEO
Organization: Vendor Centric
Tom is the founder and CEO of Vendor Centric. He has been a trusted advisor to nonprofit organizations for 30 years, with a focus on helping them align the right people, processes and systems to mitigate third-party risk and drive more value from third-party contracts and relationships.