
Assess enterprise-wide risk management with SOC for Cybersecurity

August 15, 2017 / 6 min read

SOC for Cybersecurity offers businesses a general-purpose attestation report on the design and effectiveness of cybersecurity risk management programs. Here's what you should know to meet business objectives, satisfy stakeholder expectations, and allay their cybersecurity concerns.

Most people think of General Motors (GM) as a "car company." Others may consider it an American manufacturing icon or an engineering pioneer that produced a fully electric car, the EV-1, before its time.

But, a technology company?

Absolutely — ask GM. Company representatives are likely to tell you its technology is so important to its business that a breach or disruption of its information systems poses a real threat.

In its most recent 10-K filed with the SEC, GM discloses risk factors that could have a material adverse effect on its business and operations. In reference to cybersecurity risk, the company stated the extent to which it relies on information technology networks and systems and how critical the secure operation of these IT networks is to its business operation and strategy.

Just about any entrepreneur or executive could apply that sentiment to their own business, given the heightened sensitivity to protecting customer or internal data, increased connectivity and interdependency of information systems among customers and suppliers, and the increasing complexity of the technology we use in our daily operations.

Cybersecurity is a business issue, not an IT issue

A company like GM — and, very likely, your own — has many stakeholders: consumers, investors, dealers, suppliers, employees, a board of directors, market analysts, and regulators. These stakeholders rely on GM’s ability to implement a robust and reliable cybersecurity risk management program to reduce risk. Cyberattacks are on the rise across the globe, and the cost of these attacks is ever-increasing. At stake for all types of companies is the loss of brand reputation, the ability to operate efficiently, competitive advantage, and proprietary information or assets. What companies gain is, unfortunately, financial and legal liability. The cost of an average data breach has reached approximately $4 million, according to data from the Ponemon Institute, and it can quickly escalate from there based on the type of breach and volume of data imperiled.

Management teams at companies large and small, in all industries, are realizing cybersecurity isn't just an IT issue, but a critical business issue. And, in order to fulfill their oversight responsibilities and meet business objectives effectively, leaders charged with governance are evaluating cybersecurity risk and their organization's responses to it. To do so, they must have information about the specific cybersecurity risks an entity faces and the effectiveness of the cybersecurity risk management program that management implements.

We envision SOC for Cybersecurity reports becoming an important tool for companies to gain assurance about the strength of their cybersecurity risk management program.

Other stakeholders — customers, investors, and vendors, to name only a few — also benefit from information about the strength of a company’s cybersecurity risk management program before investing, using or purchasing products, or conducting business transactions.
The next evolution of SOC reporting (Systems and Organization Controls), SOC for Cybersecurity, provides such information.

SOC for Cybersecurity

The SOC for Cybersecurity was introduced in April 2017 by the American Institute of Certified Public Accountants (AICPA) to enable CPA firms to provide a business with a general-purpose attestation report on the design and effectiveness of its enterprise-wide cybersecurity risk management program. This new examination is an additional offering under the AICPA’s existing SOC suite of services:

And, the AICPA isn’t stopping here. In 2018, it plans to introduce a new examination service, SOC for Vendor Supply Chains, which is intended to help businesses better understand and manage external risks, including cybersecurity risk, given the increasing connectivity among vendor, distribution, and customer information systems and devices.

Multiple uses and diverse stakeholders

Any company, public or private, large or small, can benefit from obtaining or issuing an SOC for Cybersecurity report; it's an important tool to help you gain assurance about the strength of your cybersecurity risk management program and effectively communicate these controls to key stakeholders.
Here are some examples:

Breaking it down: the examination and attestation

The SOC for Cybersecurity examination assesses and reports on:

  1. The entity’s cybersecurity risk management program.
  2. The effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives.

Together, these two areas touch on all significant and material aspects of a company’s IT infrastructure: its people, its processes, and its technology.
The examination focuses on how a business deploys its cybersecurity risk management program to accomplish its business objective; it doesn't focus narrowly on any specific service line or business unit.

The attestation addresses nine major topics, including:

  1. Nature of the business and operations
  2. Nature of information at risk
  3. Cybersecurity risk management program objectives
  4. Factors that have a significant effect on inherent risks related to the use of technology
  5. Cybersecurity risk governance structure
  6. Cybersecurity risk assessment process
  7. Cybersecurity communications and quality of cybersecurity information
  8. Monitoring of the cybersecurity risk management program
  9. Cybersecurity control processes

The details of these broad topics include a focus on company-level controls and how the cybersecurity risk management program addresses the company’s ability to meet its business objectives.

Built-in flexibility

The AICPA has made this new attestation flexible to account for various widely accepted internal control frameworks — Trust Services Criteria, NIST Cybersecurity Framework, COBIT 5, ITIL, ISO 27001, HITRUST, NAIC Cyber Framework, and others.

One of the nice attributes of SOC for Cybersecurity is a company’s ability to select the underlying framework for the report. Businesses can select a control framework that’s relevant and publicly available and that management and its auditors believe is suitable to achieve the description criteria and business objectives.

Cybersecurity risk as a significant business risk will only continue to grow. More than 10 billion connected devices are in use, and forecasts indicate that number will double by 2020. It’s also anticipated that 99 percent of everything we manufacture will connect to the internet. But, the internet wasn't designed around security.

Your best bet is to maximize your own diligence and prepare for the next generation of compliance and reporting to ensure you not only meet your business objectives, but satisfy stakeholder expectations and allay their all-too-valid cybersecurity concerns.
