Most people think of General Motors (GM) as a "car company." Others may consider it an American manufacturing icon or an engineering pioneer that produced a fully electric car, the EV-1, before its time.
But, a technology company?
Absolutely — ask GM. Company representatives are likely to tell you its technology is so important to its business that a breach or disruption of its information systems poses a real threat.
In its most recent 10-k filed with the SEC, GM discloses risk factors that could have a material adverse effect on its business and operations. In reference to cybersecurity risk, the company stated the lengths to which it relies on information technology networks and systems and how critical the secure operations of these IT networks is to its business operation and strategy.
Just about any entrepreneur or executive could apply that sentiment to their own business, given the heightened sensitivity to protecting customer or internal data, increased connectivity and interdependency of information systems among customers and suppliers, and the increasing complexity of the technology we use in our daily operations.
Cybersecurity is a business issue, not an IT issue
A company like GM — and, very likely, your own — has many stakeholders: consumers, investors, dealers, suppliers, employees, a board of directors, market analysts, and regulators. These stakeholders rely on GM’s ability to implement a robust and reliable cybersecurity risk management program to reduce risk. Cyberattacks are on the rise across the globe and the cost of these attacks is ever-increasing. At stake to all types of companies is a loss of brand reputation, the ability to operate efficiently, competitive advantage, and proprietary information or assets. What companies gain is, unfortunately, financial and legal liability. The cost of an average data breach has reached approximately $4 million, according to data from the Ponemon Institute, and it can quickly escalate from there based on the type of breach and volume of data imperiled.
Management of companies large and small alike, in all industries, are realizing cybersecurity isn't just an IT issue, but a critical business issue. And, in order to fulfill their oversight responsibilities and meet business objectives effectively, leaders charged with governance are evaluating cybersecurity risk and their organization's responses to it. To do so, they must have information about the specific cybersecurity risks an entity faces and the effectiveness of the cybersecurity risk management program management implements.
We envision SOC for Cybersecurity reports becoming an important tool for companies to gain assurance about the strength of their cybersecurity risk management program.
Other stakeholders — customers, investors, vendors to name only a few — also benefit from information about the strength of a company’s cybersecurity risk management program before investing, using or purchasing products, or conducting business transactions.
The next evolution of SOC reporting (Systems and Organization Controls), SOC for Cybersecurity, provides such information.
SOC for CybersecurityThe SOC for Cybersecurity was introduced in April 2017 by the American Institute of Certified Public Accountants (AICPA) to enable CPA firms to provide a business with a general-purpose attestation report on the design and effectiveness of its enterprisewide cybersecurity risk management program. This new examination is an additional offering under the AICPA’s existing SOC suite of services:
- SOC 1®—SOC for Service Organizations: ICFR. The performance and reporting requirements for an examination of controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting
- SOC 2®—SOC for Service Organizations: Trust Services Criteria. The performance and reporting requirements for an examination of controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy
- SOC 3®—SOC for Service Organizations: Trust Services Criteria for General Use Report. The performance and reporting requirements for an examination of controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy resulting in a general-use report
- SOC for Cybersecurity. The performance and reporting requirements for an examination of an entity’s cybersecurity risk management program and related controls
And, the AICPA isn’t stopping here. In 2018, it plans to introduce a new examination service, SOC for Vendor Supply Chains, which is intended to help businesses better understand and manage external risks, including cybersecurity risk, given the increasing connectivity among vendor, distribution, and customer information systems and devices.
Multiple uses and diverse stakeholdersAny company, public or private, large or small, can benefit from obtaining or issuing an SOC for Cybersecurity report; it's an important tool to help you gain assurance about the strength of your cybersecurity risk management program and effectively communicate these controls to key stakeholders.
Here are some examples:
- Board members of a public, private, or not-for-profit entity use a SOC for Cybersecurity attestation report to gain a better understanding of the organization's cybersecurity risk management program and how it influences decision-making in ways that minimize risk.
- A procurement officer obtains a SOC for Cybersecurity attestation report as part of a prudent vendor management program to gather information about prospective vendors that will handle sensitive data.
- Partners of a legal firm look for a SOC for Cybersecurity attestation report to help them evaluate the strength of their enterprisewide cybersecurity risk management program and the level to which they are protecting client data and communications.
- A private equity or venture capital group, high-net-worth individual, or other significant investor obtains a SOC for Cybersecurity attestation report during due diligence to help determine whether the risks of the investment opportunity are tolerable.
Breaking it down: the examination and attestation
The SOC for Cybersecurity examination assesses and reports on:
- The entity’s cybersecurity risk management program.
- The effectiveness of the controls within that program to achieve the entity’s cybersecurity objectives.
Together, these two areas touch on all significant and material aspects of a company’s IT infrastructure: its people, its processes, and its technology.
The examination focuses on how a business deploys its cybersecurity risk management program to accomplish its business objective; it doesn't focus narrowly on any specific service line or business unit.
The attestation addresses nine major topics, including:
- Nature of the business and operations
- Nature of information at risk
- Cybersecurity risk management program objectives
- Factors that have a significant effect on inherent risks related to the use of technology
- Cybersecurity risk governance structure
- Cybersecurity risk assessment process
- Cybersecurity communications and quality of cybersecurity information
- Monitoring of the cybersecurity risk management program
- Cybersecurity control processes
The details of these broad topics include a focus on company level controls and how the cybersecurity risk management program addresses the company’s ability to meet its business objectives.
The AICPA has made this new attestation flexible to account for various widely accepted internal control frameworks — Trust Services Criteria, NIST Cybersecurity Framework, COBIT 5, ITIL, ISO 27001, HITRUST, NAIC Cyber Framework, and others.
One of the nice attributes of SOC for Cybersecurity is a company’s ability to select the underlying framework for the report. Businesses can select a control framework that’s relevant and publicly available and that management and its auditors believe are suitable to achieve the description criteria and business objectives.
Cybersecurity risk as a significant business risk will only continue to grow. More than 10 billion connected devices are in use, and forecasts indicate that number will double by 2020. It’s also anticipated that 99 percent of everything we manufacture will connect to the internet. But, the internet wasn't designed around security.
Your best bet is to maximize your own diligence and prepare for the next generation of compliance and reporting to ensure you not only meet your business objectives, but satisfy stakeholder expectations and allay their all-too-valid cybersecurity concerns.