Cybersecurity is among the top issues currently on the minds of boards of directors, managers, investors, customers and other stakeholders of organizations of all sizes—whether public or private. Managing cybersecurity concerns is especially challenging because even an organization with a highly mature risk management program is susceptible to breaches that may not be detected in a timely manner. Users need timely, useful information about how organizations are managing these threats and whether organizations have effective processes and controls in place to prevent and detect breaches that could disrupt their business, result in financial losses, or destroy their reputation.
SOC for Cybersecurity is a market-driven, flexible, and voluntary reporting framework that helps organizations communicate about their cybersecurity risk management programs and the effectiveness of program controls and for CPAs to examine and report on such information. It uses a common, underlying language, or framework, for cybersecurity risk management reporting, almost akin to US GAAP or IFRS for financial reporting, to enable all organizations, in all industries, to communicate relevant information about their cybersecurity risk management programs. Use of this common language brings comparability to the disclosures and enhances and complements disclosures based on other commonly used security frameworks, such as NIST or ISO’s 27001, that are in the market today. A CPA examination report on an organization’s prepared cybersecurity risk management information enhances the trust and confidence that users can place on such information.
What is a SOC for Cybersecurity examination?
SOC for Cybersecurity is an examination engagement performed by CPAs (practitioners) on an entity’s cybersecurity risk management program. In a cybersecurity risk management examination, there are two distinct but complementary subject matters: (a) the description of the entity’s cybersecurity risk management program and (b) the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives. A cybersecurity risk management examination results in the issuance of a cybersecurity risk management examination report that is for general use.
The cybersecurity risk management examination report includes the following three key components:
Management’s description of the entity’s cybersecurity risk management program
. The first component is a management-prepared narrative description of the entity’s cybersecurity risk management program (description). This description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks. The description provides the context needed for users to understand the conclusions, expressed by management in its assertion and by the practitioner in his or her report. Management uses description criteria the to prepare and evaluate an entity’s cybersecurity risk management program.
. The second component is an assertion provided by management, which may be as of a point in time or for a specified period of time. Specifically, the assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. The AICPA has developed control criteria for use when evaluating whether the controls within the program were effective to achieve the entity’s cybersecurity objectives.
Practitioner’s report. The third component is a practitioner’s report, which contains an opinion, which addresses both subject matters in the examination. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
Potential users & benefits
Senior management: A cybersecurity risk management examination report provides senior management with information about the effectiveness of an organization’s cybersecurity risk management program, including the controls designed, implemented and operated to mitigate threats against the entity’s sensitive information and systems.
Boards of directors: A cybersecurity risk management examination report provides board members with information about the cybersecurity risks the entity faces and the program that management has implemented to help them fulfill its oversight responsibilities. It also helps them evaluate management’s effectiveness in managing cybersecurity risks.
Analysts and investors: A cybersecurity risk management examination report provides analysts and investors with information about an entity’s cybersecurity risk management program. This information is intended to help them understand the cybersecurity risks that could threaten the achievement of the entity’s operational, reporting, and compliance (legal and regulatory) objectives and, consequently, have an adverse impact on the entity’s value and stock price.
Business partners: A cybersecurity risk management examination report provides business partners with information about the entity’s cybersecurity risk management program as part of their overall risk assessment. This information may help determine matters such as whether there is a need for multiple suppliers for a good or service and the extent to which they choose to extend credit to the entity. Some business partners may need a detailed understanding of controls implemented by the entity and the operating effectiveness of those controls to enable them to design and operate their own control activities. For example, business partners whose information technology (IT) systems are interconnected with systems at the entity may need to understand the specific logical access protection over the interconnected systems implemented by the entity.