
The Board Wants To Know: What Can The Organization Do To Bypass Cyber Program Ineffectiveness?

by Andrew Morrison and Sandy Herrygers

According to a Deloitte poll, corporate boards may be more likely than regulators to scrutinize cybersecurity program effectiveness this year.


Corporate boards are increasingly putting cybersecurity program effectiveness under a microscope. In a 2018 Deloitte poll, 62.7 percent of C-suite and other executives expect requests from boards of directors for reporting on cybersecurity program effectiveness to increase in the next 12 months. When it comes to developing more effective cybersecurity programs, the pressure exerted by corporate boards may even exceed the formal demands of regulators: a marginally lower 57.3 percent of executives expect increased cybersecurity regulatory scrutiny during the same period.

Uncertainty abounds around existing cybersecurity controls 

Even though boards are seeking a higher level of confidence in the effectiveness of their organizations’ cyber risk management programs, executives are hard-pressed to deliver it. On the whole, they are largely unsure about where their programs stand, with just 16.7 percent of executives saying they are highly confident in the effectiveness of their organization’s current cyber program. The vote of high confidence drops even lower in industries such as financial services (14.3 percent); technology, media and telecoms (11.8 percent); and energy and resources (5.6 percent).

There are a variety of possible reasons for this uncertainty. The rapid pace of technological change and the continuous evolution of attack patterns can present a challenge to even the most mature organizations, especially when skilled cyber talent is in high demand. To add to the uncertainty, ownership of cybersecurity effectiveness measures can often be unclear, since reporting structures for chief information security officers (CISOs) vary by organization. In fact, 28.5 percent of responding executives say their CISOs report to the CIO, 25.4 percent say their CISOs report to CEOs, 9.7 percent say their CISOs report to chief compliance officers or chief risk officers, and 3 percent say their CISOs report to chief legal officers. Some executives (12.9 percent) don’t know the reporting hierarchy for their CISOs at all.

A shift from fractured to uniform cybersecurity programs: The AICPA’s SOC for Cyber framework

Though well-intentioned, the abundance of cybersecurity frameworks and of reporting and disclosure guidance also contributes to executives’ uneasiness about the effectiveness of their programs, often leaving leadership uncertain about how to work with multiple frameworks and interpret different sets of guidance.

Regardless of the reason for their lack of confidence in the effectiveness of their cybersecurity programs, about one-third of executives may have a resolution for the uncertainty. According to poll data, 32.3 percent of executives plan to adopt the American Institute for Certified Public Accountants (AICPA) System and Organization Controls (SOC) for Cybersecurity (SOC for Cybersecurity) framework, with 19.2 percent reporting plans to do so within the next 12 months. 

The AICPA SOC for Cybersecurity risk management framework was finalized in April 2017 and serves as a voluntary, market-driven solution intended to provide companies with a common-language reporting mechanism to communicate with key stakeholders on how they are effectively managing cybersecurity risk. The SOC for Cybersecurity framework is generally gaining traction because it provides a standardized, yet flexible, blueprint for evaluating, reporting, and communicating the effectiveness of an organization’s cybersecurity risk management program down to the control level.

As Deloitte’s poll data suggests, many organizations are increasingly discovering that a SOC for Cybersecurity examination offers distinct advantages compared to other types of assessments:  

  • Independence and objectivity — Since the examination is done by a third party, it promotes independent and objective assurance, inspiring greater confidence among recipients of the report. It is also a useful tool for CIOs and CISOs, offering them a different perspective on the effectiveness of their programs than they would receive from an internal assessment. 

  • Transparency across key stakeholder groups — The AICPA framework provides a uniform language, similar to U.S. GAAP for financial reporting, for communicating the effectiveness of an organization’s cybersecurity risk management program to a variety of stakeholders. Unlike some other reports where the audience is limited to one or two parties, a SOC for Cybersecurity report can be shared with boards and audit committees, regulators, customers, business partners and investors. And, from the board’s perspective, engaging an independent third party to perform a SOC for Cybersecurity examination and circulating the results with key constituents can demonstrate that oversight responsibilities are being fulfilled.

  • Test once, satisfy many — The SOC for Cybersecurity report is very specific regarding what should be tested and what the results should yield. Thus, the report, or portions of it, can potentially be given to regulators, business partners, and other parties as evidence that an organization’s controls were tested by an outside party. By removing the need for different groups to come in and test certain controls themselves, the report can potentially save organizations a great deal of time and expense. The report also has the potential to deliver additional operational efficiencies by streamlining the process of responding to the mounting number of cybersecurity questionnaires.

Improving stakeholder visibility is an underlying tenet of the AICPA’s SOC for Cybersecurity framework, and so is flexibility. The report can be leveraged alone or in concert with other industry-specific frameworks and standards, and has been designed to complement, not replace, internal audit reports or other reviews. In conducting the examination, the independent third party can use the same criteria that management used to develop and implement the organization’s program. For instance, if an organization used the National Institute of Standards and Technology (NIST) framework to develop its program, that is what the independent third party would use to assess the organization’s controls. In fact, the SOC for Cybersecurity framework can be applied to any cybersecurity control structure that management has adopted, as long as the criteria are appropriate in accordance with the SOC for Cybersecurity standards.

Assurance on what’s important 

Certainly, the topic of cybersecurity is vast and the prospect of examining all of the organization’s controls in one fell swoop may be overwhelming, especially in the case of multinational companies. 

Fortunately, the SOC for Cybersecurity exam doesn’t have to be conducted in a “big bang” at the entity level. You can start by carving out a business unit, a risk, a set of guidance, or another subset of criteria. For example, a retailer could undertake a SOC for Cybersecurity exam just on the systems, processes, and controls around management of customer credit card data. Alternatively, a healthcare provider may choose to focus on risks related to Personally Identifiable Information (PII). The same principle applies in complying with regulations or following principles-based guidance. For instance, the exam could be conducted to test whether the organization is prepared to disclose a breach to investors in a timely manner and with the appropriate level of detail, as outlined in the recent interpretive guidance release from the Securities and Exchange Commission (SEC).

The idea is to define your business objectives and what you want to have evaluated so you can get assurance around the parts of your cybersecurity program that are most important to your organization. 

Getting ready 

Organizations interested in implementing the AICPA SOC for Cybersecurity framework should first consider a readiness assessment to identify and remediate any control deficiencies before undertaking the actual SOC for Cyber exam. This readiness assessment should include the following activities:

  • Perform a risk assessment to identify the highest-criticality assets (e.g., intellectual property, customer data) and update existing IT risk and control catalogs.

  • Define the company’s cyber risk management program and conduct an IT risk and controls assessment for critical assets and underlying infrastructure.

  • Conduct a gap analysis of identified control deficiencies.

  • Develop a remediation roadmap with prioritized activities and defined due dates.

  • Execute remediation activities to address the control deficiencies identified.

Until recently, organizations mainly tried to address the tough questions coming from the board and other key stakeholders through a range of frameworks, point solutions and ad-hoc approaches – a piecemeal method that did not engender high levels of confidence around an organization’s cybersecurity program. 

Yet, there may be a light on the horizon. As the polling results indicate, the demand for information and transparency is expected to increase from boards and regulators alike. Independent attestations like the SOC for Cybersecurity framework may be able to put these stakeholders at ease by helping organizations resolve much of the uncertainty and haphazardness associated with build-your-own cyber programs. By providing a broad, objective and flexible roadmap, the AICPA framework can be used to enhance stakeholder trust in an organization’s ability to protect its ‘crown jewel’ assets, continuously monitor program strength, and chart a measurable path toward ongoing improvements. It can help executives manage multiple frameworks and respond to different sets of guidance. Moreover, the costs of implementing the framework would likely pale in comparison to the expenses and consequences of mishandling a significant cyber breach.

About the SEC Interpretive Guidance Release

In response to the pervasive increase in digital technology, as well as the severity and frequency of cybersecurity threats and incidents, the Securities and Exchange Commission (SEC) issued an interpretive guidance release on February 21, 2018. The release largely refreshes existing SEC staff guidance related to cybersecurity and, like that guidance, does not establish any new disclosure obligations but rather presents the SEC’s views on how its existing rules should be interpreted in connection with cybersecurity threats and incidents.

More specifically, the SEC’s Division of Corporation Finance issued principles-based guidance in 2011 that provided the SEC’s views on cybersecurity disclosure obligations, including those related to risk factors, MD&A and the financial statements. The release expands on the concepts discussed in that guidance and concentrates more heavily on cybersecurity policies and controls, most notably those related to cybersecurity escalation procedures and the application of insider trading prohibitions. It also addresses the importance of avoiding selective disclosure as well as considering the role of the board of directors in risk oversight.

The SEC acknowledged that it does not expect a company’s disclosures to provide a level of detail that could compromise its cybersecurity efforts and that there may be limited information available in the early stages of a cybersecurity incident investigation. Nevertheless, the SEC emphasized that as information becomes available, registrants are responsible for disclosing appropriate information to keep investors informed and must balance the need for timely disclosure with the level of detail they can provide about such incidents. While cooperation with law enforcement during an ongoing investigation of a material cybersecurity incident may be necessary and may affect the scope of disclosure, it would not alone provide a basis for omitting material disclosure. In light of the SEC’s focus on cybersecurity matters, companies may want to revisit their disclosures and disclosure controls and procedures (DCPs), including controls over the sales of securities by executives.


Andrew Morrison is a Deloitte Risk and Financial Advisory principal in the cyber risk services practice of Deloitte & Touche LLP. Sandy Herrygers is a Deloitte Risk and Financial Advisory partner in the assurance practice of Deloitte & Touche LLP.