Cybersecurity has become an increasingly important priority for nearly every company in the world. The Guardian officially dubbed 2016 “the year of the hack,” the Securities and Exchange Commission has again named cybersecurity as a top examination priority for 2017, and cybersecurity has become a top political issue for corporate directors. As a result, business leaders, boards, stakeholders, and customers are seeking assurance that organizations responsible for managing sensitive data have an effective risk management program in place for controlling cybersecurity threats.
In response to the growing demand for this assurance, the AICPA pulled together a committee of financial and information security professionals to develop a new cybersecurity risk management reporting framework, known as SOC for Cybersecurity. Because of LBMC Information Security’s position as a leading IT security firm, our very own Mark Burnette had the opportunity to work alongside the AICPA to develop the framework, which was published on May 1, 2017.
Our goal is to help answer some of the most common questions we’ve received from clients about SOC for Cybersecurity and what it means for their organization.
What is SOC for Cybersecurity?
SOC for Cybersecurity is an examination engagement (i.e., an audit) that can be conducted by cybersecurity-savvy CPAs to assist an entity’s board of directors, senior management, customers, and stakeholders as they seek insight into the effectiveness of the entity’s cybersecurity risk management program.
In layman’s terms, it’s like a “Good Housekeeping” seal of approval a company can obtain to serve as an objective and independent validation of the effectiveness of the entity’s cybersecurity risk management program.
While a SOC for Cybersecurity assessment and the resulting report may sound similar to reports already being provided (e.g., an Enterprise Risk Assessment or a SOC 2 report), a fundamental difference is that SOC for Cybersecurity is a comprehensive evaluation of an entity’s overall approach to cybersecurity risk management and can serve as confirmation that the entity’s approach is effective and sufficient.
SOC for Cybersecurity is a voluntary, market-driven approach for examining an entity’s cybersecurity measures. Because of the flexible and holistic nature of the framework, it is relevant to entities regardless of their size or level of maturity.
What are the key elements in a SOC for Cybersecurity report?
A SOC for Cybersecurity assessment consists of three primary components:
1. Management’s Description
SOC for Cybersecurity requires management to provide a description on how the entity identifies its most sensitive information and manages the cybersecurity risks that threaten that information. The management description should also outline the key security policies and processes that the entity has created and put into place to protect the entity’s information assets against those risks.
Management’s Description of its cybersecurity risk management program should include insight into all of the following areas:
- Nature of Business & Operations
- Nature of Information at Risk
- Cybersecurity Objectives
- Factors That Have an Effect on Inherent Cybersecurity Risk (including technologies used, organizational characteristics, significant changes in prior period, etc.)
- Cybersecurity Risk Governance Structure
- Cybersecurity Risk Assessment Process
- Cybersecurity Communications
- Monitoring of the Cybersecurity Program
- Cybersecurity Control Processes
To assist management in effectively and comprehensively defining and describing its cybersecurity risk management program, the SOC for Cybersecurity framework includes detailed Description Criteria that management can use as a basis for developing its description, and that the practitioner performing the assessment can use as a baseline for conducting its evaluation of the entity’s current state.
2. Management’s Assertion
Once a comprehensive description is developed, SOC for Cybersecurity requires management to provide an assertion about the description. In the assertion, management must also note whether or not the controls within the program were effective for achieving the entity’s cybersecurity objectives. In essence, management must assert that its description aligns with the description criteria and that its cybersecurity risk management program control processes were functioning effectively during the period.
3. Practitioner’s Opinion
The final component of a SOC for Cybersecurity report is the CPA’s opinion on management’s description and on the effectiveness of the controls within that program. In the opinion, the CPA will indicate whether management’s description of the entity’s cybersecurity risk management program is consistent and aligned with the Description Criteria and whether the controls within that program were effective in achieving the entity’s cybersecurity objectives. This portion of the report is the independent attestation and validation of the entity’s cybersecurity risk management program, and it is typically what third parties and other readers of the report will want to see in order to give validity to the material in management’s description.
Could Your Institution Benefit from a SOC for Cybersecurity Report?
While SOC for Cybersecurity reports are not currently mandated for any industry, a growing number of companies are recognizing the importance of being able to show customers and stakeholders that they’re taking the appropriate steps for protecting sensitive data and reducing the likelihood of security breaches in their environment. The SOC for Cybersecurity report is one of the most effective ways for an organization to outwardly demonstrate its efforts in these areas.
If you want to learn more about SOC for Cybersecurity or discuss how it differs from the steps you’re already taking, feel free to contact our team anytime.