SOC, meet cybersecurity
As global cyberattacks become more common, organizations are fine-tuning, or even implementing, a cybersecurity risk management program — and there is no better way to validate that program than with an independent evaluation.
The American Institute of CPAs (AICPA) recently released the new Cybersecurity Risk Program examination, responding to a changing marketplace where cybersecurity is top of mind for many accountants, and helping organizations looking for an independent evaluation of their cybersecurity risk program.
This new examination is part of the AICPA’s redefined SOC reports. SOC reports previously stood for Service Organization Controls; now the term stands for System and Organization Controls. SOC for Cybersecurity has been added to the SOC 1, SOC 2, and SOC 3 suite of SOC reports.
“The introduction of the SOC for Cybersecurity reporting framework is an exciting development in the area of security focused risk management,” said Dan Zangwill, chief security officer for Capital Confirmation, which provides an online audit confirmation platform. “At a time of increased reliance on third parties in the supply chain of technology solutions, holistic cybersecurity strategies are essential to the protection of an organization's networks and data. SOC for Cybersecurity offers a structured approach to implementing security controls which are efficient, measurable, and most importantly, mitigate risk. An independent report examining the effectiveness of these controls will be invaluable for companies wishing to assert a strong security posture to the marketplace.”
The AICPA defines an entity’s cybersecurity risk management program as a set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from, on a timely basis, security events that are not prevented.
Differences between the AICPA examination and the SOC 2 report
While there are some similarities between the cybersecurity risk management program examination and the SOC 2 report, the type of report, report format, intended users of the report, and intent of the report are different. The SOC 2 report is less restricted and meant for a broader audience that could include potential customers. In other words, it is a general use report. The examination is not strictly for service organizations (i.e., organizations that provide services to other organizations), but the SOC 2 report is. Any organization, service provider or not, could complete the examination.
Another difference between the SOC 2 report and the AICPA examination is the treatment of any subservice organizations. In a SOC 2 engagement, service organizations can either include or carve out a vendor whose services are significant to achieving the criteria. Such a vendor is called a subservice organization. In a Cybersecurity Risk Management examination, there is no option to include or carve out a subservice organization. Organizations are responsible for all controls within the risk management program regardless of who is responsible for performing the controls.
A SOC 2 report would be considered more suitable for organizations that need to provide a listing of controls that meet the defined criteria and, in the case of a Type 2 examination, the operating effectiveness of those controls over a period of time. The Cybersecurity Risk Management engagement does not include details on how the controls operated during the period; testing of the operating effectiveness of controls over a period of time is not performed in this examination. The report might therefore be considered less detailed than a SOC 2 report.
In a nutshell
The SOC 2 report includes the following components: a description of the cybersecurity risk management program created by the organization and presented to the auditor; a management assertion letter vouching for the description of the program; and an audit opinion on the organization’s cybersecurity program from the auditor.
The AICPA has defined the description criteria that management should use when creating their cybersecurity risk management report:
1. Nature of the business and operations;
2. Nature of the information at risk;
3. Cybersecurity risk program objectives;
4. Factors that have a significant effect on inherent cybersecurity risks;
5. Cybersecurity risk governance structure;
6. Cybersecurity risk assessment process;
7. Cybersecurity communications and the quality of cybersecurity information;
8. Monitoring of the cybersecurity risk management program; and
9. Cybersecurity control processes.
If you are looking to either fine-tune or implement a cybersecurity risk management program, consider reviewing the details of this new examination or speaking with an audit professional. An independent evaluation could be just what you need to further your program.