The value of visibility: Cybersecurity risk management examination
Stakeholders are calling for greater visibility into an organization’s cybersecurity risk management program. In response, the American Institute of Certified Public Accountants (AICPA) has developed new guidance to better evaluate and report on an entity’s cybersecurity risk management program. This report discusses the AICPA's new cybersecurity risk management examination reporting framework. It also offers a readiness assessment approach to help organizations prepare.
Mind the gap
In their risk oversight role, boards today are using a variety of cyber risk monitoring and reporting mechanisms, such as risk and control self-assessments, internal audits, and cyber crisis simulations. But these mechanisms only partially meet the needs of an ever-growing audience of stakeholders, and they may not provide adequate visibility and enough relevant information for both internal and external parties to make well-informed decisions about an organization’s cyber risk posture.
The new AICPA cybersecurity risk management examination reporting framework aims to address this information gap through independent and objective reporting on the effectiveness of cyber security processes and controls throughout an organization. These reports, which will describe and assess a company’s efforts to manage cybersecurity risk, won’t completely replace existing mechanisms, nor will they provide guarantees that an organization won’t be breached in the future. But they will use broader and more flexible criteria, provide greater objectivity, and be more widely distributable. They will also be more flexible in scope, and they can be conducted for certain business units or segments. These characteristics are relevant to various stakeholders, including the C-suite and the board.
A cybersecurity risk management examination may offer a number of potential benefits, such as:
- Greater stakeholder transparency into the effectiveness of an organization’s cybersecurity risk management program
- Independent and objective reporting, providing a higher degree of assurance to key stakeholders
- Greater economic value for users of the report, as obtaining more and higher quality information about an organization’s cyber risk management program can drive better informed and strategic decisions
- Strategic competitive advantage and enhancement of the organization’s brand and reputation in the marketplace, obtained by proactively establishing a strong foundation for addressing cybersecurity, before protocols are mandated by regulation or a crisis hits
- Operational efficiencies derived from a single reporting mechanism that addresses the information needs of a broad range of users