Cyber risk management oversight and reporting

Proactive steps to protect and advance your brand

It’s not a matter of if, but when, a cyberattack will occur. So when faced with the inevitable, how can your organization implement a Secure.Vigilant.Resilient.™ cyber risk management program? And how can you demonstrate the effectiveness of that program to your stakeholders? Taking a proactive approach establishes a strong foundation for addressing cyber risk, enabling the organization to achieve greater operational efficiencies and add value—helping your stakeholders gain confidence and obtain reliable information to support informed decision making, creating brand differentiation, and enhancing your reputation.

What’s driving the need for greater transparency around cyber risk management oversight and reporting?

Cyber risk is on many boardroom agendas. And for good reason. The past several years have seen some of history's most high-profile cyber breaches and attacks, and the magnitude of stolen information is staggering. The proliferation of cybercrime is putting organizations under intense pressure from boards, regulators, investors, analysts, business partners, customers, and other stakeholders to respond to inquiries about the effectiveness of their cyber risk management program. Yet there’s still a growing need for greater transparency and uniformity when it comes to evaluating and reporting on an organization’s cyber risk management program and related controls. This is further compounded by the fact that there’s no single approach for doing so today.

In response to this, cybersecurity examination engagement guidance related to cyber risk reporting and disclosures has recently been proposed by the American Institute of Certified Public Accountants (AICPA). This guidance is intended to expand cyber risk reporting to address the marketplace need for greater transparency and assurance around an entity’s cyber risk management program, as well as provide useful information in making informed and strategic decisions.


What benefits can organizations gain by undertaking a cybersecurity examination?

Organizations may realize a range of benefits as a result of a cybersecurity examination engagement, including:

  • Independent and objective reporting, providing a higher level of assurance to key stakeholders
  • Greater economic value for users of the report, as obtaining information about an organization’s cyber risk management program can be useful in making informed and strategic decisions
  • Strategic competitive advantage and enhancement of the organization’s brand and reputation in the marketplace
  • Operational efficiencies that can result from a single reporting mechanism that addresses the information needs of a broad range of users
  • Greater transparency around the effectiveness of the organization’s cyber risk management program to internal and external stakeholders, such as boards, regulators, investors, analysts, and business partners
  • A comprehensive set of criteria covering Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal controls, as well as commonly used cyber frameworks, including National Institute of Standards and Technology (NIST), ISO 27001, and AICPA’s Trust Services Criteria


How can organizations get started so they’re better prepared in the future?

A Secure.Vigilant.Resilient.™ cyber risk management program is integral to an organization’s ability to achieve its business objectives, power business performance, and reduce the potential risk of facing a material cybersecurity breach. Proactively investing in a cybersecurity examination readiness assessment today can help organizations prepare before a crisis hits. This includes:

  • Selecting an appropriate cyber control framework, such as the NIST Cybersecurity Framework (CSF) or the AICPA’s Trust Services Criteria, to be utilized in a future cybersecurity examination engagement
  • Evaluating the effectiveness of the current state of internal controls included within the entity’s cyber risk management program, leveraging the cyber control framework adopted by management
  • Identifying potential gaps in and enhancement opportunities for key cyber risk processes and related internal controls
  • Developing a remediation plan and subsequent execution of key remediation activities

The cyber threat landscape continues to evolve, both radically and rapidly, and your organization’s brand and reputation are at stake. The time to act is now.

Let's talk

Sandy Herrygers
Partner | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 313 396 3475

Gaurav Kumar
Principal | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 212 436 2745

John Clark
Partner | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 312 486 3985

Jeff Schaeffer
Senior Manager | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 973 602 5518