Companies across the economy have in recent years responded to emerging cyber risks by applying recognized cybersecurity frameworks and controls with varying levels of success. Increasingly, however, corporate leaders are facing pressure from their boards, regulators and key business partners to build confidence in the maturity of their cybersecurity programs. Such pressure could boost demand for independent reviews that provide C-suites a consistent way to understand, improve and inform stakeholders about the effectiveness of cyber risk management programs in their organizations and supply chains.
PwC’s 20th Annual CEO Survey found cybersecurity is among the fastest-rising worries for U.S. CEOs this year. Such concerns coincide with rising global awareness about the complexity and significance of cyber risks. The World Economic Forum’s 2017 Global Risks Report highlights how cyberattacks, software glitches and other factors can cause systemic failures that spill across networks and cause unexpected challenges for society. Further, the report lists massive data theft or fraud and large-scale cyberattacks among the top 10 most likely risks for the next decade.
To date, judgments about the effectiveness of industry efforts to employ leading cybersecurity frameworks and controls — such as the U.S. National Institute of Standards and Technology (NIST) cybersecurity framework — have largely been based on internal assessments and responses to cyber-related questionnaires. This has made it challenging for both internal and external stakeholders to obtain a truly objective view of an organization’s cyber resilience.
This year, however, could mark a turning point on that front. NIST’s recently proposed framework revision includes new draft language on metrics and measures. Further, in its report to President Trump, the Obama administration’s cybersecurity commission urged industry to develop “conformity assessment programs” that would help companies to determine whether they were effectively using the NIST framework. Such reviews, the panel wrote, might help reduce risk and meet the needs of infrastructure owners and operators, business partners and supply chains.
Regulatory scrutiny of cyber risk management, meanwhile, shows no signs of abating and could grow with time. The newly appointed Securities and Exchange Commission leader, Jay Clayton, notably co-authored a 2015 article underscoring the need to proactively manage cyber risks. Further, the new cybersecurity regulation for New York’s financial industry, which went into effect in March 2017, requires identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance.
Corporate leaders might wonder how they can begin to assess their conformance with voluntary standards, further strengthen risk management and demonstrate progress in cybersecurity. Fortunately, an emerging effort by the American Institute of CPAs (AICPA) could provide the marketplace a new tool to help companies from across the economy verify the soundness of their cyber risk management programs.
The AICPA is developing a reporting framework intended to enable organizations to provide key information about cyber risk management efforts to an array of stakeholders. The AICPA is expected to finalize practitioner guidance in the next couple of months. This endeavor could pave the way for public accounting firms to take clients on a two-part journey that begins with assessing whether an organization is effectively using key tools — such as the NIST framework or other leading standards — to develop a sound cyber risk management program. This initial assessment phase would enable corporate leaders to identify and correct gaps in their cyber risk management. The second part of the journey, and the ultimate intent of the AICPA effort, is to enable certified public accountants (CPAs) to provide an opinion as to whether organizations have effective cyber risk management programs.
Many companies might not yet have had strong enough cyber risk management to clear the bar required for an attestation-level report. The AICPA framework, however, could allow companies to start working toward that goal by assessing and improving cyber risk management. Ultimately, an attestation-level report would likely boost transparency, streamline cyber risk discussions within industry and with regulators, enable some flexibility in reporting and provide a merit-based means of enhancing brand and reputation. PwC supports development of the AICPA framework and stands ready to help clients explore how they can gain value from this initiative.
Cybersecurity Attestation Services Leader, PwC US