We are on the brink of a major shift in the cyber security landscape. Cyber attestation allows a focus on the entire cyber risk environment as well as on particular systems. New proposed legislation, PCAOB discussions and new criteria from the AICPA on cyber attestation standards are all signs of impending changes that will require cyber security integration throughout the environment to provide transparency and assurance. Here are some of the proposed changes we believe could change the cyber security landscape.
First, there is a House bill to amend SOX: the “Cybersecurity Systems and Risks Reporting Act” (H.R. 5069).[1]
The potential areas being introduced are highlighted below:
- Section 302: A company’s management would be required to certify the effectiveness of the company’s cybersecurity systems;
- Section 404: Management would be required to include in the annual report its assessment of the effectiveness of the company’s cybersecurity systems; and the independent auditor would be required to attest to, and report on, management’s assessment;
- Section 407: A company would be required to disclose whether (and if not, explain why) its audit committee has at least one member who is a cyber security systems expert.
- Also, the PCAOB is discussing: “Cybersecurity risk evaluation should include consideration of risks impacting third-parties critical to the company’s information system, not only a company’s own systems.”
The status of the bill can be viewed here.
Second, the Assurance Services Executive Committee of the American Institute of CPAs has released two sets of criteria on cybersecurity for public comment, which the institute hopes will start to lay the groundwork for a new set of assurance services, as described in a recent article.
- “Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program”
- “Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy”
Comments on the cybersecurity attestation exposure drafts are due by Monday, Dec. 5. The exposure drafts can be found here.
As these changes evolve for cybersecurity, each company, from finance to internal audit to information technology, will need to increase the transparency of its cyber risk assessment and controls. Cybersecurity is, or soon will be, “at the table” with finance, the audit committee and SOX. Cybersecurity transparency and reputation risk are extending beyond the company’s four walls.
We recommend proactive engagement as follows:
- Align the parties (finance, compliance, internal audit, procurement, IT operations, security and compliance)
- Validate compliance to others – SOC 2 and (future) cyber attest
- Validate compliance from others – vendor management
Further information on the AICPA Cybersecurity Initiative can be found here.
For more information please contact one of RubinBrown's Cyber Security Advisory Services Group professionals.
[1] Center for Audit Quality (CAQ) Public Policy and Technical Alert, May 2016. See also PCAOB Staff Inspection Brief, April 2016.