Despite the proliferation and escalation of cyber-breaches, companies and government agencies are still trying to wrap their heads around the notion that break-ins are inevitable.
“Over 30 years, we moved almost everything we value from the analog space to the digital space, connected through a protocol that is not secure,” says John Carlin, partner and chair of the global risk and crisis management practice at law firm Morrison & Foerster. “There is no internet-connected system that is safe from being breached by a dedicated adversary. The technology does not exist.”
That’s not much different from what other cyber-experts are telling companies: they should recognize it’s not a question of whether they will be breached, but when, and how they’ll handle it when it happens.
Corporate boards are starting to get more engaged on the cyber-threat, says Gregory Garrett, leader of international cyber-security at audit firm BDO USA. The firm’s fourth annual poll suggests a growing share of public company directors are more involved in the effort to defend against cyber-hacks than they were a year ago, and budgets committed to cyber-defense are growing. “Each year, the level of cyber-security investment is going up,” he says.
Companies clearly recognize the threat persists, but they are struggling with how best to spend their limited resources, says Todd Bialik, a partner at PwC in charge of third-party assurance services. “There’s only a certain amount of money out there to spend on cyber-security, so they’re trying to balance their resources and focus on what the risk is to the company,” he says.
As boards get more engaged, they’re not content to simply settle for a “yes” answer when they ask the chief information or security officers if the company is protected, says Bialik. They’re more likely to ask the follow-up question: How do you know?
Little by little, companies are starting to recognize they can’t “just throw a bunch of controls out there without thinking about a risk management framework,” says Bialik. “You have to continuously update: what are the risks facing the company?” That might include environmental factors, industry factors, issues specific to the company, or regional or geographic issues, and many more.
Garrett agrees companies seem to accept that they need to devote more resources and energy to cyber-defense, but they are not entirely sure where to focus. “A lot of money is being spent, but I don’t think it’s always being spent wisely,” he says. Garrett himself advocates for investing in the human side of cyber-security, namely education and training.
“The AICPA’s cyber-framework will create pressure on all businesses to make decisions about security at the very top of the organization, where the CEO, legal, and CFO reside.”
Gregory Garrett, Leader, International Cyber-Security, BDO USA
It was a relatively simplistic hack, for example, that led to a breach at Big 4 firm Deloitte & Touche, paradoxically ranked as one of the top providers of cyber-security services. Hackers reportedly obtained access to an administrator’s password that provided access to e-mail, which exposed private information for a handful of clients. Having robust passwords that are well protected, especially for system administrators, is considered elementary in cyber-risk management.
The Equifax breach, likewise, occurred because of what the former CEO described as an individual’s oversight in failing to manually patch an application. In testimony to Congress, the ousted Richard Smith said it was a communications error, ultimately, that exposed the credit histories of millions of people.
To ensure companies cover such simpler steps in their cyber-protection strategies, auditors are starting to gear themselves up to do what auditors do best: fact-check a company’s cyber-risk activities and report on unaddressed risks. The effort is voluntary, but auditors say they’re starting to see interest grow as a way to further focus and refine cyber-risk efforts.
The American Institute of Certified Public Accountants unveiled a framework earlier this year that gives companies an avenue to a voluntary attestation that would enable them to gut check their approach to cyber-risk. It enables companies to demonstrate to boards of directors, shareholders, vendors, customers, regulators, employees, and anyone else who might have an interest that the company is identifying and addressing its most serious cyber-risks.
The framework doesn’t guide a company through identifying and mitigating its cyber-risks. That’s the job of more prominent and well-established frameworks like NIST, ISO, and several others. Rather, the AICPA framework provides a means for companies to tell their stakeholders what they’re doing to manage and mitigate cyber-threats.
With the exception of some industry-specific requirements in high-risk sectors, U.S. companies are generally not bound by much regulation when it comes to protecting private information. The European Union is further ahead with the General Data Protection Regulation that takes effect next year, setting some minimum requirements on companies to protect private data and warn those affected when a breach occurs.
As companies begin to recognize heightened expectations in the United States, auditors say the AICPA reporting framework would give companies a leg up on their competitors in demonstrating a proactive approach. Bialik says he sees a few reasons that explain why companies are starting to show an interest in the voluntary measure.
[Chart: cyber-security trends among public company boards. Source: BDO USA]
First, it would answer questions companies are facing from the board room. A formal report to the board might answer even the most progressive questions on the subject. It would also answer questions companies may get from their regulators, depending on their particular sector. “Providing a report with an opinion from an accounting firm gives it a little more credence than an internal assessment by the company itself,” says Bialik. Companies might even find they’ll get a reduction in their cyber-insurance premiums if they can show an insurer a robust report on the approach they’re taking, he says.
Finally, it could make for an efficient way to answer what might be a long list of stakeholders who want to know what a company is doing to protect its information. “A lot of companies say they’re being asked these questions a hundred different times by various customers,” says Bialik. “If I can give them this report, maybe I don’t have to get all these questions and questionnaires, and maybe they won’t audit me.”
It’s similar to the third-party assurance many companies provide via “SOC” reports to customers or vendors on the soundness of internal controls for Sarbanes-Oxley purposes. Companies that rely on third parties for things like payroll or other critical services need those SOC reports to roll up into their own attestations on internal controls.
In fact, auditors are even calling the new reporting framework “SOC for cyber-security,” although the SOC stands for “system and organization controls” for cyber-purposes rather than “service organization controls” for financial reporting purposes.
Carlin says the framework will be useful to boards in helping them understand the scope of their duties with respect to cyber-threats. It might even become the basis for what companies should reasonably be expected to do as cases are litigated and regulations eventually come into play. “It helps set the floor,” he says. “It helps define reasonableness.”
The BDO survey suggests companies struggle with how to report events that have occurred, let alone the state of a company’s readiness to protect against and respond to a cyber-hack. Industry data, for example, suggests ransomware attacks are up sevenfold in the past three years, says BDO’s Garrett, but the poll of corporate directors suggests ransomware attacks have been relatively flat. “I’m concerned board members are not aware or are not accurately reporting that a company’s been breached,” he says.
Large companies are already interacting with accounting firms to achieve compliance with regulations like Sarbanes-Oxley that require a security framework for financial reporting purposes, so the AICPA framework on cyber-security would extend the dialogue, says Richard Stiennon, chief strategy officer of Blancco Technology Group and director of the International Data Sanitization Consortium.
As such, the new framework will be especially useful in getting small and medium-sized businesses to be more proactive in protecting data. “The AICPA’s cyber-framework will create pressure on all businesses to make decisions about security at the very top of the organization, where the CEO, legal, and CFO reside,” he says.