COSO is urging public companies to take a look at its frameworks with not just financial controls and risks in mind, but cyber-security as well.
Developed with the help of cyber experts at Deloitte, COSO released a report explaining how its 2013 Internal Control -- Integrated Framework and its 2004 Enterprise Risk Management -- Integrated Framework can be useful in assessing and responding to cyber-security risks. The paper explains how the five components of internal control apply to the assessment of cyber risks, with detailed discussion particularly around how the principles underlying the risk assessment, control activities, and information and communication components can be leveraged.
Consistent with the COSO model, the paper emphasizes that not every risk can be mitigated to zero. “Cyber risk is not something that can be avoided,” the paper says. “Instead it must be managed. It is clear that protecting all data is not possible, particularly considering how an organization’s objectives, processes, and technology will continue to evolve to support its operations.”
The paper also gives a brief history of how, and how quickly, cyber-security has become a concern, says Robert Hirth, chairman of COSO. “You have to realize that you can’t control everything,” he says. “But you have to determine what’s important, triage and prioritize the risks, and make sure you’re protecting the most important information in the most robust way.”
The paper walks companies through key questions the organization should be exploring: Are we focused on the right things? Are we proactive or reactive? Are we adapting to change? Do we have the right talent? Are we incentivizing openness and collaboration? Can executive management articulate its cyber risks and explain its approach and response to such risks?
Prioritizing is critical, Hirth says, because companies don’t have unlimited resources to protect against cyber risks. “That’s the whole risk assessment process,” he says. “What are the crown jewels in the organization? There is a lot of information, and a lot of technology-related things that need to be done. We see this as a way to get started, whether you’re a Fortune 10 organization or a small private company. Everyone has valuable information in their technology systems.”