As cyber-security works its way onto the corporate board agenda, COSO is suggesting ways its internal control and risk-management frameworks can be a starting point for companies to anticipate fast-emerging risks.
“One of the key risks I see with cyber-security is that oftentimes the conversation isn’t started at the top of the organization,” says Sandra Richtermeyer, a COSO board member representing the Institute of Management Accountants. The COSO frameworks give directors and senior management a process for defining and addressing cyber-risks not just within IT, but throughout the organization, she says. “You can’t assume all of that’s happening in the middle of the organization. It has to start from the top down.”
COSO recently published a paper explaining how companies can manage cyber-risks by assessing and addressing them via the “COSO cube,” which is the foundation of COSO’s Internal Control—Integrated Framework, updated in 2013 to reflect modern business environments. The internal control framework is most familiar to public companies as a way to comply with Sarbanes-Oxley reporting requirements for internal control over financial reporting, but as COSO often points out, its applicability is not limited to financial controls.
In the control environment, for example (the first of the five components of the COSO model), the new COSO paper asks companies to evaluate whether the board of directors understands the cyber-risks and whether they are informed on how the company is managing them. The guidance then walks through the other four components (risk assessment, control activities, information and communication, and monitoring activities) to explain how each area can focus on cyber-security issues and the controls necessary to manage them.
Looking at cyber-risks through the COSO lens allows directors and senior management to communicate their objectives, their view of critical information systems, and their risk tolerances. “This enables others within the organization, including IT personnel, to perform a detailed cyber-risk analysis by evaluating the information systems that are most likely to be targeted by attackers, the likely attack methods, and the points of intended exploitation,” COSO says. “In turn, appropriate control activities can be put into place to address such risks.”
Mike Rose, a partner at Grant Thornton and co-leader of the GRC practice, says leveraging the COSO internal control framework to assess cyber-risks would give directors a mechanism for overseeing, assessing, and managing cyber risks. “Just as the board is responsible for enterprise risk management, this is very similar,” he says.
Considering the proliferation of technology in business, boards have plenty of risks to assess. Rose suggests a company start by identifying its “highest-risk information,” which might be anything from intellectual property to customers’ personal data. “Then you have to look at the systems and applications storing that information. What are your threats and vulnerabilities?”
Below, COSO outlines how to use its 17 principles to mitigate cyber-risk.
As an output of the objectives identified as a result of applying Principle 6, an organization should have a clear understanding of the information systems critical to the achievement of its objectives. Applying Principle 7 and Principle 8 then takes the risk assessment deeper and leads the organization to assess the severity and likelihood of cyber-risk impacts. When led by senior management, through collaboration with business and IT stakeholders, an organization is positioned to evaluate the risks that could impact the achievement of its objectives across the entity.
To be effective in the risk assessment process, individuals who are involved must have an understanding of the organization’s cyber-risk profile. This involves understanding what information systems are valuable to perpetrators of cyber-attacks, and understanding how these attacks are likely to occur. The costliest attacks tend to be the ones that are highly targeted at an organization for specific reasons.
Organizations should be vigilant about understanding their particular cyber-threat profile. Being vigilant means establishing threat awareness throughout the organization and developing the capacity to detect patterns of behavior that may indicate, or even predict, compromise of critical assets. Organizations must incorporate this profile into their overall risk assessment process in order to understand where controls should be placed to keep those assets secure.
It is also important to apply an industry lens to cyber-risks versus just looking broadly at cyber-risks. The perpetrators of cyber-attacks have unique objectives that differ between industry sectors. For example, in the retail sector, organized criminals are the most likely attackers, focused primarily on exploiting vulnerabilities in systems that contain information that can be used for profit (e.g., credit card data or Personally Identifiable Information (PII)). Alternatively, the oil and gas industry might be targeted by nation states with a motive to steal strategic data about future exploration sites. Chemical companies may find themselves targeted by hacktivists because of perceived environmental issues around their products.
Regardless of their motives, cyber-attackers are relentless, sophisticated, and patient. They will stage attacks over time by gathering information that will expose weaknesses within the organization’s information systems and internal controls. Through careful evaluation of the motives and likely attack methods and the techniques, tools, and processes (TTPs) the attackers may use, the organization can better anticipate what might occur and be in a position to design controls that are highly effective in minimizing the disruption of potential cyber-attacks and keeping highly valued assets secure.
Change is certain in any organization and should be anticipated in the performance of cyber-risk assessments. The organization will evolve, which includes changes to its objectives, people, processes, and technologies. The cyber-landscape will also change, which includes new perpetrators of cyber-attacks along with new methods of exploitation. While cyber-risk assessments generally reflect the current state of the organization, the process must be both dynamic and iterative and consider internal and external threat changes that could trigger the need to change how the organization manages its cyber-risks.
Business and technology innovations are adopted by organizations in their quest for growth, innovation, and cost optimization. However, such innovations also create exposure to new cyber-risks. For example, the continued adoption of Web, mobile, cloud, and social media technologies has increased the opportunity for exploitation by the perpetrators of cyber-attacks. Similarly, outsourcing, offshoring, and third-party contracting have exposed organizations to potential cyber-vulnerabilities that are ultimately outside of the organization’s control. These trends have resulted in the development of cyber-ecosystems that provide a broad attack surface for the perpetrators to exploit.
The assessment of changes that could have an impact on the system of internal control should include considerations regarding changes in personnel. Turnover of personnel at operational levels of the organization can have a significant impact on the organization’s ability to effectively perform the control responsibilities that are designed to minimize the potential impacts of cyber-attacks.
Risk assessments should be updated on a continuous basis to reflect changes that could impact an organization’s deployment of cyber-controls to protect its most critical information systems. As information is generated from the vigilant monitoring of the changing threat landscape and the risk assessment process, senior executives and other stakeholders must share and discuss this information to make informed decisions on how to best protect the organization against exposure to cyber-risks.
Other Paths to Try
Dave Roath, a risk assurance partner with PwC, does see benefit in using the COSO frameworks, but says companies probably shouldn’t rely on them exclusively to manage cyber-risks. “No one framework is right for every company,” he says.
Roath points to several alternatives: the Framework for Improving Critical Infrastructure Cyber-security, published in 2014 by the National Institute of Standards and Technology; COBIT, a more mature framework for IT governance; and the ISO 27001 and 27002 standards published by the International Organization for Standardization.
“There are so many different elements within a security framework that companies need to worry about,” he says. “You need bits and pieces of each of those frameworks to define the risk profile and understand what your crown jewels are.”
Companies have no specific regulatory mandate at this point to use any framework to assess cyber-risks. Still, the NIST framework was born from an executive order from President Obama in early 2013, and Obama called for more steps to improve cyber-security during his State of the Union address just last week. The Securities and Exchange Commission also requires companies to disclose cyber-security risks (although it doesn’t specify how), and indicated cyber-security will be a top concern during its 2015 examination priorities for broker-dealers and investment advisers.
In other words, “There’s definitely a focus on setting a tone that says this is a serious risk and it needs to be managed,” says Erin Mackler, senior technical manager at the American Institute of Certified Public Accountants.
PwC took the pulse of corporate readiness to do battle with cyber-threats in 2014, and found companies are “all over the board,” Roath says. “It’s very different based on the industry or sector that a company is in and the size of the company.” Companies in financial and defense sectors were more prepared, he said. “They have a much higher degree of spend on security and are much better controlled. Midsize companies tend to be fairly insecure.”
Companies are starting to tune into the risks, says Andrew Wallace, a risk assurance partner for PwC. Asked today whether they would rate their readiness to withstand a cyber-attack differently than they would have even a year ago, he says, companies would answer differently. “They would have given themselves a far higher score in the past than they would now, not because they’ve experienced an event, but because they have seen peers experience these breaches.”
Phil Roush, vice president of finance at SanDisk Corp. and vice-chair of a GRC sub-committee at Financial Executives International, says companies that use the COSO frameworks to assess their cyber-risks should take care to assess both the “inside out” and “outside in” risks.
“Inside out deals with employees,” he says: namely, how they communicate and what tools they use that might open the door to hackers. Outside-in, meanwhile, “are your vendors, customers, contract manufacturers—all the groups in your ecosystem. How do they get into your network? How do you restrict where they go and what access they have?”
Bill Watts, partner in charge of business risk services at Crowe Horwath, says using a framework like COSO’s would let companies still mastering cyber-security take more initiative. “In the past, it’s been a very reactive approach to cyber-security, patching leaks in the dam,” he says. “The COSO frameworks are broad enough to apply to a lot of different things, including cyber-security. It gives you a formal structure to give people guidance and put a program in place that’s proactive.”