Evolving Cybersecurity Risks
Awareness continues to grow around the evolving cybersecurity threats to companies. Given the immense scale and complexity of the cybersecurity challenge, every sector of the global economy must do their part to promote cybersecurity resilience.
Global International Management, LLC is in a strong position to play an important role in fostering instructive conversations about cybersecurity risk management, bringing to bear our core values—including independence, objectivity, and skepticism—as well as our deep expertise and skills in providing independent evaluations in a variety of contexts.
Our Approach to Addressing Cybersecurity Risk Management Programs
3 Key Components:
- Management’s Description
- Management’s Assertion
- CPA’s Opinion
Entity-Level Cybersecurity Reporting Framework
In response to growing challenges related to cybersecurity risk management, the American Institute of CPAs (AICPA) developed an entity-level cybersecurity reporting framework that organizations can use to communicate useful information about their cybersecurity risk management program to a broad range of stakeholders. The reporting framework provides users with three key pieces of information that can be used to assist boards of directors, senior management, and other pertinent stakeholders as they evaluate the effectiveness of their organization’s cybersecurity risk management program.
There are three key components of the reporting framework that can assist stakeholders in understanding an entity’s cybersecurity risk management program.
1. Management’s Description of the entity’s cybersecurity risk management program. Management provides potential users with a description of the entity’s cybersecurity risk management program. Management uses suitable description criteria in developing Management’s Description of the subject matter, and CPAs use the same criteria when evaluating the description. One such set of suitable criteria is the AICPA Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program.
Management’s Description is intended to provide the context needed for users to understand the conclusions expressed by management in its assertion, and by the auditor in its report.
2. Management’s Assertion. Management asserts whether Management’s Description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria, and whether the controls within the cybersecurity risk management program were effective in achieving the entity’s cybersecurity objectives based on a suitable set of control criteria. The Trust Services Criteria (criteria for security, availability, and confidentiality) have been designed to be suitable control criteria.
3. The CPA’s Opinion. The CPA’s Report contains an opinion on the description of the entity’s cybersecurity risk management program and the effectiveness of the controls within the program to meet the entity’s cybersecurity objectives.
While companies may not implement all three components of the reporting framework at once, the public accounting profession believes that when an entity provides information to stakeholders—such as the board of directors or audit committees—to enable decision making, it is not enough to provide them merely with information. Decision makers need confidence that the information they have been provided is presented in accordance with suitable criteria. The third component described above in the AICPA’s cybersecurity reporting framework, the CPA’s opinion, can enhance confidence in the cybersecurity information prepared and presented by management.
Global International Management will perform a Cybersecurity Risk Management Examination (“Examination”), in accordance with AICPA attestation standards, to provide an opinion on Management’s Description and on the effectiveness of the controls implemented as part of the cybersecurity risk management program.
For those companies that are not ready for an attestation Examination, the AICPA’s cybersecurity reporting framework can be used for a non-attestation cybersecurity engagement, such as a readiness engagement.
Cybersecurity – How can we help?
In our ongoing efforts to ensure that we provide our clients with the most relevant and timely services, Global International Management, LLC has developed a cybersecurity practice that can help our clients identify, evaluate, measure, and manage cybersecurity risks. As potentially damaging cyberattacks continue to affect more organizations, and as news about cybersecurity, hacking, ransomware, and data breaches increases, you may have found yourself wondering about your organization’s susceptibility.
To start the conversation, here are the top things your organization should consider:
- Have we identified all the types of sensitive data in our organization, and do we have an inventory of where that data resides?
- How well-protected is our high value and sensitive information?
- How often do we assess our susceptibility to compromise, and what were the results of the most recent test?
- How quickly would we know if we had a security breach?
- Do we have a plan of action in place in the event of a breach?
- Do our cybersecurity functions have access to adequate resources?
If you are not comfortable with the answers to these questions, or if you have customers and vendors who are asking these questions about your organization, Global International Management, LLC can help you gain confidence about your organization’s cybersecurity posture, and help you make well-informed decisions about how best to address your security risks. Our team can help you remove cybersecurity from the list of things that keep you up at night.
We welcome the opportunity to meet with you to hear about your organization’s cybersecurity efforts, and tell you more about our firm’s cybersecurity services. Please feel free to contact us to schedule a meeting.