Introducing SOC for Cybersecurity: Translating Cyber Risk for Every Stakeholder

June 2017

A new reporting framework for cyber risk management

What You Need to Know

  • On April 26, the American Institute of CPAs (AICPA) launched a new voluntary framework to standardize reporting on the effectiveness of an entity’s cyber risk management controls.
  • The framework is a key component of a new System and Organization Controls (SOC) attestation, SOC for Cybersecurity.

What It Means for You

  • Working with an outside advisor, organizations can use the framework in three important ways:
  1. To perform a cyber risk assessment and gap analysis.
  2. To undertake an examination-level attestation engagement.
  3. To design a comprehensive risk-based cybersecurity program.

On Friday, May 12, a massive ransomware cyberattack swept the world, impacting hundreds of thousands of computers at organizations in more than 150 countries. The biggest culprit behind the attack? Human negligence.
Blame IT, blame the employee who fell for the cleverly worded social engineering email—but the truth is that the effectiveness (or ineffectiveness) of cybersecurity risk management is a firm-wide responsibility. The challenge is cyber literacy: How do you galvanize your entire organization to prioritize cybersecurity when you lack a common language?
Businesses have a cyber communication problem—which is the impetus behind the AICPA’s new cyber risk management framework. Officially unveiled on April 26, the framework is intended to standardize the way organizations define their cyber objectives and report against them, establishing a common, underlying language to quantify cyber risk.
The sections below explore BDO’s insights on the AICPA’s new cyber risk management framework and SOC reporting:

SOC Reporting Guide: Which SOC is Right for You?

SOC for Cybersecurity (NEW)
  • What It Covers: Cyber controls as described by an organization’s enterprise-wide cyber risk management program.
  • Report Components: A description of the entity’s cyber risk management program (based on description criteria). Opinion on the effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.
  • Intended Usage: General use—management and board members, analysts, investors, clients/prospects, business partners and industry regulators.
  • Distribution: Unrestricted

SOC 1
  • What It Covers: Controls at a service organization relevant to user entities’ (clients or prospects) internal controls over financial reporting.
  • Report Components: A description of the service organization’s system. Opinion on the fairness of the presentation of management’s description of the system and the suitability of the design of the controls (Type 1). Type 2 reports also provide an opinion on the operating effectiveness of the controls, including a detailed description of tests of controls performed by the service auditor, and the results of those tests.
  • Intended Usage: Service organization’s management, user entities’ management, user entities’ financial auditors.
  • Distribution: Restricted

SOC 2
  • What It Covers: Controls over the security, availability, and processing integrity of a system, or the privacy or confidentiality of information processed by the system.
  • Report Components: A description of the service organization’s system. Opinion on the fairness of the presentation of management’s description of the system and the suitability of the design of the controls (Type 1). Type 2 reports also provide an opinion on the operating effectiveness of the controls, including a detailed description of tests of controls performed by the service auditor, and the results of those tests.
  • Intended Usage: Same as SOC 1, plus “knowledgeable parties”—informed stakeholders, including appropriate business partners, prospective customers, vendor management executives and regulators.
  • Distribution: Restricted

SOC 3
  • What It Covers: Same as SOC 2.
  • Report Components: Opinion, based on an unaudited description of the service organization’s system, on whether the entity maintained effective controls as they relate to the principle being reported on.
  • Intended Usage: General use.
  • Distribution: Unrestricted

Benefits of SOC Reporting

The AICPA’s new cyber attestation engagement is a critical addition to its suite of System and Organization Controls (SOC) reporting frameworks. Through a SOC engagement, a CPA provides an opinion on a service organization’s system controls (SOC 1, 2 and 3) or on entity-wide controls (SOC for cybersecurity). Undertaking SOC attestation provides numerous benefits:
  • Build trust with current customers and prospects. Most large organizations partner with hundreds or even thousands of outside service providers, and auditing each vendor one-by-one would be time-consuming, inefficient and disruptive to both parties. SOC reports can also be a component of the RFP process—some companies demand them as a condition of participating.
  • Validate your risk management model and prove your business value. Other company stakeholders and prospective investors look for SOC attestation as a good measure of corporate health when they contemplate or plan an exit strategy, such as an initial public offering or a sale to a strategic buyer. Companies inherit the risk of their target following an acquisition, and many include SOC queries in their due diligence. Investors, too, look at the effectiveness of enterprise risk management programs as a critical indicator of shareholder value.
  • Find (and close) the gaps. Having a third party examine an organization’s controls and activities provides peace of mind about whether the controls are functioning as expected, and how they can be improved. Going through the SOC process is a visible sign of “good health.” It can also indicate where and when there are breakdowns in the controls that could possibly lead to a breach, fraud or other problems, so the organization can address them as soon as they are identified.

Using the AICPA Cyber Risk Management Framework

Program Design

The AICPA’s Assurance Services Executive Committee (ASEC), through its Cybersecurity Working Group (BDO is a member), has developed a set of benchmarks, known as description criteria, that organizations can use as guiding principles to define their cybersecurity objectives and design a corresponding cyber risk management program to meet those objectives. The common language established by the framework standardizes the codification and communication of existing cyber policies, procedures and controls, increasing transparency inside and outside the organization. At the same time, the flexibility of the AICPA risk management framework enables companies to account for nuance and incorporate industry-specific considerations or additional criteria.

Readiness Assessment & Gap Analysis

The framework can also be used to benchmark the current state of an organization’s cyber program. A SOC for Cybersecurity readiness assessment can help organizations identify deficient or insufficient controls, policies and procedures, and quantify cyber risk against a standard set of criteria. This gap analysis can be used to develop remediation strategies or reprioritize cyber investments. For organizations considering a SOC for Cybersecurity attestation engagement, a readiness assessment is key to understanding their level of preparedness and preemptively addressing any issues that could result in a qualified opinion from the auditor.

Independent Cyber Risk Examination

An independent cyber risk examination can be used to provide an unbiased, third-party assessment of the design and operating effectiveness of internal controls. The SOC for Cybersecurity examination combines cyber-savvy with the discipline of an external audit process, expanding assessment beyond the financial impacts and to the enterprise risk management level. An independent cyber risk assessment that meets the rigors of SOC attestation provides a higher level of assurance to management and the board, as well as interested outside parties. The attestation can also be used to inform a cyber liability insurance policy.

The CPA’s Role in Cyber

A cyber risk audit is a natural extension of the work CPAs are already trained to do: We look at controls and processes and quantify risk in a standardized way. In our traditional attestation work, we’re already assessing cyber risk in terms of the potential financial impacts. Now, we’re looking a level deeper, examining cyber controls not just in terms of financial risk, but also in terms of the extent to which they serve an entity’s IT and cyber objectives.
The traditional CPA skillset in isolation is, frankly, ill-suited to the task. To assess cyber risk in a meaningful way, you also need people who can look at an organization through an IT lens. The AICPA’s new framework goes a long way towards establishing a common language for cybersecurity risk management and reporting. But applying the framework requires an understanding of industry nuances and information governance, as well as the ability to think like a hacker. Organizations considering a third-party cyber risk assessment should work with a team that brings the best of both worlds.
The AICPA’s reporting framework comes on the heels of increasing scrutiny from state and federal regulators. Consider the recently announced cyber regulation from the New York Department of Financial Services, which, among other mandates, requires covered institutions to submit an annual certification of compliance, along with supporting documents. Regulated entities need to design a cybersecurity risk management program that satisfies all compliance and reporting requirements. By extension, third-party vendors to those regulated entities will be asked to meet the same higher standard.
Adopting the AICPA’s cyber risk management reporting framework is currently best practice, but in the not-so-distant future, we predict standardized cyber reporting will become mandatory for public companies in the same vein as Sarbanes-Oxley compliance. Companies that are ahead of the curve will have a leg up on the competition.
For more information on BDO’s cyber risk management advisory and attestation service offerings, please visit: