The American Institute of Certified Public Accountants (AICPA) has recently released an exposure draft (Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program) for cybersecurity risk management program examination, in addition to a draft of revised Trust Services Principles Criteria (“TSP”). The cybersecurity risk management examination is a new attest standard in addition to the Service Organization Control (“SOC”) 2 reports that you may already be familiar with. SOC2 reports provide an auditors opinion over the design and operating effectiveness of an organizations controls to meet one or more of security, availability, confidentiality, and processing integrity principles as defined by the TSP. The TSP defines the criteria to be met by each of the aforementioned principles. The updated TSP have been aligned with the 17 principles of Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) 2013 internal control framework. These proposals are open for public comment until December 5th, so it is unlikely that the attestation standard and TSP revisions will be available for use in reports until 2018.
One clear benefit of the new cybersecurity risk management examination criteria is that it allows organizations to choose the information security management framework to report on, rather than mapping your preferred standard to the TSP. This allows organizations that have designed their information security management framework around ISO 27001 or National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to report on the framework that they use.
Considering all of the cybersecurity breaches that have occurred in recent years, it should come as no surprise that new regulations are on the horizon. The New York Department of Financial Services (DFS) and the Society for Worldwide Interbank Financial Telecommunications (SWIFT) both recently released new draft cybersecurity rules that will impact many financial institutions and their service providers. The DFS rules call for an annual certification similar to Sarbanes-Oxley, and the SWIFT rules require that organizations self-attest to their compliance annually. Both regulations extend requirements to service providers, and SWIFT also calls for its user organizations to have access to each other’s compliance reports in order to evaluate counter party risk. Inspections are expected to begin in January 2018.
The AICPA’s new cybersecurity risk management examination is well positioned to meet the needs of organizations that may be required to comply with these new regulations. Whether it be service providers that need to provide assurance to their customers over their compliance with these regulations, or officers at these organizations that desire an independent third party examination before certifying that their organization is compliant.
If these regulations affect your organization, then consider performing an assessment utilizing the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Self-Assessment. The Financial Services Information Sharing and Analysis Center (“FS-ISAC”) has made an automated version of the FFIEC self-assessment available on their website. It’s important to note that the assessment is based upon maturity levels, so all 494 questions may not apply to your organization based upon the inherent risk profile.
Whitley Penn’s Risk Advisory Services team can help improve your information security program by performing the cybersecurity assessment and examination. Our Risk Advisory Services team can also perform IT control reviews, vulnerability scanning, and penetration testing to test the effectiveness of your information security program. To learn more about how Whitley Penn can assist in developing, assessing, or auditing your information security and anti-fraud controls, please visit our website or contact Scott Geye at email@example.com or 214-393-9592.