Audit committees and the financial executives who interface with them (e.g., CFOs, controllers, CPAs, internal auditors, business line managers) continue to devote significant attention to cybersecurity risks. Although many components of cybersecurity risks originate with technology, these executives and other stakeholders (including customers, regulators, investors, employees, and financiers) recognize that these risks should be managed as business rather than technology issues, making the need for the involvement of financial executives and CPAs more apparent.
Many CPA firms, professional associations, and industry groups have published thought papers supporting the need for financial executives to apply their expertise to help manage and communicate technology risks. A white paper based on a survey of 98 members of Financial Executives International (FEI) and Grant Thornton clients concluded that “the CFO is often expected to assess cybersecurity risks, align cybersecurity strategy with business strategy, and get buy-in from the board on necessary cybersecurity investments” (“The CFO’s Role in Cybersecurity,” The Financial Executive Research Foundation and Grant Thornton, 2015, http://gt-us.co/1XjftqS).
Generally, the evolution of technology and the increased reliance of businesses on that technology drives this concern. Despite the modern twists and technical language, cybersecurity risks are somewhat similar to traditional business risks that organizations faced in the pre-automated, pre-Internet world. Accountability for custodianship of assets, authorization of transactions, and recordkeeping of activities have traditionally been used to ensure that the information used and reported by the business was valid, complete, and accurate. The same is true in an electronic environment; the threats specific to that environment, however, are different, and require adaptation of traditional internal control strategies. Such threats include the use of automation to incur greater losses in a shorter period of time, reliance on outside parties to safeguard data (customer or company) and reputation, the evolution of insurance strategies to help transfer risk, aggressive stakeholder lawsuits, and increasing regulatory expectations. In addition, the assumption that a breach will occur, regardless of attempts to stop it, changes the dynamic of managing cybersecurity from a financial perspective.
Unfortunately for many financial executives and audit committees, the tools used to communicate cybersecurity risks and mitigation strategies with stakeholders are not as mature, well-understood, or recognized as traditional tools. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a thought paper to provide direction on how the Internal Control – Integrated Framework (2013) and the Enterprise Risk Management – Integrated Framework (2004) can help organizations effectively and efficiently evaluate and manage cyber risks (Mary E. Galligan and Kelly Rau, “COSO in the Cyber Age,” research commissioned by COSO and authored by Deloitte, 2015, http://bit.ly/1XjhIL0). The thought paper laid the foundation for looking at cybersecurity as a risk management issue requiring the appropriate balance of compensating and mitigating controls. The benefits of using the COSO approach include communicating business objectives, risk tolerances, gap analysis, and remediation prioritization.
Cybersecurity risks and many of the technology-based controls used to mitigate these risks must be translated into a language that can be easily understood by those charged with governance and those implementing and managing business objectives. But cybercrime also needs to be recognized for what it really is—a type of fraud. According to Managing the Business Risk of Fraud: A Practical Guide, fraud is “any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain” (IIA, AICPA and ACFE, 2008, http://bit.ly/23eKbIR). Based on this definition, cybersecurity risks must be considered in terms of technology, business (including finance, service delivery, customer acquisition, and relationships), and fraud; however, many current assessments continue to examine and report on cybersecurity threats as if they are one-dimensional.
Performing a Risk Assessment
The first and most important strategy in managing cybersecurity risk is to ensure that the organization fully understands how technology facilitates the achievement of its business objectives and what its tolerance is for suffering technology-related losses. To properly allocate funds and management time in mitigating the risk, executives and board members must fully understand the threats they face and the costs that will be incurred.
Some businesses are already required to comply with established requirements. For example, small businesses accepting credit card payments must comply with the Payment Card Industry Security Standards, and healthcare providers, including medical practitioners and their service providers, must comply with the Health Insurance Portability and Accountability Act. Others, such as financial institutions and companies dealing with child privacy–related issues, may need to follow bank regulatory [e.g., Federal Financial Institutions Examination Council (FFIEC)] and Federal Trade Commission (FTC) requirements.
Most of the regulatory requirements identified above require that a risk assessment be performed. Although specific procedures are not always given, the intention is to provide a mechanism for the business to self-assess its risk mitigation strategies. Usually these assessments are performed against a recognized framework that allows the organization to demonstrate appropriate due diligence if the need arises (e.g., lawsuit or regulatory inquiry).
Audit committee members can determine the quality of the risk assessments performed by management by considering the issues identified by the assessments. The probability of not identifying any issues is very remote, and such a failure should bring into question the quality and usefulness of the assessment itself. The resulting report on the risk assessment will facilitate the discussion amongst audit committee members. It could incorporate such factors as each stage of the business cycle’s reliance on technology, the presence of proprietary data, applicable regulations, and the sufficiency of current risk practices. Exhibit 1 shows a sample report.
EXHIBIT 1
Translating Critical Security Controls (CSC) into Business Issues
To ensure appropriate consideration of threats, financial executives may choose to leverage the traditional fraud triangle (and related derivatives). These tools help identify potential sources of threats by better understanding the motivation and rationalization behind fraud. Realistically, however, implementing practices that can reduce the opportunity for attackers is often the only part of the fraud triangle that financial executives can manage, monitor, and report on.
Choosing What to Protect
Sadly, protecting every part of an organization is too costly to be practical. Therefore, appropriately identifying and managing threats and ensuring that the risks associated with these threats are managed in accordance with the organization’s business objectives and risk tolerances is key. A recent report from Verizon explored the company’s history of client security incidents and the response team’s investigations and lessons learned (“Data Breach Digest,” Verizon Enterprise Solutions, 2016, http://vz.to/1RZHfrb). According to the report, “18 cybercrime case studies were chosen to represent the most common and destructive types of incidents that we’ve seen over the last eight years. For each incident, we reveal the events leading up to the breach, details of the investigation, and how we helped the organization recover. We also rank each of the 18 types of attack, explain who’s at risk, and describe what steps you can take to better protect your organization.” The report also provides guidance on how to mitigate the risk. Each of the scenarios presented is accompanied by an attack/defend card that includes, amongst other things, which of the Center for Internet Security Critical Security Controls can be implemented to reduce the identified threat. (Formerly known as the SANS 20, these controls have long been recognized by the cybersecurity community as important tools to mitigate risk.) A similar list developed by the Australian Department of Defence found that “at least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions” (“Strategies to Mitigate Targeted Cyber Intrusions,” 2014, http://bit.ly/1NaNc0d). Ideally, these two critical reports should be integrated into the organization’s information technology (or cybersecurity) risk assessment.
Summary results presented to the board or executive management could include the degree of the threat, any mitigating controls, the extent of the mitigation, any further solutions that should be implemented, and estimated time and costs required. (The Verizon report can serve as a useful model.)
In her recent Data Breach Report, California Attorney General Kamala Harris also recommended the Critical Security Controls (http://bit.ly/1RZIQgB), saying that “the 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all of the controls that apply to an organization’s environment constitutes a lack of reasonable security.” The attorney general also reminded readers that “California’s information security statute requires businesses to use ‘reasonable security procedures and practices … to protect personal information from unauthorized access, destruction, use, modification, or disclosure.’” Several California businesses have taken this to mean that they should incorporate the Critical Security Controls into their overall assessment and reporting strategies.
Some audit committees continue to be challenged by the technical nature of the Critical Security Controls and use this as an excuse for not questioning management as to the extent to which the controls have been implemented and are functioning. Each of the first five controls, however, can be translated into business issues that audit committee members and financial executives are very comfortable with—further confirming that, at their core, cybersecurity controls are fundamental business management controls. Exhibit 1 illustrates the relationship between the controls, management’s possible questions, current gaps, the overall residual risk level, and the planned remediation date, providing a tool to govern cybersecurity while minimizing technical jargon.
The Role of Vulnerability Testing
Microsoft defines a security vulnerability as “a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of that product” (“Definition of a Security Vulnerability,” http://bit.ly/1Wf1cgA). Management of vulnerabilities is critical in promoting a secure environment, but because of the vast number of vulnerabilities, organizations always seem to be behind in remediating them. Policies should be established that specify timely remediation.
The executive summary of the “Verizon 2015 Data Breach Investigation Report,” a well-recognized annual report of actual security incidents contributed to by over 70 organizations, “found that ten vulnerabilities accounted for almost 97% of the exploits in 2014. The remaining 3% consists of 7,000,000 other vulnerabilities. Most attacks exploited known vulnerabilities where a patch has been available for months, often years. Of the vulnerabilities detected in 2014, we found more dating back to 2007 than from any year since” (http://vz.to/22fg3aw, free registration required). The report also stated that “99.9% of the exploited vulnerabilities were compromised more than a year after the CVE [Common Vulnerabilities and Exposures] was published.” Given these statistics, remediation of vulnerabilities is critical and warrants appropriate governance oversight.
Unfortunately, many current practices for communicating with audit committees do not facilitate such a review. Most committees receive a thick report full of technical jargon, with at best an executive summary identifying the number of high, medium, and low vulnerabilities. Exhibits 2 and 3 may help facilitate communicating management’s ability to resolve vulnerabilities in a timely manner. Exhibit 2 leverages the 30-day aging analysis typically used for accounts receivable in order to visualize outstanding vulnerabilities by risk level (i.e., higher-risk vulnerabilities must generally be remediated in a shorter time frame, so the same number of days overdue is more serious for a high-risk finding). Ideally, management should provide the audit committee with written explanations for any delays, as well as compensating controls. The organization can also present the information based on its data classification policy (e.g., classifying data and servers as high, medium, or low) and only present results for high-ranked resources.
EXHIBIT 2
Outstanding Vulnerabilities by Risk Level and Time Overdue for Remediation
EXHIBIT 3
Top Vulnerabilities
Many vulnerability tools provide the capability of running scans based on the “most popular” or “top” vulnerabilities. Exhibit 3 shows such vulnerabilities, the percentage of high-risk assets impacted, whether the vulnerabilities can actually be exploited, and the date by which management commits to remediate them.
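As an added example (not from the article or its exhibits), both the aging schedule of Exhibit 2 and the percentage of high-ranked assets impacted from Exhibit 3 can be produced directly from a scanner export once each finding carries a risk level and a discovery date. The SLA days per risk level, the bucket boundaries, the finding identifiers, asset names and dates below are all constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation policy: days allowed from discovery, by risk level.
SLA_DAYS = {"high": 30, "medium": 60, "low": 90}
# Aging buckets (upper bound in days overdue), as in an A/R aging schedule.
BUCKETS = ((30, "1-30"), (60, "31-60"), (90, "61-90"), (None, ">90"))
AS_OF = date(2016, 6, 30)   # constructed reporting date for the audit committee
@dataclass(frozen=True)
class Finding:
    vuln_id: str              # constructed placeholder identifier
    asset: str
    risk: str                 # "high", "medium" or "low"
    discovered: date
    remediated: date = None   # None while the finding is still open

def days_overdue(f, as_of):
    """Days past the SLA deadline; 0 if already fixed or not yet due."""
    if f.remediated is not None:
        return 0
    due = f.discovered + timedelta(days=SLA_DAYS[f.risk])
    return max(0, (as_of - due).days)

def ageing_report(findings, as_of):
    """Exhibit 2: open overdue findings counted by risk level and aging bucket."""
    report = {r: {label: 0 for _, label in BUCKETS} for r in SLA_DAYS}
    for f in findings:
        overdue = days_overdue(f, as_of)
        if overdue > 0:
            label = next(lb for up, lb in BUCKETS if up is None or overdue <= up)
            report[f.risk][label] += 1
    return report

def high_asset_exposure(findings, high_assets):
    """Exhibit 3: % of high-ranked assets with an open finding, per vulnerability."""
    hit = {}
    for f in findings:
        if f.remediated is None and f.asset in high_assets:
            hit.setdefault(f.vuln_id, set()).add(f.asset)
    return {v: round(100 * len(a) / len(high_assets), 1) for v, a in hit.items()}
# Constructed sample: a scanner export with one remediated and four open findings.
SAMPLE = [
    Finding("VULN-A", "web-01", "high", date(2016, 4, 1)),
    Finding("VULN-A", "web-02", "high", date(2016, 6, 15)),
    Finding("VULN-A", "web-03", "high", date(2016, 3, 1), date(2016, 3, 20)),
    Finding("VULN-B", "db-01", "medium", date(2016, 1, 10)),
    Finding("VULN-C", "file-01", "low", date(2016, 2, 1)),
]
HIGH_ASSETS = {"web-01", "web-02", "web-03", "db-01"}
```

With the sample above, `ageing_report(SAMPLE, AS_OF)` places one high and one low finding in the 31-60 day bucket and the medium finding beyond 90 days, and `high_asset_exposure` reports VULN-A as open on 50% of high-ranked assets, which is the line-item view Exhibit 3 presents.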
Who Is Accountable?
In today’s networked environment, responsibility for protecting digital assets and combatting cybersecurity threats is distributed amongst various individuals within the organization and even outside service providers (although accountability, especially as it relates to the protection of customer information, cannot be outsourced or assigned to a third party). This distribution of responsibilities may cause challenges for an audit committee in determining accountability for remedial actions and ensuring that an organization’s environment is sufficiently and appropriately tested. Exhibit 4 illustrates who “owns” various aspects of cybersecurity risk (which will vary by organization), using color to highlight problems and the department responsible for remediation.
EXHIBIT 4
Assignment of Accountability for Risks
Leveraging Information Management Skills
The general business community has long recognized CPAs as leading information management professionals. In many ways, reporting on cybersecurity risks is very similar to traditional management accounting functions. As with other types of business operations, leveraging core skills in information presentation will enable CPAs to help others make sense of an increasingly complex world.