A New Form of Assurance for the Ever Increasing Cyber Threats
Cybersecurity breaches across the country and around the world have heightened the awareness and attention of business executives, financial investors, boards of directors and the general public. With the number of breaches on the rise many experts are saying it’s a matter of when, not if, a breach will occur at any organization.
Although no one form of control can guarantee 100 percent security, a well-defined and implemented cybersecurity risk management framework will substantially reduce the likelihood of a breach.
With the implementation of the System and Organization Control (SOC) Report for Cybersecurity, the AICPA recognized the need to help organizations report on the effectiveness of their internal controls designed to prevent, detect, and respond to cybersecurity threats. Their objective is to provide a mechanism for providing corporate directors, senior management, and other constituents of organizations information on an organization’s cybersecurity program through the use of a common reporting framework of criteria designed specifically for evaluating cybersecurity risk.
The new SOC for Cybersecurity is designed to be a reporting mechanism for any organization, not just service organizations (i.e. organization that provide services to other organizations), which is how all other SOC reporting options are currently designed by the AICPA (SOC 1, 2, and 3 examinations). This reporting option was constructed with the mindset to provide a consistent reporting mechanism for any company looking for assurance over its cybersecurity controls.
Differences Between the SOC for Cybersecurity and the AICPA’s SOC 2 Examination Option - A Supplement, Not a Replacement
This new SOC report supplements the AIPCA’s SOC 2 reports on an organization’s controls designed to meet the Trust Services Framework, which currently does not include criteria for an organization to report on its controls specifically designed for cybersecurity risk.
With the increased scrutiny and evaluation of third and fourth-party service provider risk as part of comprehensive vendor management programs mandated by various regulators, the SOC 2 was considered inadequate in many ways with respect to addressing cybersecurity controls. The new SOC for Cybersecurity will help organizations bridge that gap.
Other noteworthy differences between the SOC for Cybersecurity and SOC 2 reports:
- The SOC for Cybersecurity is not restricted to service organizations and can be a reporting mechanism for any company’s cybersecurity framework. The SOC 2 is designed to report on controls over a service organization’s security, availability, processing integrity, confidentiality
- SOC 2 reports can be issued under two types, one of which includes an evaluation of the design and operation of controls over a period of time, thus providing greater assurance to users of the report that the controls are in place and operating within a service organization’s control environment. The SOC for Cybersecurity report does not include information on control design and operating effectiveness over a period of time, potentially providing less assurance that the controls for the entity’s cybersecurity program are indeed in place and operational on a continuing basis.
- Many organizations use third-party service providers to operate various aspects of their business, commonly resulting in reliance on those subservice providers to have controls of their own. SOC 2 reports enable a service organization to identify the controls they expect their third-party providers to have implemented and allows them to carve-out those control responsibilities from their control environment. However, the SOC for Cybersecurity does not offer an option to delegate any related control responsibilities to third-parties. Instead organizations are responsible for having all controls required to meet the cybersecurity framework requirements outlined by the AICPA.
What SOC Report Should You Consider?
Regardless if you are a user of reports or a service provider with the objective of providing your customers with some degree of assurance, chances are no single SOC report will meet all the needs of your organization.
There are several considerations that may make one report more applicable than another, however increasing demands for greater clarity and reassurance may mean more than one report is required.
The broader needs of most user entities will largely be covered by a SOC 2 examination, including the relevant scope of services and trust service principles that relate to its commitments and requirements to customers. That said, the increased attention and focus on cybersecurity may still require completion of a separate SOC for Cybersecurity.
As seen within the new regulation over cybersecurity issued by New York State’s Department of Financial Regulators, regulators are putting increased pressure on their constituents and adding requirements for vendor management programs to be more comprehensive, specifically to include due diligence measures that cover cybersecurity.
And to provide the necessary assurance being sought by an organization’s leadership and investors, the SOC for Cybersecurity provides an opportunity to answer the questions being asked by so many.
If in doubt, or to learn more about SOC reporting options for your company, contact our dedicated team of professionals that focus and provide SOC services on a national basis. Click here or call Dave Hansen, Principal, at 585.360.1481 to connect.View full article
Online business is the new "Main Street" of America. According to the U.S. Chamber of Commerce, 74% of small businesses have a website online; many of these solely conduct business through their website. With an uptick of devices that increases social media presence (i.e. the smart phone, tablets, apps); businesses are able to conduct more of their daily activities online than ever before. This drive to do business or maintain a website online does not just apply to corporations, but to entrepreneurs looking to start or grow their business online.
While companies large and small are increasing their online business, larger companies have the capability to improve their defenses and resilience against cyber threats, leaving the small companies ripe for the picking for cyber criminals. Theft of digital information has become the most commonly reported fraud. Whether a business is utilizing, or thinking of utilizing cloud computing or just using email and maintaining a website, cyber-security should be part of the plan. It is a business’s responsibility for creating a culture of security that will enhance business and consumer confidence.
In order for businesses to stay a step ahead of cyber criminals these steps should be taken to increase security:
Train your employees in security principles- establishing basic practices and policies for online use, such as creating strong passwords, appropriate internet use, and rules on how to handle and protect customer information and vital data.
Protect computers, networks from cyber attacks- “cleaning” computers is one of the most vital things you can do to help prevent cyber attacks. For example having security software, web browser, and operating systems are the best defense against malware, viruses or other online threats.
Provide a firewall for your computer- a firewall is a set of related programs that prevents outsiders from accessing data on private network information. This includes ensuring that if an employee is working from home that their home system has firewall protection. One of the most common mistakes is downloading firewall programs but not “enabling” them; essentially “turning them on”.
Secure Wi-Fi networks- make sure that any Wi-Fi networks you have for your business is secure, encrypted and hidden. You can hide information by setting up your wireless access point or router so that it doesn’t broadcast a network name, and password protect access to the router.
Limit employee access to data- do not provide any one employee to all data systems. Employees should only be given access to the specific data systems that they need to perform their jobs, and should not be able to install any software without permission.
PCI Compliance is also a big part of being secure online. PCI DSS is the Security Standards Council that was put into place to ensure that businesses storing, transmitting, and processing payment card data, are not putting their customers or their business at risk of data theft or fraud. The PCI DSS has four levels of compliance, with number one set as the highest level. The level that your business requires depends on:
The volume of transactions you process, and
How you process them.
Cyber-security is a team sport. Taking actions that will better protect both vital data and your business operations will have positive consequences for the security of all businesses, communities and the country. Computers and networks are interconnected through cyberspace; that means that both public and private sectors share responsibility.
Freed Maxick CPAs
Freed Maxick’s tax team and enterprise risk management team want to make sure that your online business is secure. Our firm is registered with the Payment Card Industry Security Standards Council, LLP (PCI SSC) and has Qualified Security Assessor’s certified by the Council to validate an entity’s adherence to the PCI DSS. Contact us and connect with our experts.