Not only is the number of cybersecurity attacks increasing every year, but the sophistication and severity of these attacks is on the rise as well. As a result, cybersecurity is one of the top board room concerns in nearly every company in the country. In response to these concerns, the AICPA issued a robust Cybersecurity Risk Management Reporting Framework as a solution for organizations to take a proactive approach to cybersecurity risk management.

The cybersecurity risk management examination is part of the AICPA’s suite of System and Organization Controls — or SOC — reporting. Through a SOC engagement, a CPA firm provides an opinion on a service organization’s system controls (SOC 1, 2 and 3) or on entity-wide controls (SOC for Cybersecurity).

The SOC for Cybersecurity Report includes the following three key components:

• Management’s description– The description of the entity’s cybersecurity risk management program. This description is designed to provide information about how the entity identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the entity’s information assets against those risks.
• Management’s assertion– Management provides the assertion regarding the presentation and effectiveness of the controls in place to achieve the cybersecurity criteria. Specifically, the assertion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.
• Practitioner’s opinion– A CPA firm’s opinion on the description and effectiveness of controls in place to achieve the cybersecurity criteria. Specifically, the opinion addresses whether (a) the description is presented in accordance with the description criteria and (b) the controls within the entity’s cybersecurity risk management program were effective to achieve the entity’s cybersecurity objectives based on the control criteria.

The Cybersecurity Reporting Framework is flexible meaning that organizations may use other criteria (such as the NIST Critical Infrastructure Cybersecurity Framework and ISO 27001/27002) as control criteria, as long as such criteria are appropriate for the engagement in accordance with the AICPA’s attestation standards.

By obtaining a SOC for Cybersecurity attestation report that is performed by a third-party CPA firm, not only are you providing an increased level of confidence to your clients but also adding significant value to your service organization. A successful SOC for Cybersecurity audit will differentiate your organization from your competitors by demonstrating the establishment of an effective control environment and a commitment to the security, confidentiality, integrity and availability of your client’s data.