On-Demand Webinar: An Introduction to "SOC for Cybersecurity"

March 26, 2020

This course will introduce the AICPA's "System and Organization Controls" (SOC) examination engagement called "Reporting on an Entity's Cybersecurity Risk Management Program and Controls."


Transcript

Rod Smith:

Good afternoon, everyone, and thank you for joining us. Let me make sure I've got control of the slide here; there's a little bit of a delay. So there we go. As was mentioned, I'm a partner at Eisner in the controls assurance practice. I work primarily on technology controls assurance and support our financial statement audit practice, and I also do control attestations, primarily SOC 1 and SOC 2. And I was one of the members of the working group that developed the SOC for cybersecurity engagement. So I have a good understanding of the details of the engagement and also the rationale for certain decisions that were made that are reflected in the engagement's standards.

With me is Mike Cintron as well. I'll apologize to Mike in advance. Like many of you, we are in different locations, so I'll be the primary presenter and probably drive most of the presentation; the logistics are a little easier that way. So with that, we'll get going. But before we do, I just want to say thank you; we've got a really good registration for this webinar. And I'm sure part of that is the fact of the COVID-19 coronavirus conditions and work arrangements that we currently have. Before we begin, I'd be remiss if I didn't just wish you and your families well; I hope you're safe and sound and healthy. And I hope everyone is abiding by the edicts that we've been given regarding maintaining public health.

And I think the good news is that there's a silver lining here in this difficult time: we're learning better ways to work remotely and efficiently. And to the extent that you might have delays in your work or disruption, certainly attending trainings like this is helpful, and you also get a CPE credit. So it's probably a pretty good use of time, and we're going to teach you about a development in the profession, so that hopefully you'll understand at the end of this presentation what this new control attestation is, what its purpose is, and have an understanding of whether it might be a benefit to your organization or not.

So here's our agenda. We're going to go over some background regarding current challenges with cybersecurity risk management for organizations and the marketplace for cybersecurity services. We'll go over the opportunities and the objectives for the new CPA attestation, the AICPA SOC for cyber attestation versus other cybersecurity services. After that, we'll go over the basic features and components of the new report, the cyber assurance report. Then we'll discuss the differences and similarities this report has with existing control attestations, primarily the SOC 1 and SOC 2 engagements. Then we'll have a frank discussion of both the advantages and disadvantages of the new SOC for cybersecurity engagement. And we'll go over our thoughts regarding which kinds of organizations are likely to be good candidates for the service and early adopters. And we'll finish off with a little thought on our perspective regarding whether this new engagement will get market acceptance and what its likely future is in terms of industry adoption and its growth potential in the marketplace.

So really, this is just an opportunity to get a basic understanding of a new SOC control attest engagement service, one that is really the only one that has cybersecurity risk management as its subject matter. We'll go over its value proposition and the factors to consider regarding the need for providing assurance over cybersecurity to interested parties for your organization.

So let's look at the current market for cybersecurity services and the risk that cybersecurity poses to most organizations. Obviously, cybersecurity is probably the most important emerging technology risk for organizations. It affects all realms of our lives. It really affects all operations of organizations, their services, their products, how organizations communicate. There really is very little from the factory floor up to the CEO's office, in terms of transacting business, that isn't affected to some degree by information security risks, and external information security risks are the focus of cybersecurity risk management.

Obviously, the news cycle has been dominated by the coronavirus and addressing that, but typically, when you give a presentation about cybersecurity, there's always a headline regarding an organization that has experienced a devastating breach with major economic and reputational consequences. And under the current circumstances, I think that there's an increased risk with people working remotely, which poses some risks to organizations that they'll have to react to and think about as part of their cybersecurity risk management posture.

Stakeholders and regulatory bodies are demanding increased visibility and assurance over their organization's cyber program. I'm going to just refer to it as a cyber program. What we're actually looking at here has kind of a dual emphasis. One is the overall cyber risk management program that organizations develop, and then the controls they put in place to actually prevent and detect cyber risks. It's kind of a cumbersome phrase, so I'm just going to shorten it to cyber program. When I mention cyber program, I'm referring to the overall program and controls.

As most of us know, new regulations and examiner guidance have increased expectations of organizations. Most organizations do see cybersecurity as a strategic risk for their companies. However, few have really mature or robust programs with mature capabilities, not only to prevent and detect cyber incidents but also to handle the entire lifecycle of a cybersecurity incident, which also involves assessing incidents, mitigating them and recovering from them as well. So the need for cybersecurity assurance and reporting has been growing. It's been growing for quite some time. The expectations of executive management and governance bodies to monitor, and to demonstrate that they're monitoring and overseeing, their organization's cyber program are becoming increasingly critical.

Michael Cintron:

So Mike Cintron here. I'm just going to step in until he hops back. The next slide we have here is the general challenges.

Rod Smith:

But this slide here just illustrates how daunting the task is to have a robust and proactive program. Given the current environment with shifting threats and vulnerabilities and increasing regulations, most organizations find themselves backing into a reactive approach in which they're addressing things in a one-off manner. So there's a need to have a robust program in place, and the need to provide reporting and assurance to other parties is growing.

So in addition, the challenges are that companies are making a large investment in tools, technology, personnel and reporting, but most still have immature cyber programs and oversight. There are several suitable and well-respected cybersecurity frameworks. None of them has emerged as predominant. Several of them are suitable in the sense that they cover what they should. So various companies have adopted different frameworks. If there is a predominant one, I'd say it's probably the NIST Cybersecurity Framework, but there are other good ones that organizations use, and they should be able to use them.

Many consultants perform excellent cybersecurity assessments and testing, but the methods and tools they use vary. As for report distribution, the reports are very, very technical and hard to read for someone who's not a technologist, and the distribution is limited. And many services really focus on just two aspects, and that is preventing and detecting incidents: identifying vulnerabilities and testing the controls in place to prevent cybersecurity incidents. And they don't look at the rest of the program, that is, the policies and procedures and controls in place to assess, mitigate and recover from incidents.

As I mentioned, there are currently limited options for providing assurance. Many organizations currently just rely on what they call management representations, just explaining to the third party what you have in place and your security posture. And the consulting engagements they commission are typically used internally. And they may be unacceptable to provide to certain interested parties. They may provide too much technical detail, quite frankly. And they really can't be used as what they call audit evidence of the design and operating effectiveness of the controls for a third party.

So there's an increasing demand in the market to provide assurance and the standards that you use to cover the cybersecurity subject matter need to be robust and comparable from one entity to another.

Thank you. So the existing alternatives. The top one's probably the most prevalent for organizations in terms of providing assurance, and that is just responding to questionnaires and surveys that are submitted by business partners and clients and customers. There's a lot of time spent on that, and each individual organization might present its own questionnaire. There are consulting reports; we already mentioned that those are difficult to read and difficult to provide to third parties. Currently, there are the other SOC reports, primarily the SOC 1 and SOC 2, both of which cover many aspects of information security, but they really don't have cybersecurity risk management programs and controls as the subject matter. And they really don't describe the program.

So it's another option, and you can tailor a SOC 2 so it addresses a cybersecurity framework of your choice in its entirety. But you still won't get a lot of information regarding the overall cybersecurity risk management program in place. And then there are management representations, which I already went over. So as you can see, these existing forms of assurance are pretty limited, and they all miss the mark in terms of providing independent and objective audit evidence of the effectiveness of the program in place and the controls to address cybersecurity risks.

Yes. Well, the answer was supposed to be B, false. When you look at assurance to other parties, yeah, there are some options, but they really miss the mark in terms of providing objective and independent assurance regarding the program and controls. So that was the intended answer there, and it's a tricky question, so I understand why. I just went over the options, so I understand why some of you selected true, but the real answer is there really isn't a very good option, and there weren't many, and there wasn't a good option for providing assurance to third parties prior to the SOC for cyber engagement.

Okay, can we, thank you. Okay, so now we're going to look over the objectives of the AICPA's new control attestation over cybersecurity.

So, the AICPA recognized that there was a pretty acute need in the market to provide an independent examination of the cybersecurity risk management subject matter, and one that could be performed across organizations and industries. They also realized that there was a need for a holistic approach to the subject matter that not only looks at assessing the program's ability to reduce the likelihood of breach and the controls in place to detect and prevent a cybersecurity incident, the design and operating effectiveness of those controls, but also looks at the ability of an organization to assess, mitigate and recover from cybersecurity incidents as well, taking a holistic lifecycle approach. They thought there was an opportunity to leverage what the public accounting profession does particularly well, and that is providing a positive assurance opinion, adhering to stringent professional standards, excuse me, providing consistency and comparability of reports, and also publishing an engagement guide, which allows both the entity being examined and the CPA practitioner to have complete transparency over how to conduct an audit and what will be looked at.

They also felt the subject matter warranted a separate engagement, and that it shouldn't be kind of bolted on or attached to the existing financial statement audit. And they wanted that engagement to be voluntary, flexible and separate, as I mentioned, excuse me. The objectives were to provide both a thorough description of the risk management program as well as to test the implementation and operating effectiveness of a cyber risk management control framework. And the resulting engagement reflects the AICPA's dual emphasis on those two areas.

Michael Cintron:

Rod, so we had a question come in from one of the attendees, and the question is are there prescriptions for companies to follow for cybersecurity, rather than determining them on their own? This control framework can be overwhelming. Do you have any thoughts on that?

Yes. The NIST framework, and all the frameworks in the scope of this engagement, are very expansive, no question about it. One of the things they did, unlike other engagements, and we'll get to this on another slide, I apologize, it seems like my presentation is going into mute when I move my mouse around, so I'll try and be careful of that. So I apologize if there's a break in my presentation. But yeah, they gave the practitioner the ability to vary the timing, nature and extent of testing. So while the frameworks are very, very expansive, and all those controls should be designed and implemented, in the actual examination itself you have a little leeway as to exactly what you feel you need to test in order to support your opinion. So good question.

Let me make sure we're getting some progress here, and I'll try and go through the next slides pretty quickly. And one thing I want to mention is that to develop a robust approach, it's got to speak to many aspects of the program. Obviously, one of the things we want to be really clear on is that an organization could do all the right things as it relates to having a really good, effective program in place and having a good controls framework in place, and still suffer a devastating breach. And that's why they wanted to focus on the lifecycle of the cybersecurity incident in their approach, not just the controls in place to prevent and detect.

Rod Smith:

Unfortunately, the nature of cybersecurity risk is that as good a job as you may do in terms of implementing a cybersecurity controls framework and program, you still could suffer a breach. And hopefully, you'll be better off than an organization that doesn't have a good program in terms of mitigating and recovering from it, but you could still incur a devastating breach.

Okay, so we're going to look at the actual report form itself. Now, we'll go into the components of the report. It's very familiar to those of you who read SOC 1 and SOC 2 reports. The basic format is similar, with one omission, which we'll get into later. It has what in a SOC 1 or SOC 2 is called a management's description or a system description, but here it's called a management's description of their cyber risk management program. And you have to address what the AICPA has published in the engagement as description criteria, which we'll go into in some of the slides that follow.

Management also needs to include an assertion that both their cyber risk management program and controls description are fairly presented in accordance with the description criteria and the control framework, and that the controls to prevent, detect, mitigate and recover from cybersecurity-related incidents are effective. Likewise, the CPA practitioner's opinion opines on management's assertion with those two same assertions: one, that the description is fairly presented, and two, that the program and controls to prevent, detect, mitigate and recover from incidents are effective. So as you can see, those are very similar to other control attestations, primarily the SOC 1 and SOC 2.

I'm going to move to the next slide and the description criteria. This will give you a sense of just how good your program needs to be before you proceed with this engagement, because the description criteria force you to describe nine benchmark areas, and I'll go over them very quickly. You can review these in detail after the presentation.

One is just describing the nature of your business and its operations, and then you have to look at the nature of the information at risk. Section three is that you have to articulate the specific cybersecurity objectives for your organization.

Four is the factors that impact your inherent cybersecurity risk; that could be the technology you use, some regulatory requirements, the information you have. Various things, in fact, about your industry or your particular organization may have an effect on the inherent risks involved. And you have to describe your cybersecurity risk governance structure and your cybersecurity risk assessment process as well. You need to describe how you communicate the cybersecurity objectives, how you communicate them to both internal and external users, and the thresholds for communicating certain events internally and to other organizations, as well as your process for responding to and remediating incidents. They also want to look at how management really monitors the effectiveness of their program and controls. And the final area is what's typically described in other SOC 1 and SOC 2 reports, and that's just the control processes.

So you can see that you really need to have a very full program in place, because you really can't be silent on any one of those areas, in any of the control criteria, description criteria rather, that are in each of those areas, before you move forward with this examination.

So now we're going to look at how it differs from other control attestations, again primarily the SOC 1 and SOC 2 engagements. So this is a pretty good slide, and the slides we have here are a pretty good quick reference. In terms of the areas that are different, it gives you the distribution of the report for a SOC 1 and SOC 2. Those are what they call limited or restricted use reports. They're limited to companies and client organizations which contract for or use the services that are examined in the scope of the SOC report.

SOC for cyber, however, is like the financial statements. It's a general use report that can be provided to all interested parties. And that's a major advantage. It also carries risk with it, which we'll go into later. The opinion assertions are quite specific in a SOC engagement. In a SOC engagement, you have three. One is the fair presentation of the description. One is the design effectiveness of controls. And the third is the operating effectiveness of controls. And when you render a SOC 1 or SOC 2 opinion, you're opining, with reasonable assurance, on the achievement of each and every criterion for a SOC 2, and each and every control objective for a SOC 1.

For SOC for cyber, you have two assertions. One is the fair presentation of the cyber risk management program in comparison to the description criteria. And the other one is kind of a blanket assertion that controls for the program and the control framework were effective. One thing I don't have in this presentation which I should mention is that SOC 1 and SOC 2 can be what they call a type one, where you're just doing two assertions, the design effectiveness and the presentation of the description as of a certain point in time, or it can be a type two, which tests operating effectiveness over a period of time.

Likewise, the SOC for cyber can be as of the report date or as of a point in time; it can be a type one, and it can also be a type two, which opines on the effectiveness of the controls over the stated period. The third piece is different, and that is testing. In most control attestations, you have a description of the control activities that the CPA practitioner believes are necessary to achieve the control objectives and criteria involved. And it lists the specific tests designed and performed, as well as the result of each test.

For SOC for cyber, there is no testing section. This was done for two reasons, one of which I alluded to earlier. One is that the scope of these reviews is so expansive that it's a bit impractical to perform tests of every control for each attestation. Secondly, they didn't want to provide that level of transparency regarding cybersecurity vulnerabilities or results of exceptions, because they felt that they could be exploited. So it was kind of a cloaking objective as well to omit a testing section in the SOC for cyber.

The approach to third parties is also vastly different. For most existing control attestations, subservice organizations, and I'll describe what they are, are expressly carved out of the opinion. Subservice organizations are other parties involved in the subject matter you're examining; they're organizations which have a bearing on the achievement of the control objectives that we're examining at the service organization. So it's third parties that are performing activities on behalf of that service organization, which help it achieve, or are integral to achieving, the control objectives being examined. So that puts the reader of those reports in the position of having to go to those other organizations, if they feel they need to, to get assurance regarding those activities.

In SOC for cyber, however, there are no carve-outs. The opinion actually extends to third parties. The examination took a twofold approach to that. One is to assess the third-party risk management programs the client has in place, and the other, depending upon the nature of the risk and the activity performed by the third party, is the need for management and the service auditor to test and get audit evidence from those third parties.

Now, I was involved in the working group, as I mentioned, that developed the engagement, and I was never quite comfortable with this opinion assertion. The reason they chose this approach was they felt that you really couldn't do a good job of opining on the subject matter if you excluded the third parties. And I agree with that. However, they didn't address the practical consideration of how you would really get assurance over the activities performed by those third parties. So in my mind, it was a bit of an unholy compromise in terms of including third parties in the opinion assertion.

Michael Cintron:

I got to ask a question here.

Rod Smith:

Go ahead, Mike, yeah.

Michael Cintron:

In regard to the differences between the general SOC requirements and the cyber requirements, what are some of the variances in the point in time of an audit, or the period of time of an audit or examination?

Rod Smith:

Well, I mean, I think it's a good question, and I've got to be honest, I have not seen, and if you have, let me know, anyone who's listening, I have not actually seen a SOC for cyber examination report. But it will follow the same model as other reports in the sense that you will have a stated period of time. And for a type one, really all you're saying is that at the time the CPA practitioner signs the opinion, they have confidence that the system description is fairly presented, and that the controls in the report were effectively designed and implemented. But all they did was just confirm that at one point in time the controls were implemented. They didn't go into whether they were operating effectively.

So I think this new SOC for cyber will have a similar approach in terms of a type one, and a type two would probably be a calendar year. I think the expectation would be that you wouldn't have any breaks in coverage and that you would issue these reports every calendar year, every 12 months or whatever, on a 12-month cycle. Does that answer your question, Mike? Maybe I missed it.

Michael Cintron:

I think that covers it. We have a few other questions that are relevant to the testing section. One question is, how can a reader rely on the report if the test results are not shared? And so, how can you find effectiveness with no testing? So can you kind of explain the way the report lays out how we see what is actually done, without giving too much information about the cybersecurity program in place at that client itself?

Rod Smith:

Well, the analogy I would use... it's a great question. The degree of transparency you have in a SOC 1 and SOC 2 is extreme. I mean, it's kind of an open poker hand in the sense that you know exactly what was tested and what the results are. And you can compare that to the opinion that's rendered and either agree or not, and you can react to individual exceptions. But similar to a financial statement audit, you don't provide details on everything that was tested for rendering a financial statement opinion. The approach taken here is similar. The CPA practitioner needs to have, if examined or reviewed, audit evidence in their work paper files of the tests performed, the test design and the results, sufficient to support their opinion. But they don't necessarily need to include all that detail in the report. That's at least the thinking.

Okay, so let's make sure, I know we can go over a little bit, but I want to be respectful of people's time and make sure that we get through the slides before the end of our hour. We're doing pretty well actually, so that's good.

So a couple of other points. While this is a voluntary, separate engagement, and it doesn't really have a relationship to the financial audit, and quite frankly the controls tested really don't overlap all that much with the controls tested for the financial statement audit, even with the 404, there's a lot that's tested in a SOC for cyber examination that isn't necessary to test for an accelerated filer. Nonetheless, the thinking is that these reports will be used heavily by users of the financial statements, and we expect that they will be highly engaged users of the report. Similarly, while regulatory examiners probably aren't an intended user of the report, considering the report's available in the public domain, the reports are likely to be reviewed by and relied upon by regulators, which is a good thing, because some of these regulators perform their separate examinations at great time and expense and disruption to the client they're examining. Now you can furnish this report to them, and it should answer more than what they would probably look at. That's at least the objective.

And here's another point. It is a general use report, but like any control attestation general use report, it can be restricted by both the CPA practitioner and the entity by mutual agreement, where both parties believe there is a high risk of misunderstanding, whereby a reader of the report may place undue reliance on the conclusions or the results, or may not understand the subject matter sufficiently to draw those conclusions. So, the standards did not change there. If you notice, they issued a new engagement guide, they issued description criteria for cyber risk management programs, they updated what they call the trust services criteria to make them appropriate for the cybersecurity subject matter, but they in no way changed the existing attest standards with the promulgation of this new service. But it does have several differentiating aspects that should make it attractive to the intended users of such a report.

So we'll have a frank discussion of the advantages and the disadvantages of the new engagement.

In summary, I already mentioned that this is something you can give to a wider distribution of all "interested parties", similar to the financial audit reports. It has a structured and familiar approach and a standard CPA positive assurance opinion, which is familiar and well understood. It's in line with other control attestations. The format of the report will be rather standardized, excuse me, and comparable from one organization and industry to another.

It has description criteria, which should drive consistency in terms of understanding the program for the report user, and will also drive improvements in an organization's program. And it also has the benefit of transparency in terms of a published and rather exhaustive, not exhaustive, it's not that lengthy, but a very thorough description of the engagement guide and requirements and illustrative reports, et cetera, that are in the audit and assurance guide that's published for this engagement. It has a holistic, inclusive approach to the subject matter, which was kind of lacking in the marketplace. It covers all aspects of the cyber program and controls; it focuses on describing the program, not just testing and assessing the controls. It takes a lifecycle approach to cyber incidents, in terms of the entire lifecycle of not only preventing and detecting, but assessing and mitigating and recovering from incidents.

It's a tailored scope. The description criteria walk you through the operations and all the aspects which allow you to tailor and understand the cybersecurity objectives of an organization. And then you can measure the actual controls and program to satisfy those objectives. So it's got a tailored approach. It's driven by risk assessment, and it's also going to be more readable and understandable, especially to those who are not technologists, than our current cybersecurity services.

It balances flexibility and standardization, in a sense. It's flexible in the sense that you can choose your cybersecurity framework. You don't necessarily have to adopt the AICPA's default framework. The default framework is the TSC. And I'm sorry, I just used some acronyms to not make these slides too busy. But TSC is the Trust Services Criteria. They're associated with the SOC 2 primarily. And they are criteria for typical areas that you need assurance on from third parties. The categories are security, confidentiality, availability of systems, processing integrity and privacy.

It's scalable in the sense, and I didn't mention this before, that the exam scope can be enterprise-wide, or it can be limited to a business area, geography or unit, and it's standardized in terms of the description criteria. We already discussed that. So it does have several advantages, and it does really address well the overall cybersecurity risk management subject matter. However, some of these advantages also create some additional risk for those who commission such an examination.

These are disadvantages. I don't know if these are risks; I'd say these are disadvantages. One is the expertise of practitioners. Public accounting firms, and Eisner in particular, have a very good cybersecurity practice with people who live and breathe and are very deep in doing technical cybersecurity engagements. But there are also many excellent consultancies outside the public accounting realm. And given the broad focus of this and the fact that it's an attest engagement, the team that will perform a SOC for cyber engagement is likely to be composed of deep cybersecurity consultants as well as more mainline information technology auditors and auditors in general, controls assurance practitioners.

To the extent that certain niche consultancies can really do a deep dive in specific areas, you're not going to get quite that depth; you're going to get broader coverage and good depth with the SOC for cyber, but if you really want a very technical review of a specific area, you probably won't get that from the SOC for cyber, and you could get that from a consulting engagement. It's a high-risk engagement, in the sense that it's a high bar to clear in terms of the program in place and measuring that against the description criteria, and in terms of the breadth of controls or what's in scope.

When we went through developing the scope of the review on the working group, it really became pretty much everything, all things related to information security. Initially, the focus was like external threats. That's what you typically think of when you think of cybersecurity incidents is something coming from outside your virtual four walls of your organization and what's the internal network, but it also wanted to cover risks internally. So it's a very broad treatment of the subject matter, and it's a lot to cover. And as a result, there's a higher risk of us receiving a qualified opinion.

It's a public audit report, so you can't control necessarily who may receive the report and use it and what kind of conclusions and reliance those individuals may have on the report. It's not unlikely that could happen with any audit report, but with this subject matter, it may be more prone to misuse and putting undue reliance on it than other types of general use reports.

It's expensive. I mean, it's going to be given the scope and the risk involved with it, the fees for these services will be adjusted accordingly. I already mentioned the point that you could do everything right. The optics wouldn't look good. I mean, let's be clear. I mean if you're a large company, and you commissioned this review, and you get a clean opinion, for a SOC for cyber exam, and then shortly thereafter, you've suffered a devastating breach, that wouldn't look good for that organization. And it wouldn't look good for the public accounting firm which issues that. It's not unlike any kind of financial statement audit, quite frankly. It's not that I don't think it's got a greater risk than that, but it does have that risk of like a class action type of suit. It has the opinion risk, I already mentioned in the sense that it extends to third party and a strong assertion regarding the controls that are described in the report that controls were effective.

It also doesn't leverage what they call a maturity model. A lot of frameworks in the cybersecurity realm adopt a maturity model approach. Well, you're not only looking at pass/fail. You're looking at, you can grade each criterion from one to five. Organizations like a maturity model because it allows you to monitor the progress over time of your program in various areas. The SOC for cyber uses the traditional kind of pass/fail or qualified opinion model. So as a result of both its advantages and some of the risks and disadvantages, there's no guarantee that this product will gain market acceptance.

Again, in terms of other assurance options, let's look at them again now that we understand what the SOC for cyber is. You can continue and a lot of organizations will find themselves in number one, let's do self-assessments of reporting. As long as entities continue to accept that, I mean, a lot of times that's the least expensive option, where you provide representations over your cyber program and posture to third parties. Probably the lowest cost approach, although it may be disruptive and timely in terms of internal time and resource to provide those representations.

If you're really just concerned about the quality of your controls to prevent most known vulnerabilities and testing operating effectiveness, consulting services may be a better option for you. They can really test very thoroughly and use tools to automate the testing of controls in place to prevent and detect incidents. And sometimes, these services also incorporate the maturity model that I described, and that makes it attractive to many organizations.

Another option that people should consider because it's probably a little less expensive, is what they call a SOC 2 plus report. And what you can do with a SOC 2 plus is you can address the trust services criteria that we described earlier, and then look at that in comparison to the organization's chosen cybersecurity risk control framework and determine how many of the controls in the cyber risk framework are addressed by the basic native trust service criteria. And then you can add the controls that aren't addressed by them and test them separately.

You would call that out in your opinion, that you address the trust service categories, as well as an additional framework criteria. And you can call it out in your testing section. So you'd also get that additional reporting of testing in a SOC 2 plus, where you could actually include the delta, those criteria that weren't addressed by the base trust services criteria that need to be addressed to cover the cybersecurity framework. All that testing and the results of that testing would be available to the users of those reports. You don't have to get into all the description of the program that you would for SOC for cyber with that option. And again, it has a limited use which may be attractive to some organizations as compared to the general use SOC for cyber.

Let's try to get those all filled out. I don't know why it's... All right. So these are the organizations that we think are good candidates for the service. Obviously, top of the list is large publicly owned audit clients. They can absorb the fees of this service and they probably have, they could get the most mileage out of providing this report to many various constituents.

Banking clients are also high priority targets from a profit motive standpoint of the hacking community. And they also already have a stringent regulatory regime that they need to satisfy from a control standpoint. So they would also be good candidates for the service. In addition to banking clients, there's also, I should put air quotes around "financial services entities" because there's a very broad definition of it, but financial services entities in New York State, given the New York State cyber rule 500, all entities that fall under the New York Department of Financial Services purview and have nexus in New York, which really captures a lot of organizations, quite frankly, would be a candidate for the service because that's a very stringent cyber rule. And they need to provide a representation regarding their program and controls to the New York Department of Financial Services already. And again, it really encompasses a lot of different types of companies, including insurance companies and various other companies, credit card companies. It's a very long list of organizations, not just your traditional, what you think of in terms of financial service entities that fall subject to that rule.

Organizations that already have a pretty heavy burden to provide controls assurance like payment card industry clients and other SOC clients that already issue SOC engagements but are hampered by the restricted use limitation of those reports may also be interested in the SOC for cyber. Technology companies primarily because their client organizations may be some of the same organizations we just described above will feel the pressure to possibly adopt this new control attestation as well as any other audit clients who are sensitive to the increasing need to provide assurance of their cyber risk program.

So, the objective here with this new service, it provides a very full treatment of the cybersecurity risk management program and controls subject matter, provides assurance to a wide range of interested parties. And to potentially test once and satisfy all or many of the constituents is the objective and the value proposition of SOC for cyber.

I think it's very clear that you have to be able to answer a lot of questions about your program before you decide whether this is right for you. Here are some of those. And I think we kind of went over these and I know we're running out of time. So I'll wrap this up quickly.

Our view overall is that organizations will over time have an increasing need to demonstrate that they have a sound cyber risk management program and controls framework in place and to provide assurance to interested parties. And really, I think we've demonstrated the SOC for cyber is really the only full treatment of that subject matter that provides assurance that's objective, comprehensive and understandable to non-technical parties, and which provides a consistent and transparent framework and reporting format. For this reason, we do think this, I don't know if it will become the de facto reporting standard, but it can become the gold standard for reporting on the cybersecurity subject matter, and that early adopters may enjoy some advantages and prestige for issuing this report. And just in general, any organization that endeavors to do this examination will certainly improve their program. That, I mean, is almost certain. So, with that, that concludes the presentation. I know where we're at, one minute, we're at one o'clock or maybe a minute beyond. But if there are any additional questions, we'd be happy to answer those now.
About Rod Smith

Rod Smith is a Partner in the Assurance and Technology Control Services Practice within the Audit Group, with professional services experience in quality assurance of the information technology control assurance portion of financial statement audits.

About Michael Cintron

Michael Cintron is a Manager in the Assurance and Technology Control Services Group with experience in internal controls and IT Risk Management.