One Tool To Get a Better Grasp on Cybersecurity Risk Oversight

November 26th, 2018

cybersecurity-11-26-18.pngAs new types of risk – and new regulatory requirements – are introduced, bank directors play an instrumental role in making sure the executive team is properly addressing cybersecurity risks.

This can be an especially challenging responsibility as it is rare for board members to have the technical background or expertise to appropriately assess an entity’s cybersecurity risk management program without external resources. In many instances, directors find themselves in the uncomfortable position of relying primarily on management reports or the advice of third-party providers to meet their oversight responsibilities.

Annual scorecards from management and vulnerability assessments from third-party providers have value, but can make it difficult to compare and assess risk management programs with confidence.

To address this challenge, boards can consult new guides that offer ways to explore and dig into potential cyber risk management issues and other technical matters.

The Center for Audit Quality (CAQ), recently released a new publication, “Cybersecurity Risk Management Oversight: A Tool for Board Members.” The tool, like other emerging frameworks, is designed to help board members probe more deeply, challenge management assertions from a position of knowledge and understanding, and make more informed use of independent auditors.

Asking the right questions
In addition to offering board members a high-level overview of cybersecurity risk management issues and board responsibilities, the tool offers a series of probing questions board members can use as they engage in discussions about cybersecurity risks and disclosures with management and with independent financial auditors.

The questions are organized into four groups:

  1. Understanding how the financial statement auditor considers cybersecurity risk. These questions help board members understand the auditor’s approach to cybersecurity-related risks, and how such risks get addressed in the audit process.
  2. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures. These questions help board members explore compliance with current SEC guidance, as well as other regulatory and disclosure requirements.
  3. Understanding management’s approach to cybersecurity risk management. These questions look beyond financial reporting and compliance, and begin to probe broader cybersecurity-related issues, including the governing framework, policies, processes, and controls the bank has in place to manage and mitigate cybersecurity risk.
  4. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management. These questions help board members learn about additional offerings CPA firms can provide to assist them, and what factors to consider when engaging outside auditors to perform readiness assessments and examinations.

Starting the conversation
The CAQ says the cybersecurity oversight tool is not intended to be a comprehensive, all-inclusive list of questions for board members to ask. It also cautions against using the questions as a checklist for board members to use.

Rather, board members should look at the questions as conversation starters, examples of the types of issues they should raise with management and financial statement auditors. The purpose of the questions is to spark a dialogue to clarify responsibilities and generate a conversation and help board members develop a better understanding of how the company is managing its cybersecurity risks.

Expanding CPAs’ capabilities
As noted, one group of questions is designed to help board members learn more about other cybersecurity assurance services offered by CPA firms. One example of such services is the new System and Organization Controls (SOC) for Cybersecurity examination developed by the AICPA.

The information within the report provides management, directors or clients a description of the organization’s cybersecurity risk management program and an independent opinion on the effectiveness of the controls in place.

As concerns over cybersecurity risks in banking continue to intensify, directors will find it increasingly necessary to be capable of effectively challenging executive management and financial auditors. This tool is one guide alongside other evolving frameworks and services, that can help boards fulfill their responsibilities while also adding significant value to the bank and its shareholders.

aahmed

Arshad Ahmed, CPA, CISA, CISSP is a partner within Crowe LLP’s national IT Assurance practice. He has over 30 years of experience within the areas of Sarbanes-Oxley Act, System and Organization Controls (SOC 1 & SOC 2), SOC for Cybersecurity, HITRUST and other cybersecurity risk consulting engagements. In addition, Arshad is the practice leader for SOC, HITRUST, and SOC for Cybersecurity. He can be reached at Arshad.Ahmed@crowe.com.

bphillips

Ben Phillips, CPA, CISA, CITP is a member of Crowe LLP’s national IT Assurance practice. He has over 8 years of experience within the areas of Sarbanes-Oxley Act, System and Organization Controls (SOC 1 & SOC 2), SOC for Cybersecurity and other cybersecurity risk consulting engagements. Ben can be reached at Ben.Phillips@crowe.com.