SOC for Cybersecurity
Patrick Morin, Principal, and Zach Porter, Senior, Risk & Business Advisory Practice
Could your company afford a material loss of 10 percent or more of income? In the infamous Yahoo data breach, three billion user accounts were hacked. Not only did this breach impact consumer confidence in the company (as evidenced by the 5% stock drop on the day Yahoo announced the breach), but the breach also cost the company millions of dollars. Yahoo was forced to pay a $35 million dollar fine to the SEC, $50 million worth of damages, and $35 million in attorney fees. Additionally, Yahoo took a $350 million cut as a result of this breach when it sold itself to Verizon in 2017- that is a total swing of about $470 million. As organizations continue to deepen their technological dependency (and given the risks associated with using technology), it is not a surprise that cybersecurity has become a top priority for management.
According to a 2019 study conducted by Gartner, cybercrime damages are predicted to top $6 trillion by 2021. By 2020, a company is expected to fall victim to a ransomware attack every 14 seconds, with damages 15 times higher than those of two years ago. With the rise of cybersecurity threats, organizations are recognizing the need to address cyber risks. According to Gartner’s research, only 41% of CEOs consider their organization well equipped to address and defend a cyberattack. Given the reality that 93% of breaches in 2017 could have been prevented (Gartner), many companies are turning to outside resources to fortify their cybersecurity programs. To address this growing market need, the American Institute of Certified Public Accountants (AICPA) has developed a cybersecurity risk management reporting framework and a new SOC (System and Organization Controls) for Cybersecurity report through which a CPA reports on an organization’s enterprise-wide cybersecurity risk management program.
The SOC for Cybersecurity report provides readers with a description (prepared by management) that includes information to help them understand an organization’s enterprise-wide cybersecurity risk management program. Independently, the CPA expresses an opinion on whether or not management’s description was made in accordance with the description criteria and whether or not the controls within the program were effective in achieving the organization’s cybersecurity objectives based on the control criteria.
The SOC for Cybersecurity report provides stakeholders with an independent, enterprise-wide assessment of an organization’s cybersecurity risk management program. The report identifies gaps and deficiencies in the current program, and provides management with direction on where the program’s strengths are, as well as areas that are currently at higher risk. With this information in hand, stakeholders can make better decisions regarding risk assessment and risk mitigation, and identify and close control gaps before a catastrophe strikes. As technologies continue to develop, and companies leverage these technologies to promote efficiency and cost-savings, companies must not forget the associated financial, reputational, and compliance risks associated with the use of these technologies. The initial investment in a SOC for Cybersecurity report will prove to be far less costly than a cyberattack, as well as provide stakeholders with added assurance that the company is equipped to defend against and handle an attack.
Cyberattacks are imminent. Cybersecurity, or a lack thereof, can have a major impact on your organization, both financially and non-financially. Are you prepared? Do you feel confident in your organization’s ability to thwart and manage a cyberattack? Has your company evaluated its cyber resiliency? Does your organization fully understand the risks posed by the use of its technologies? If you answered no to any of the above, or are not sure, the SOC for Cybersecurity report may be a good way to learn more about your organization’s cyber risks and what you can do to address them.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.