IT Cyber Risks: A View under COSO 2013 Lens
Cyber security continues to be a ‘meteor’ at the top of organizations’ risk profiles. Bridgepoint Consulting hosted an event on May 12 for internal audit and compliance executives to discuss IT cyber risks — including both assessment and management using COSO 2013 framework guidance.
Themes discussed included:
- Business is cyber-driven at high speed and cyber-attacks are increasing in frequency and impact
- Cyber risk must be managed; assume attacks and breaches are already happening, and focus on timely detection and appropriate response
- Legislation and increased regulatory requirements are on the horizon
- COSO 2013 provides one of the frameworks that can be used by internal audit and compliance functions to assess and monitor cyber risks and related controls
The following summarizes additional highlights that meeting participants discussed:
Control Environment: Does the Board and Senior Management focus on cyber risk profile and how it is being managed?
Board level and senior management ‘tone at the top’ for IT strategy and risk management is a critical success factor. Participants indicated their organizations were moving from SOX-focused IT general controls risks to broader cybersecurity risks with an increase in communications to Board level and senior management. The frequency of this IT risk reporting varied from at least annually to monthly. Topics reported include IT investment adequacy, deploying the right people, and technical requirements to align with objectives of managing cyber risks. Most companies have experienced an increase in budgets and costs related to managing cyber risks. There has also been an increase in Board level and senior management requests for IT audit coverage and IT compliance functions’ activities.
Challenges mentioned included communicating the ‘tone at the top’ message throughout company ranks, keeping pace with constantly shifting cyber threats, and exposure from rogue systems.
Risk assessment: Does your company’s risk assessment address cyber threats to operations, reporting and compliance objectives?
The group discussed cyber risk assessment considerations, including defining objectives, identifying the information systems most likely to be attacked, likely attack methods, and the effectiveness of the related control activities. IT risk assessment activities and the level of effort devoted to them have increased. Other considerations mentioned in relation to risk assessment were analyzing the root causes of breach events, which data is most valuable or most subject to fraud, how that data is stored and processed, and both internal and external threats.
Third party IT providers are more prevalent in today’s business environment and must be subjected to risk assessment. Understanding points of data access, service organization controls effectiveness and training needs, including end-user training, were mentioned as critical areas of risk assessment.
Control Activities: Are IT controls present and functioning to adequately manage cyber risks within acceptable tolerance levels?
The participants noted increased focus on understanding and evaluating access control activities effectiveness, both within their organizations and third party service providers. Recent breaches have emphasized the importance of controlling access points through vendors. Control structures providing ‘lines of defense’ for user access additions, changes and terminations, including administrative levels and firewall protection, were top of mind for assessing design and operating effectiveness. Enablers for assessing control effectiveness include IT policies and standards, and well documented system/application flow diagrams and accompanying control activities.
The group agreed that the recent increase in cyber risks requires a more thorough assessment of third party providers’ SSAE 16 report results, along with a related evaluation of the user control considerations and the business controls mapped to them. The risk of over-reliance on SSAE 16 SOC reports was raised for awareness.
Effectively designed and operating preventive and detective controls over access to IT environments (from both external and internal sources) are ‘table stakes’ for managing cyber risks. Given that breaches are inevitable, detective controls must operate on a timely basis so that an appropriate response and corrective actions can follow.
Information & Communication: Has your company identified information requirements and communication protocols to adequately manage controls over cyber risks, including responses to breach events?
Cyber relevant information requirements considered were:
- Documented responsible personnel, systems and applications data flow diagrams to enable detailed cyber risk assessment analysis and control effectiveness evaluation
- Third party providers: specified IT services, data access, interfaces, processing and reporting
- Data logs and security daily alerts of potential cyber-attack events or patterns of events that are actionable
- Information needed to timely identify changes in people, systems and processes
- Completeness, accuracy and timeliness of information needed to operate control activities
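The access-termination controls described under Control Activities and the information requirements listed above (documented account ownership, actionable security logs, timely identification of changes in people and systems, and completeness and timeliness of the information the control relies on) can be exercised as a small detective control. The following is an added example, not code from the original article or from Bridgepoint Consulting; the HR roster, the account listing, the syslog-style authentication log format and the one-day deprovisioning grace period are all constructed assumptions for illustration.

```python
from datetime import date, datetime, timedelta

# Constructed HR roster: employee id -> (status, termination date or None)
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", date(2015, 5, 1)),
    "E102": ("terminated", date(2015, 5, 11)),
}

# Constructed account listing exported from the access-control system
ACCOUNTS = [
    {"user": "alice",      "emp_id": "E100", "enabled": True, "admin": False},
    {"user": "bob",        "emp_id": "E101", "enabled": True, "admin": True},   # left 11 days ago, still enabled
    {"user": "carol",      "emp_id": "E102", "enabled": True, "admin": False},  # left yesterday, inside grace period
    {"user": "svc_backup", "emp_id": None,   "enabled": True, "admin": True},   # no documented HR owner
]

# Constructed authentication log lines; the "timestamp source RESULT key=value" layout is an assumption
AUTH_LOG = """\
2015-05-10T08:02:11Z auth LOGIN_OK user=alice src=10.0.0.5
2015-05-11T22:14:03Z auth LOGIN_OK user=bob src=203.0.113.7
2015-05-12T03:40:51Z auth LOGIN_FAIL user=carol src=10.0.0.9
"""


def orphaned_accounts(accounts, roster, as_of, grace_days=1):
    """Enabled accounts whose owner was terminated more than grace_days ago, or that have no HR owner at all."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        emp = acct["emp_id"]
        if emp is None or emp not in roster:
            findings.append((acct["user"], "no HR owner"))
            continue
        status, term = roster[emp]
        if status == "terminated" and (as_of - term).days > grace_days:
            findings.append((acct["user"], f"terminated {term}, still enabled"))
    return findings


def parse_auth_log(text):
    """Turn the constructed log lines into events with a parsed timestamp and key=value fields."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the control
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append({"ts": ts, "result": parts[2], "user": fields.get("user"), "src": fields.get("src")})
    return events


def post_termination_logins(events, accounts, roster):
    """Successful logins by accounts whose HR owner was terminated before the login date."""
    owner_of = {a["user"]: a["emp_id"] for a in accounts}
    hits = []
    for ev in events:
        if ev["result"] != "LOGIN_OK":
            continue
        emp = owner_of.get(ev["user"])
        if emp is None:
            continue
        status, term = roster.get(emp, ("unknown", None))
        if status == "terminated" and ev["ts"].date() > term:
            hits.append((ev["user"], ev["ts"].isoformat()))
    return hits


def log_feed_is_timely(events, now, max_age_hours=24):
    """Completeness/timeliness check: the newest event must be recent, otherwise the detective control is blind."""
    if not events:
        return False
    return (now - max(e["ts"] for e in events)) <= timedelta(hours=max_age_hours)


if __name__ == "__main__":
    as_of = date(2015, 5, 12)
    events = parse_auth_log(AUTH_LOG)
    print("Orphaned accounts:", orphaned_accounts(ACCOUNTS, HR_ROSTER, as_of))
    print("Post-termination logins:", post_termination_logins(events, ACCOUNTS, HR_ROSTER))
    print("Log feed timely:", log_feed_is_timely(events, datetime(2015, 5, 12, 12, 0, 0)))
```

The three checks map to the three information requirements: the roster-to-account reconciliation needs documented account ownership, the post-termination login check needs actionable log data, and the freshness check guards against the feed silently going stale, which would otherwise make the other two checks report a clean result on incomplete information.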
Timely and effective external and internal communications regarding cyber risks and controls are essential. It was noted that defined channels of communication should be developed and executed throughout the organization, including Board level, and with external stakeholders. In addition, specific planned communication protocols must be in place for potential or actual breach events.
Monitoring: What monitoring activities take place in your company to address cyber risk coverage?
Monitoring activities mentioned were ongoing and separate evaluations of control activities covering cyber risks. Consideration should be given to lines of defense:
- Control owners; business and IT management; IT Compliance; other Compliance functions; Internal Audit; external audit
- Includes monitoring lines of defense for third party service organizations’ controls and related user control considerations
Control deficiencies should be identified and reported on a timely basis, with management corrective action plans monitored through to remediation.
Cyber threats will continue to demand expanded levels of effort by all stakeholders and increased needs for the right people, systems and processes to manage these threats.
Bridgepoint’s Risk Services professionals are skilled at performing IT security related consulting and risk/internal control assessments. Our team can provide assistance with security monitoring and improvement initiatives.
If you have questions or would like to discuss these topics further, please contact: David Roe, Managing Director of Risk Services at DRoe@Bridgepointconsulting.com