A SOC for Cybersecurity examination is how a CPA reports on an organization’s cybersecurity risk management program. Its intent is to communicate information regarding an organization’s cybersecurity risk management efforts, which can give boards of directors, analysts, investors, business partners, industry regulators, and users an entity-wide perspective and confidence in an organization’s cybersecurity risk management program.
A SOC report consists of a single document, intended to be read alongside the financial statements, that meets the challenge of reporting on cybersecurity risk management practices and activities in a manner that is understandable to a wide variety of readers. It is an entity-level report that allows readers to gain a good understanding of the cybersecurity risk management program, relating it to the organization’s culture, structure, strategy, and operations. It is a continuous reporting process, intended to provide appropriate ‘updates’ to the board of directors, individual managers, and regulators if a significant event (e.g., a data breach) occurs.
Cybersecurity reporting has evolved over the past five years. The SOC for Cybersecurity report was developed in response to calls for (i) a comprehensive and objective report on risk management, (ii) an understanding of cybersecurity risks at the enterprise level, and (iii) an account of how cybersecurity efforts fit into the financial reporting process. Cybersecurity reporting has become more popular as cybersecurity is now the second most important topic that company auditors discuss with management. It may even be first in the minds of IT auditors.
Cybersecurity experts and industry leaders have approached and educated the risk management and financial reporting communities on the gap that remains in how cybersecurity risk management is addressed in financial reports. Most organizations have adopted an approach of following guidelines and identifying red flags. However, while standards for risk management (GAAS) exist, their application to cybersecurity risk management remains sparse.
“Most financial auditors have seen the financial cyber risk reports, but are confused about how they are to be interpreted, and how they fit into their audit planning.” The cyber risk disclosures in SOX 10-K reports are typically restricted to the Risk Management section and follow a similar format that is very confusing. All too often, the technical details are conveyed in a report that is read only by those in the cybersecurity function, and it provides only an ‘objective picture’ of cybersecurity risk management. Other organizations, including the FASB, the IASB, the International Auditing and Assurance Standards Board (IAASB), and the Institute of Internal Auditors (IIA), have begun developing standards in this area. However, these standards tend to fall short on providing guidance related to the cybersecurity risk management program. The Society of Corporate Secretaries and Governance Professionals (SCSG), in their “White Paper on Cybersecurity Risk Management”, recommended “that organizations have a standard for reporting that is similar to the annual financial reporting”. That is what the Gartner Group reports on in its SCSM (SOC for Security Management).
The SOC for Cybersecurity is aimed at the entire organization, whereas the SOC for Security Management is intended for the management level. The SOC for Security Management is, however, a parallel report to the SOC for Cybersecurity. The SOC for Security Management is an internal report that may be seen by the board of directors, whereas the SOC for Cybersecurity is an external report that is reviewed by the board of directors.
A complete SOC for Cybersecurity evaluation report consists of the following:
- Executive Summary
- Business Review
- Risk Assessment
- Risk Management
- Data Security
- Global External Cyber Risk
- Climate for Cybersecurity
- Key Findings
The SOC for Cybersecurity is a management report for the board, whereas the SOC for Security Management is for management. Therefore, you may find the need to have both reports in your organization. These reports are written jointly by management and the cybersecurity professional, using a mutually agreed-upon format for presenting the information.
Along with the SOC for Cybersecurity report, the internal report, SOC for Security Management, is developed by management and the cybersecurity professional. The SOC for Cybersecurity Report is then reviewed by management, the board of directors, the audit committee, and the entire board of directors as part of an annual update.
It is estimated that, a few years ago, there were approximately 20 different statements for professional service groups that could be adopted by management. The SOC was endorsed by the CISO Executive Council (CISEC), the Society of Corporate Secretaries and Governance Professionals (SCSG), and the Information Systems Audit and Control Association (ISACA). CISEC and ISACA took part in developing how the reports are written, and have provided their support for it. The SOC for Cybersecurity is an international standard, recently accepted by ISO as an international standard for cyber risk management.