May 16, 2019
by Sylvia Tsen, Executive Director, Knowledge, Operations and Technology, IFAC and Stathis Gould, Deputy Director, Professional Accountants in Business, IFAC
Cybercrime threatens trust and transparency in business and governments on a daily basis. As a customer, taxpayer, supplier or other stakeholder, we ask ourselves whether we can trust an organization to effectively secure our data. The public increasingly expects greater openness about the ethical issues arising from cybersecurity breaches, and how personal data is protected.
In their roles as value protectors and stewards, accountants need to be part of the solution when it comes to cyber security, whether they are advising their clients or working in a finance and accounting team, or in a broader strategic or operational role.
IFAC’s cybersecurity webinar provides valuable insights on what professional accountants need to think about in terms of their role in cybersecurity. This includes using their skills and expertise to protect data and information, as well as reporting on a company’s cybersecurity risk management program and controls.
The cybersecurity landscape is changing rapidly as organizations store more data and hackers have more opportunities to break into systems. The consequences of breaches in the form of fines and legal action, and ultimately a loss of customers, are also more significant.
The Ninth Annual Cost of Cybercrime Study by Accenture and Ponemon Institute finds that information theft is the most expensive and fastest rising consequence of cybercrime (although data is not the only target). Companies don’t think twice about insuring their buildings, but in many instances are exposed to loss and damage to their data. In the best case, stolen data, hacked systems and malware cause significant operational disruption. At worst, there will be reputational damage.
Businesses need to act on the basis that their security will be compromised. For boards of directors and other stakeholders, cybersecurity needs to be treated as a significant business risk. Those in oversight or management capacities therefore need greater insight into how organizations manage cybersecurity as part of their risk management programs.
Given that cyber security is a complex, multifaceted business risk, it is important to involve directors and management in ensuring a comprehensive business-led approach that embeds cybersecurity issues into all decision making and operations involving the company’s information networks and data.
A holistic risk management rather than piecemeal approach is the only effective way of dealing with an ever-changing business landscape, and the continually evolving threats and risks that span people, processes and technology across the business. Involving all levels of an organization helps to ensure that there is a framework understood by all and that the various lines of defense can collectively manage and mitigate cybersecurity risks on an ongoing basis.
A proactive and pragmatic risk-based approach involves identifying gaps, targeting resources to deal with key threats, and broadening cybersecurity activities beyond prevention to include intelligence, detection and response. Key steps include understanding cybersecurity roles and capabilities, and identifying, mitigating and monitoring specific risk areas such as privacy risk or cloud security.
Identifying and mitigating cyber risks involves mapping out major processes, systems and information flows, assessing risks, putting in place a remediation plan and appropriate controls, and monitoring on an ongoing basis.
In terms of dealing with substantial gaps in cybersecurity levels, it is important to identify the most critical information assets, and get the basics right. For many organizations, this means dealing with fundamental security practices including boundary firewalls and internet gateways; secure configuration; access control; malware protection; and patch management. Basic discipline involves responding to new standards and regulation, understanding the weaknesses in legacy systems, and identifying where investment in technologies can help.
Supporting smaller businesses is an important opportunity for firms to provide useful business advice. The professional accountant advisor can be particularly important in:
– Helping clients assess their governance and risk management – smaller businesses tend not to have strong risk management and control expertise. Accountants can ensure adequate business continuity and disaster recovery planning, particularly in the face of ransomware threats;
– Helping clients quantify risks and return on investment based on cost of breaches and stolen data and factors that impact cost; and
– Helping to mitigate risks with effective controls.
The ICAEW provides simple cyber security steps for smaller firms. To help accountants in terms of risk management and attestation, the AICPA’s System and Organization Controls (SOC) for cybersecurity provides the basis for transparent and consistent communications about an organization’s cybersecurity risk management efforts, and for increasing stakeholder confidence in management-prepared information about those efforts.
The AICPA’s cybersecurity risk management reporting framework, a key element of the SOC, includes description criteria for an entity’s cybersecurity risk management program, and sets out the key components of a cybersecurity attestation report: management’s description of the entity’s risk management program, management’s assertion on the operating effectiveness of controls to achieve cybersecurity objectives, and the CPA’s report on these.
The Impact on Knowledge and Skills
An enhanced role in cyber security does require relevant knowledge, skills and experience. For accountants to effectively undertake cybersecurity risk management or attestation services, key areas of knowledge and skills include:
– Relevant IT systems and technology, as well as the ability to keep current on changes in the technology and systems environment
– Understanding IT processes and controls and their evaluation
– Awareness and relevant experience with cybersecurity frameworks
– Understanding an entity’s industry and business and whether it is subject to specific types of cybersecurity risks
– Establishing and engaging multidisciplinary teams, for example including information security professionals and auditors.
The accountant also needs heightened ethical awareness when it comes to considering what action to take when there has been a breach in either their own organization, or in one that they are advising. Given the accountant’s obligation to act in the public interest, it might be necessary to make a public disclosure, such as informing customers that their personal information has been exposed. If there has been a ransom demand, it might be necessary to seek specialist advice and support.
More information on dealing with cyber security is available from the IFAC Gateway including resources from IFAC members.