The AICPA wants to build a common standard for assessing and reporting on cybersecurity programs

There's a lot going around these days: viruses, malware, Trojans, ransomware, you name it. And if you're not careful, you could catch a nasty case of any of these afflictions.

Most companies are taking great pains to inoculate themselves by building up their cybersecurity programs and managing the risks. Yet nobody seems to be completely immune. That's partly because, like immunity against infectious diseases, defense against cyber-attacks and other computer maladies depends a good deal on the cybersecurity habits of others, including partners, suppliers, cloud providers, data services, resellers, and nearly every entity that interacts with your network or data. But how do we know if these third parties are making the same effort to prevent attacks as we are? We don't.

That's where cybersecurity reporting comes in. Companies should be able to easily check on the cybersecurity health and practices of the parties they interact and share data with, or those they trust to safeguard their own data. Consumers, regulators and other stakeholders also want more information on who is lagging behind on cybersecurity. There should be a standardized framework to assess those efforts.

The American Institute of Certified Public Accountants floated plans this month to provide a system that would do just that when it released two exposure drafts designed to provide a framework for evaluating and reporting on a company's cybersecurity risk-management program. The AICPA envisions a system where the company's independent auditor or another firm would conduct an assessment along agreed-upon standards and issue a report separate from the company's financial reports.

"Our primary objective is to propose a reporting framework through which organizations can communicate useful information regarding their cybersecurity risk-management programs to stakeholders," said Sue Coffey, executive vice president–public practice in a Journal of Accountancy report on the plans.

According to the AICPA's first exposure draft on the plan, "Proposed Description Criteria for Management's Description of an Entity's Cybersecurity Risk Management Program," the reporting process would have two main elements: a description of the cybersecurity risk-management plan and an assessment of the effectiveness of its cybersecurity controls.

"In the cybersecurity examination, management makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria. The subject matter of the cybersecurity examination includes the following:

  • A description of the entity's cybersecurity risk management program in accordance with the description criteria.
  • An assessment of the effectiveness of the controls within that program to achieve the entity's cybersecurity objectives based on the control criteria."

Competing Standards

There are, of course, several systems, standards, and frameworks for evaluating and reporting on cybersecurity programs at companies already in place. According to the AICPA, they are too fractured and varied to be useful in fully understanding a company's cybersecurity readiness. "The existence of multiple, disparate frameworks and programs for evaluating security programs and their effectiveness, as well as different stakeholders' preferences for each, has created a chaotic environment that only increases the burden on organizations trying to communicate how they design, implement, and maintain an effective cybersecurity risk management program," Chris K. Halterman, executive director, advisory services for EY and chair of ASEC's Cybersecurity Working Group, told the Journal of Accountancy.

Whether or not the AICPA can be the organization to create the uniform standard remains to be seen. Since it leverages a fairly universal system of financial assessment and reporting, it may have the best shot yet at creating a common system of reporting on cybersecurity programs. And it is already gaining some backers, including the Center for Audit Quality.

"A comprehensive approach that is risk based and driven from the internal control structure of the company and that can be delivered with independence and objectivity offers a new approach for management and boards to bring to bear on cyber-security risk," the CAQ wrote in a report on the proposal.

The AICPA is accepting public comments on the two proposals until December 5.