It is no secret that cybercrime has hit a record high. Reports from the Center for Strategic and International Studies and McAfee estimate that worldwide cyberattacks, including online fraud, financial crimes, post-breach mitigation, cyber insurance and more, are costing the world a whopping $600 billion, a $150 billion increase over 2014.
Bearing in mind that any organization, large or small, can be hit with ransomware, DDoS attacks, and other cyberattacks, the Center for Audit Quality has announced a new tool to help board members, management, and CPA firms have a strategic discussion about cybersecurity risks, mitigation processes, and disclosures.
The tool is called “Cybersecurity Risk Management Oversight: A Tool for Board Members.” The Journal of Accountancy reports that the tool can help board members and management have a better understanding of what questions to ask in order to help develop cybersecurity action plans.
Sample Questions from the “Cybersecurity Risk Management Oversight: A Tool for Board Members”:
- What framework does management use in designing its cybersecurity risk management program?
- What processes are in place to periodically evaluate the cybersecurity risk program and controls?
- What additional offerings can CPA firms provide related to cybersecurity since the financial statement auditor’s focus is on IT risks that affect financial reporting?
As companies defend their networks and IT infrastructures against cybercrime with firewalls and antivirus software, organizations must also bear in mind the recent compliance laws around reporting data breaches. For example, the Securities and Exchange Commission (SEC) as well as 48 states around the nation have data breach laws that require companies to report breaches in a timely manner. In addition, the new GDPR (General Data Protection Regulation), which went into effect on May 18, 2018, requires that companies that do business in the European Union, or whose business dealings affect EU citizens’ online privacy, report data breaches within 72 hours of the attack or else suffer large fines.
Sample Questions from the tool in relation to reporting to the SEC and other organizations:
- In complying with the current SEC guidance, how has management considered cybersecurity risks in its ability to record, process, summarize, and report on information required to be disclosed in its SEC filings?
- Has the design and operating effectiveness of the disclosure controls and procedures been evaluated to ensure they appropriately record, process, summarize and report on information required to be disclosed in the company’s SEC filings?
It is important to be vigilant in creating a Cybersecurity Business Continuity Plan and putting the right processes in place for reporting data breaches. Contact DiamondIT at 877-716-8324 to learn more about security training, compliance, assessment services and more, so you can build out your lines of defense and prevent cybercrime.