Goal is to promote consistent disclosure on how companies manage the risk
The American Institute of CPAs (Aicpa) has launched a reporting framework designed to help directors, management and investors assess how companies are tackling the hot-button issue of cyber-security.
The Aicpa hopes the three-part voluntary, principles-based framework can become the universal standard for companies to assess and report on their cyber-risk management programs, comparing it with other standardized accounting principles such as US Gaap and IFRS.
‘The framework we have developed will serve as a critical step to enabling a consistent, market-based mechanism for companies worldwide to explain how they’re managing cyber-security risk,’ says Susan Coffey, the Aicpa’s executive vice president for public practice. ‘We believe investors, boards, audit committees and business partners will see tremendous value in gaining a better understanding of organizations’ cyber-security risk-management efforts.’
The first and most applicable part of the framework to boards and company management is called the ‘description criteria’. These criteria lay out a structure for companies to describe how they’re addressing cyber-security risk management. ‘[This is] a way for management [teams] to look at what they have in place and take a holistic approach to managing cyber-security risks, including their relationships with third parties, service providers and on the cloud,’ Erin Mackler, director of assurance and advisory services – system and organization controls reporting at the Aicpa, tells Corporate Secretary.
Aicpa officials say the standardized language will help boards and investors assess how well a company is prepared for an attack.
The second part – called the ‘control criteria’ – applies to external accounting professionals, providing them with a framework to evaluate and report on the effectiveness of a company’s cyber-security program. Aicpa will release the third part of the framework – the ‘attest guide’ – later this month. It will provide additional resources to CPAs.
The framework was developed over the course of two years, with input from corporate board representatives, accounting professionals and internet security experts. ‘We had to strike a careful balance of not disclosing sensitive information,’ Mackler says. ‘The framework creates the right amount of disclosure so that it is useful without being too prescriptive or disclosing sensitive information.’