Some senior managers take a passive or reactive approach to protecting their company's systems from cyberattacks and other risks. While they may acknowledge the risks, they believe that the risks are too small, or the cost of addressing them too high, to justify fixing the underlying causes. Their solution may be to purchase cyber insurance to cover the monetary loss if a breach were to occur.
This approach is not advisable. Insurance may limit the immediate financial loss, but it does nothing to prevent the breach, and the long-term damage to the company's brand and bottom line can be far greater than the insured amount. The company may also face regulatory and legal penalties that insurance does not cover.
According to the Federal Trade Commission in its Prepared Statement of the Federal Trade Commission on Protecting Personal Consumer Information from Cyber Attacks and Data Breaches, presented on March 26, 2014 before the Committee on Commerce, Science and Transportation in Washington, D.C.:
“A company [is considered to be engaging] in unfair acts or practices if its data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or to competition. The Commission has settled more than 20 cases alleging that a company’s failure to reasonably safeguard consumer data was an unfair practice.”
An organization that addresses risk passively may also be holding back its own growth. It is now common for large clients to raise risk when considering whether to purchase a product or service. Risk is reviewed in the initial discussions before a relationship is established, and it is reassessed throughout the relationship in periodic vendor reviews, client questionnaires, and audits of the company's business practices. Common areas of concern are the following:
-What means are used to protect information?
-What are the policies for the security, access, and retention of documents (in both electronic and paper formats)?
-Is there a plan for disaster recovery?
-Is the company in compliance with industry-specific regulations?
-Does the company have insurance coverage?
-Does the company have a plan for physical security?
If the company cannot answer these questions to the client's satisfaction, it may lose lucrative business, hurting cash flow, and lose still more business once word spreads that it is a risky vendor to work with.
The Proactive Approach
The implementation of a proactive approach to manage risk begins with taking the following steps:
Know and implement the COSO Internal Control—Integrated Framework. COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is a joint initiative of five private-sector organizations, including the American Institute of CPAs (AICPA), dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. COSO’s framework continues to be the gold standard for risk management and is a logical place to begin the process.
When you look at what the framework represents, it is clear that public and private organizations of all sizes can benefit from adopting it. Its purpose is to help an organization meet its operations, reporting, and compliance objectives, which includes preventing and detecting fraud. It is a standard framework for designing, implementing, and operating internal controls, and for assessing the effectiveness of the controls you already have. The framework was updated from the original 1992 version to the 2013 revision to reflect ongoing changes in the business environment, including evolving technology, increased outsourcing, and a changing regulatory landscape. (Companies that report to the Securities and Exchange Commission were expected to have fully transitioned to the 2013 framework by Dec. 31, 2014.)
Start by reviewing the COSO Internal Control—Integrated Framework’s five components (its core areas), its 17 principles, and its points of focus. Document how your organization addresses the concerns embodied in each of them. This documentation becomes the basis of your plan. In general terms, the five components are as follows:
Control Environment. This relates to the responsibility for maintaining an internal control environment, concentrating on people (ethics and integrity); employee development and training; and management oversight and accountability. The importance of proper employee training cannot be overstated. Employees are an organization’s greatest asset and its greatest risk, and every employee must become part of the risk management process.
Risk Assessment. This area is geared to the identification of entity objectives and the associated operations risks. Consider compliance with applicable regulations specific to your industry, as well as external financial reporting requirements. Identify areas where policies and procedures may allow for fraud to be conducted. Consider outside threats.
A best practice is to assign a seasoned veteran with a complete understanding of the organization’s business model to develop the risk-assessment plan.
Control Activities. The primary focus of this area is on the establishment and ongoing maintenance of policies and procedures; accountabilities; and security management, such as the segregation of duties and segregation of information access.
Information & Communication. This area concerns the gathering and dissemination of the information needed to support internal control activities, both within the organization and with outside parties.
Monitoring Activities. The framework recommends that management evaluate internal controls on an ongoing basis to confirm that they are present and functioning, communicate deficiencies to those responsible for corrective action, and report on the status of corrective measures.
Tips for success: The first three components do not need to be completed by the same person, as they cover different but related activities. In fact, it may be better to divide the work among senior managers to foster shared ownership of, and responsibility for, the plan.
Augment this information with other standards and frameworks that may apply, including risks identified by industry-specific trade groups and associations. Good examples of additional standards are ISO/IEC 27001 and NIST’s Framework for Improving Critical Infrastructure Cybersecurity.
Get approval and implement the plan throughout the organization. Once your plan is complete, seek approval from the board and senior management. After approval has been obtained, execute the plan throughout the organization. Communicate it across the entire entity so that all employees understand their roles and know exactly what the plan entails.
Continually update the plan. To be effective, a risk-management plan must be a living document that evolves as the business and its threats change. For example, suppose that during the year a client audits your product delivery or service, and while preparing your response you discover an area the plan does not cover. Update the risk plan immediately: you must assume the same client will ask the same question at the next audit.
I wrote this post for the Institute of Finance Management “Controller’s Report Member Briefing.” It was published in the August 2015 edition.