The most far-reaching regulations are often borne out of crisis, as we saw with the creation of the U.S. Sarbanes-Oxley Act of 2002 in response to a series of financial disasters. We are now in the midst of an ongoing cyber crisis, and internal auditors should be preparing for the regulations to come.
In the past few weeks alone, we heard of millions of people having their personal information stolen from major companies such as Google and Marriott. We all know the list of known hacks goes on and on. And then there is the saying that there are two types of companies: those that have been hacked and those that don't know they've been hacked.
The European Union and California have addressed a portion of the cyber crisis with new regulations to protect data privacy. This, to me, is the tip of the iceberg. Could we get to the point where regulators take something like the U.S. National Institute of Standards and Technology Cybersecurity Framework and require a Sarbanes-Oxley-like approach, where every control must be tested with a final sign-off by the CEO and chief information officer?
In fact, the American Institute of Certified Public Accountants (AICPA) is already pushing down this path. With its Cybersecurity Risk Management Reporting Framework in 2017, it introduced a System and Organization Controls (SOC) for Cybersecurity engagement. This (currently) voluntary examination includes management's description of the entity's cybersecurity risk management program, management's assertion, and a practitioner's report. The practitioner's report:
"addresses whether management's description is presented in accordance with the description criteria and whether controls within the entity's cybersecurity risk management program were effective to achieve the entity's cybersecurity objectives."
That all sounds very Sarbanes-Oxley-like.
It is important to recognize that cybersecurity is an ever-evolving risk that increasingly demands greater attention from organizations. While well-intentioned, AICPA's cybersecurity engagements are unlikely to adequately address an organization's current needs or the needs of its stakeholders. The engagements would most certainly be issued as of a specific point in time, mention significant inherent limitations, and bring significant cost. What's more, similar to Sarbanes-Oxley, these engagements may provide an unrealistic appearance of certainty and likely divert organizational resources away from addressing the cyber risks themselves.
One of the key reasons the Cybersecurity Act of 2012 failed to pass in the U.S. Senate was concern over added costs and an unnecessary burden on business. Past experience, such as the impacts of complying with Sarbanes-Oxley and the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act, further shows that another framework and external review of an entity's cybersecurity risk management program would surely increase compliance costs. What matters is not the cost in isolation, but whether the benefits of the work outweigh it.
Instead, the focus should be on enabling organizations to address the cyber risks and to accommodate emerging regulatory requirements. This is best accomplished with a robust, objective, and independent internal audit function that has the appropriate skills and is adequately resourced to address such risks. It is unclear to me why it is in the best interest of organizations to look to public accounting firms for these skills. In fact, having firms aggressively recruiting personnel who have these skills could impede organizations from obtaining them to more directly address the cyber risks.
One of the biggest complaints about Sarbanes-Oxley is that it is too focused on minutiae and misses the big picture. After all, financial problems continue. Internal audit must help avoid the same happening with cybersecurity. It's not that the minutiae are unimportant: certain controls are critical. What matters more is that you don't get run over by new and emerging cyber risks because you are overly focused on the number and details of individual controls, some of which may be important while others are not.
New, comprehensive cyber regulations will be coming and the role for internal audit in cybersecurity issues will need to expand. Don't be caught off guard. Begin by understanding the cyber risks in your organization. Perform a gap analysis, acquire the right resources, and get engaged.
Build the right relationships with security professionals in your organization and with regulators, if applicable. You don't want to meet for the first time during a crisis. You may even consider regular checkpoints with key personnel involved in cybersecurity, so you stay informed and know when it is the right time to speak up. Being engaged will also allow you to answer questions from board and audit committee members effectively when they start asking, or, better yet, to be proactive in communicating cybersecurity concerns to them before problems erupt.
That's my point of view. I'd be happy to hear yours.