Appendix II:
Cybersecurity risk management reporting framework
In response to the growing demand for information about the effectiveness of organizational efforts to manage cybersecurity threats, the AICPA has developed a cybersecurity risk management reporting framework. While there are many methods and frameworks for developing cybersecurity risk management programmes, this framework is a common language for organizations to communicate about, and report on, these efforts.
The framework includes the following three components, as highlighted in the AICPA Cybersecurity Fact Sheet:
Management’s description. A narrative prepared by management that describes the entity’s cybersecurity program. This description is designed to provide information about how the organization identifies its information assets, the ways in which the entity manages the cybersecurity risks that threaten it, and the key security policies and processes implemented and operated to protect the organization's information assets against those risks.
Management’s assertion. In this assertion, management states whether the description is presented in accordance with the description criteria (discussed below) and whether the controls within the programme were effective in achieving the entity’s cybersecurity objectives, evaluated against control criteria that are appropriate for an engagement performed under the AICPA’s attestation standards.
The practitioner’s opinion. The third component of the framework is the CPA’s opinion on the description and on the effectiveness of controls within the entity’s cybersecurity program.
The framework is a key component of a SOC for Cybersecurity attestation engagement. It can also help organizations demonstrate to analysts, investors and other external parties that they have effective processes and controls in place to detect, respond to, mitigate and recover from breaches and other security events.
The benchmarks that management can use when describing its cybersecurity risk management programme are set out in the framework’s Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program.
An illustrative cybersecurity risk management report has also been developed to provide an example for how an entity might prepare and present a description of its cybersecurity risk management programme.
The description criteria are categorized into the following sections:
Nature of business and operations. Disclosures about the nature of the entity’s business and operations.
Nature of information at risk. Disclosures about the principal types of sensitive information the entity creates, collects, transmits, uses and stores that are susceptible to cybersecurity risk.
Cybersecurity risk management programme objectives (cybersecurity objectives). Disclosures about the entity’s principal cybersecurity objectives related to availability, confidentiality, integrity of data and integrity of processing, and about the process for establishing, maintaining and approving those objectives.
Factors that have a significant effect on inherent cybersecurity risks. Disclosures about factors that have a significant effect on the entity’s inherent cybersecurity risks, including the characteristics of technologies, connection types, use of service providers, and delivery channels used by the entity; organizational and user characteristics; and environmental, technological, organizational and other changes during the period covered by the description, at the entity and in its environment.
Cybersecurity risk governance structure. Disclosures about the entity’s cybersecurity risk governance structure, including the processes for establishing, maintaining and communicating integrity and ethical values, providing board oversight, establishing accountability, and hiring and developing qualified personnel.
Cybersecurity risk assessment process. Disclosures related to the entity’s process for identifying cybersecurity risks and environmental, technological, organizational and other changes that could have a significant effect on the entity’s cybersecurity risk management programme; assessing the related risks to the achievement of the entity’s cybersecurity objectives; and identifying, assessing, and managing the risks associated with vendors and business partners.
Cybersecurity communications and the quality of cybersecurity information. Disclosures about the entity’s process for communicating cybersecurity objectives, expectations, responsibilities and related matters to both internal and external users, including the thresholds at which identified security events (those that are monitored, investigated and determined to be security incidents requiring a response, remediation, or both) are communicated.
Monitoring of the cybersecurity risk management programme. Disclosures related to the process the entity uses to assess the effectiveness of controls included in its cybersecurity risk management programme, including information about the corrective actions taken when security events, threats, vulnerabilities, and control deficiencies are identified.
Cybersecurity control processes. Disclosures about the entity’s process for developing a response to assessed risks, including the design and implementation of control processes; the entity’s IT infrastructure and its network architectural characteristics; and the key security policies and processes implemented and operated to address the entity’s cybersecurity risks.