Kral Ussery LLC, Certified Public Accountants
TX Office: (817) 416-6842
NV Office: (702) 565-2727
Search    

Assessing Cybersecurity Risk

Assessing Cybersecurity Risk:  Are We Getting Value from the Effort? 

This class is oriented towards corporate board / audit committee members, C-Level executives and accounting / legal firm managing partners. This is for 4 hours of CPE, on-site class instruction with significant class interaction.

Today, there are many different approaches to assessing cybersecurity / enterprise IT risks. Everybody has an opinion on preferred vendor solutions, but what should you really be looking at? In many cases a corporation may have several different efforts underway to address risks & implement solutions, dependent upon their business function: IT, Finance, Legal, Operations, Insurance / Risk Management. Sometimes they consult with each other and sometimes not, possibly developing conflicting projects that could still leave an enterprise exposed. Topics include:
  • Functional approaches to assessing cybersecurity risk:
    • Information Technology / Security Officer perspective: technical oriented, use software, hardware investments to mitigate threat risks; data center & security operations command center focused
    • Auditor / Legal / Risk Management perspective: internal controls, governance & compliance oriented.  Possibly use insurance policies to assist with financial transfer.
    • Operations perspective:  equipment automation / ‘Internet of Things’ oriented, using equipment vendor installed security controls to improve operational productivity.
    • Finance / Tax Planning perspective:  Financial budget and controls over financial statement reporting oriented; possibly use captive insurance company for tax planning, to extend corporate self-insurance.
  • Brief review of cybersecurity risk assessment standards & frameworks
    • Review of various frameworks, with emphasis on NIST - CSF usage by various professional groups
  • Review of various risk assessment efforts, reporting & how used
    • Technical security consulting efforts:  Vulnerability scanning / Penetration testing, Microsoft Score, services by technical vendors -- CISCO, technical security consultants, Big 4 consultants, IT outsourced / managed service providers
    • COSO Internal Control Framework:  Sarbanes - Oxley Act required management certification & description of controls
    • AICPA: SOC for Cybersecurity attest
    • ISACA: CISA attest & reporting function, with focus on IT Governance
    • ISO 27001: Standard certification & reporting 
    • Insurance broker tools for assessing risks & assisting underwriting efforts 
  • How do I ensure my company has the appropriate leadership?   
    • Depends on who really is driving the process; ‘Tone at the Top’ still rules. The board needs to ensure that executive leadership really has the appropriate personnel representation & training efforts
    • Does your firm consider their critical customer & vendor electronic connections?  Supply chain risk has become more intense as firms develop their security systems but have not really checked on their supply chain partners.  [WSJ article on Department of Navy cs issues] 
    • Do you understand your firm's Enterprise Risk Matrix?
    • How do you measure & monitor such efforts?
    • Does all 'cybersecurity effort' end up with your IT Security Officer?  This is only part of the solution. Leadership needs to understand limitations to technical solutions & ensure they are aligned to business objectives and not just reactive to the 'threat of the day.'
    • Behavioral, cultural, organization elements can create your greatest risks
      • Gaining alignment to business objectives
      • Cybersecurity awareness training for everyone on staff and key vendors / business partners
  • Does my cyber risk insurance policy really cover my exposure?
    • Who participates in the insurance policy review process?  
    • Does the policy coverage align to my company's critical risk exposures that I am seeking to financially transfer?
    • Why are insurance carriers willing to write cyber risk coverage? Especially given the seemingly unending threats and lack of historical data.
    • Should I use my captive insurance operations for cyber risk & related customer data privacy liability exposure?    
  • Summary
    • Lack of enterprise transparency creates exposure and wasted resources
    • Cross functional effort is necessary to ensure critical business risks are identified, analyzed, mitigated, transferred and understood. 
    • The exposure / threat is ever present; so be prepared
    • Efforts can be leveraged to reduce impact from incidents and improve value from cyber-risk insurance policies.
  • Open question & class discussion
Session objectives:
  • Learn about various cybersecurity risk assessment standards & frameworks
  • Explore risk assessment efforts, reporting & how to apply the COSO Internal Control - Integrated Framework and the AICPA’s SOC for Cybersecurity
  • Examine the pros and cons of cyber-risk insurance policies
  • Understand what it takes to enhance cybersecurity from a cultural standpoint
  • Discuss cybersecurity risk management approaches for all organizational sizes

Kral Ussery Services Overview

Kral Ussery Services Overview Flyer

Kral Ussery Services

Accounting & Audit Readiness

Litigation Support

Data Quality and M&A

Internal Audit, IT Risk & SOX

SEC Compliance

Interim Roles & Performance

Get In Touch With Us

Kral Ussery Contact Us

TX Office: (817) 416-6842
NV Office: (702) 565-2727

Governance Issues TM

A Newsletter to Help You
Protect & Grow Shareholder Value

Free Subscription     View Previous Articles
IPO FAQs | IPO Process | Detailed IPO Process Steps
Home | Privacy Policy | Disclaimer | Site Map

Copyright © , Kral Ussery LLC, Certified Public Accountants All Rights Reserved

Web Presence By Netphoria Inc