Communicating with stakeholders on Cyber Security risk management can be a challenge. EY has prepared this document to assist organizations in addressing the growing demand from stakeholders to provide greater transparency and confidence in their cybersecurity risk management program.
This document has been prepared to assist organizations in addressing the growing demand from stakeholders to provide greater transparency and confidence in their cybersecurity risk management program (CRMP) through the issuance of enhanced stakeholder communications.

In summary, the journey to issue enhanced stakeholder communications is a significant undertaking. It begins with the implementation of a robust CRMP – one that effectively manages the organization’s risks and helps to achieve its business objectives.
• While most organizations have made significant investments over the past several years to continue the enhancement of their programs, many still require substantial remediation to evolve their programs to an appropriate level of maturity.
• For some organizations, this activity may require an extended period of time to achieve.

A valuable resource for management teams to reference as they undertake this activity is the American Institute of Certified Public Accountants’ (AICPA) CRMP evaluation criteria/framework. Unlike implementation frameworks that focus on ensuring that the key building blocks of a program are in place, the AICPA’s evaluation framework is focused on the outcome – is the program designed and operating effectively to meet the organization’s cybersecurity objective?
• In addition to being more business-centric, if management is considering the issuance of an enhanced stakeholder communication under one of the AICPA’s reporting options, adherence to the evaluation framework will be essential, as the criteria and areas of focus will generally serve as the basis of those engagements.

As you review this material and progress on your own journey, feel free to reach out to your local EY representatives if you would like further information on how we can assist you.
Communicating with stakeholders
Managing cybersecurity risk
Evaluating and reporting on cybersecurity risk management programs
An implementation road map

This road map outlines a comprehensive approach to preparing your organization for enhanced stakeholder communications. Based on the current state of your CRMP, the time required to complete each phase will vary – especially Phase 5, where remediation occurs.

Phase 1 – Understand your business objectives, enterprise risk, cybersecurity risk and cybersecurity objectives
• Understand the cybersecurity risk profile of your organization (e.g., who you are, what you do, how you do it, the markets you operate in, the type of at-risk information you possess, contractual/regulatory data obligations, etc.)
• Challenge the depth of your risk assessment relative to cybersecurity risk
• Identify your cybersecurity objectives relative to availability, confidentiality, integrity of data and processing, and how these objectives align with your overall business and strategic objectives
• Update internal stakeholders on insights gained and next steps

Phase 2 – Evaluate the current state of your CRMP
• Challenge what you currently know about your entity-wide CRMP and its maturity
• As necessary, perform a rapid assessment of your program to round out the understanding of your current state
• Update internal stakeholders on insights gained and next steps

Phase 3 – Evaluate your cybersecurity risk management and communication needs
• Evaluate the need to further mature your CRMP
• Evaluate whether formal reporting on your CRMP is needed, and if so, the type of reporting and proposed timing
  • Internal stakeholders
  • External stakeholders
• Update internal stakeholders on insights gained and next steps

Phase 4 – As necessary, perform an in-depth assessment of your CRMP
• Evaluate the design, maturity and operational effectiveness of key processes and controls to achieve the organization’s cybersecurity objectives
• Identify gaps/lack of maturity in the program
• Develop an action plan to guide remediation of identified gaps/maturity issues
• Update internal stakeholders on insights gained and next steps

Phase 5 – Remediate gaps
• Implement processes, controls and technology solutions to address identified gaps and issues
• Update internal stakeholders on progress made

Phase 6 – Re-assess your CRMP
• Following completion of remediation, re-evaluate the design, maturity and operational effectiveness of key processes and controls to achieve the organization’s cybersecurity objectives
• Re-evaluate risk factors impacting the organization
• Update internal stakeholders on insights gained and next steps

Phase 7 – As necessary or desired, prepare for cybersecurity reporting
• Develop draft report description based on AICPA’s “description criteria”
• Engage a qualified service provider to execute examination procedures to evaluate the design and operational effectiveness of the organization’s CRMP
Phase 1
Understand your business objectives, enterprise risks, cybersecurity risks, contractual/regulatory obligations and cybersecurity objectives
Review and challenge (and, as necessary, update) your understanding of the “cybersecurity risk profile” of your organization; ensure this understanding identifies:
• Who you are, what you do, how you do it, the markets you operate in, etc.
• All contractual/regulatory requirements, as well as the entity’s commitments (e.g., published data policies) and stakeholder expectations associated with data
• What type of information or processing is at risk, and where that risk resides (e.g., internally, suppliers, cloud)
  • Data that could be extracted and monetized
  • Data that, if modified, could affect the integrity of processing
  • Applications that, if modified, could affect the integrity of processing
Review and challenge (and, as necessary, update) the depth of your risk assessment relative to cybersecurity risk
• Evaluate the likelihood and impact of cybersecurity risk on data and processing activities that support the organization’s key business processes (i.e., what could go wrong)
• Issues beyond what is most frequently seen in the market (e.g., “data grabs”) should be considered given the growing evolution of cybersecurity attacks; examples include:
  • Unauthorized manipulation of data (e.g., widespread manipulation, subtle manipulation that could eventually call into question overall data integrity)
  • Unauthorized manipulation of applications, business rules, etc., that affect the processing of transactions
  • Business interruption/ransomware attack that impacts ongoing operations
• Enterprise risk management (ERM) programs often identify cybersecurity as a single, isolated risk, rather than identifying the implicit impact cybersecurity has throughout the organization
  • As necessary, update the enterprise risk inventory for situations where identified cybersecurity risk had not been properly reflected
  • Challenge whether conclusions reached in the ERM program should be revised based on the potential likelihood and impact of cybersecurity risk
• Challenge the alignment of the ERM program to the organization’s business goals and objectives
  • Update the ERM program for any business objective that is missing a relevant enterprise risk
Identify your cybersecurity objectives relative to availability, confidentiality, integrity of data and integrity of processing; these objectives generally relate to:
• Organizational matters such as business strategies, protection of intellectual property, competitive advantages and business operations
• Commitments made to customers, vendors, business partners and others related to the security and availability of information and systems
• Laws and regulations to which the entity is subject as a result of the types of information it possesses or uses
• Industry standards to which the entity is subject as a result of the types of information it uses
Update internal stakeholders on insights gained and next steps
Desired outcomes and benefits:
• A comprehensive understanding of the organization’s cybersecurity risk profile, including a compilation of CRMP requirements (e.g., contractual obligations, regulatory requirements, company policies and perceived stakeholder expectations)
• A comprehensive risk assessment that appropriately identifies the likelihood and impact of cybersecurity risk on the organization’s ERM program, and ultimately the organization’s business goals and objectives
• A comprehensive listing of the cybersecurity objectives that the organization intends to achieve
Build-out of key steps in road map (seven phases)
Phase 2
Evaluate the current state of your CRMP
Challenge what you currently know about your entity-wide CRMP and its maturity
• Note: Most organizations (1) have some form of a CRMP in place and (2) periodically assess their program; however:
  • The depth and extent of these assessments vary considerably, ranging from high-level/inquiry-only assessments to comprehensive assessments that include the detailed review/evaluation of documentation and processes, testing, etc.
  • Most organizations lack an accurate understanding of the depth/extent of assessment that has been performed, or of their true maturity level
• Challenge the depth and breadth of previous internal and external assessments
  • Evaluate the results of previous assessments, considering:
    • The scope of the assessment (e.g., business unit/location-specific vs. enterprise-wide)
    • The independence and objectivity of the assessment
    • The depth of the assessment
    • Inclusion of all critical CRMP components; program components that are often overlooked, or only covered at a superficial level, include:
      • Risk assessment activities
      • Information assets (e.g., hardware, virtual servers, software, data, connections, etc.)
      • Monitoring capabilities
      • Change management system
      • Vendor risk management program
      • Threat intelligence program
      • Vulnerability management program
    • Extent of validation of process/control effectiveness performed
    • Extent of compliance testing performed on control procedures
    • Competency and independence/objectivity of the assessor
    • Volume and severity of issues identified/outstanding
    • Effectiveness of incident detection, evaluation and response
    • Status of remediation of identified issues
• Challenge your understanding of program maturity across the entity
  • In light of new information accumulated on the depth and breadth of previous assessments, challenge prior conclusions on the maturity of the organization’s CRMP
  • Identify a comprehensive list of known issues, the related strategies to address them and the related remediation timeline
    • Ensure that the list is enterprise-wide
    • Validate the viability of identified remediation strategies and timelines
As necessary, perform a rapid assessment of the organization’s program to round out the understanding of your current state
Update internal stakeholders on insights gained and next steps
Desired outcomes and benefits:
• A more comprehensive understanding of the current state and maturity level of the organization’s CRMP
Phase 3
Evaluate your cybersecurity risk management and communication needs
Evaluate the need to further mature your CRMP
• Compare your understanding of the current state of your program and maturity level to the expectations of the Board, executive management and, as necessary, the market (e.g., investors, clients, business partners)
  • Solicit input from the Board and executive management on their expectations relative to the desired maturity level for cybersecurity risk management; compare to the organization’s current state
  • Evaluate your ability to achieve your identified cybersecurity objectives
  • Gather information on the cybersecurity risk management maturity level of market competitors; compare to the organization’s current state
• As necessary, identify and execute a strategy to enhance/mature your CRMP to align with the organization’s needs
Evaluate whether formal reporting on the organization’s CRMP is needed; and if so, identify the proposed time frame
• Identify the organization’s various internal and external stakeholders (e.g., Board, management, investors, analysts, business partners, regulators) and their potential need for greater transparency and confidence in the organization’s CRMP
• Evaluate the range of communication options available to address each stakeholder’s unique needs; examples may include:
Communications options available to address stakeholders’ needs

Option: Do nothing
  Scope: Not applicable
  Stakeholder applicability: Not applicable
  Benefits: Cost-effective
  Limitations: Does not address relevant areas of concern of the stakeholders

Option: Internally prepared materials – education sessions
  Scope: Determined by management
  Stakeholder applicability: Board; executive management
  Benefits: Allows management to control the depth and breadth of the messaging; cost-effective
  Limitations: Lacks objectivity; may not address relevant areas of concern of the stakeholders

Option: Internally prepared materials – presentation materials
  Scope: Determined by management
  Stakeholder applicability: Board; executive management; investors; analysts; business partners; regulators
  Benefits: Allows management to control the depth and breadth of the messaging; cost-effective
  Limitations: Lacks objectivity; may not address relevant areas of concern of the stakeholders

Option: Pilot program (1) – internal use only report
  Scope: Entire organization, or targeted at specific business units or higher-risk areas
  Stakeholder applicability: Board; executive management
  Benefits: Heightened level of objectivity; greater ability to manage investment in money and time
  Limitations: Does not address any immediate needs of outside stakeholders

Option: AICPA reporting options (2) – System and Organization Controls (SOC) for Cybersecurity report
  Scope: Entire organization
  Stakeholder applicability: Board; executive management; investors; analysts; business partners; regulators
  Benefits: Heightened level of objectivity; content based on a market-vetted framework
  Limitations: Significant investment in money and time

Option: AICPA reporting options (2) – SOC for Service Organizations report
  Scope: Portion of the organization that supports the outsourced service
  Stakeholder applicability: Business partners
  Benefits: Addresses all relevant areas of concern of the stakeholder
  Limitations: Significant investment in money and time

Option: AICPA reporting options (2) – SOC for Supply Chain report
  Scope: Portion of the organization that supports the manufacturing and distribution of supply chain goods
  Stakeholder applicability: Business partners
  Benefits: Addresses all relevant areas of concern of the stakeholder
  Limitations: Significant investment in money and time

(1) As an interim step to reporting under the AICPA guidance, organizations could elect to adopt a staged rollout (a) covering some or all of their operations and/or (b) using the AICPA evaluation framework or other suitable criteria the organization may already be leveraging. Such reports would be restricted for internal use only.
(2) A further discussion of these options can be found at the AICPA’s website under the caption “SOC for Cybersecurity” or in EY’s previously issued thought leadership “Cybersecurity Reporting.”

Develop a proposed stakeholder communication strategy and recommended implementation timeline
Review the proposed strategy and recommended implementation timeline with the Board and management
Desired outcomes and benefits:
• An evaluation of the organization’s cybersecurity risk management program maturity across the key domains
• A summary of management’s point of view of its cybersecurity reporting needs
• Communication strategy and timeline for addressing needs
Phase 4
As necessary, perform an in-depth assessment of the organization’s cybersecurity risk management program
Evaluate the design, maturity and operational effectiveness of key processes and controls to achieve the organization’s cybersecurity objectives
• Leverage a comprehensive evaluation framework that aligns with the organization’s anticipated reporting needs (e.g., AICPA evaluation criteria) as a basis to evaluate:
  • Adequacy of processes/controls to identify/complicate/detect/respond to/recover from a cyber event
  • The framework selected must satisfy the “suitability test” if subsequent reporting is being considered
• Evaluate process/control maturity
  • Sufficiently documented to help ensure consistent execution
  • Sufficiently built-out to help ensure it is responsive to the key underlying risks (or what-could-go-wrong scenarios)
  • Applied across the entire organization
  • Consistently applied (i.e., compliance)
• Perform validation procedures to help ensure the effectiveness of key processes and controls
  • Perform process/control walk-throughs to confirm understanding
  • Validate implementation of automated processes
  • Validate compliance with processes involving human intervention
  • Evaluate results
Identify key controls over key process areas
• Develop a mapping of the organization’s processes and controls against the AICPA evaluation criteria or other suitable criteria
Identify gaps in the program
• Identify instances where current processes and controls fail to satisfy the AICPA evaluation criteria or other suitable criteria
Develop a prioritized and time-boxed action plan to guide remediation of gaps
Update internal stakeholders on insights gained and next steps
Desired outcomes and benefits:
• Mapping of the organization’s processes and controls against AICPA evaluation criteria
• Summary of significant deviations from the expectations identified in the AICPA evaluation criteria (i.e., gap assessment)
• Action plan that outlines remediation steps to address gaps and associated timelines
Phase 5
Implement comprehensive solutions to address identified gaps based on the action plan
As noted previously, the time required to complete this phase will vary considerably based on each organization’s current status and the assumptions made in the Phase 4 action plan relative to time frames, priorities, challenges, etc.
Update internal stakeholders on progress made
Desired outcomes and benefits:
• Execution of the action plan, resulting in the implementation of policies, procedures, controls and technologies to address identified gaps
Phase 6
Re-assess the organization’s cybersecurity risk management program
Following completion of remediation, re-assess the design and effectiveness of processes and controls
• Perform validation procedures to help ensure the effectiveness of key processes and controls
  • Perform process/control walk-throughs to confirm understanding
  • Validate implementation of automated processes
  • Validate compliance with nonautomated processes
Re-evaluate risk factors impacting the organization
• Given the extended time frame that may be required to remediate gaps, consider structural, operational and other changes that may have occurred in the organization during remediation, and their impact on the CRMP
Update internal stakeholders on insights gained and next steps
Desired outcomes and benefits:
• Updated mapping of the organization’s processes and controls against AICPA evaluation criteria
• Summary of any new significant deviations from the expectations identified in the AICPA evaluation criteria (i.e., gap assessment)
• Action plan that outlines remediation steps to address gaps and associated timelines
• Execution of the action plan, resulting in the implementation of policies, procedures, controls and technologies
Phase 7
As necessary or desired (based on communication needs), prepare for cybersecurity reporting
Prepare draft of report description
• Develop report description based on AICPA “description criteria”
Complete examination
• Execute examination procedures to evaluate the design, maturity and operational effectiveness of the organization’s cybersecurity risk management program
Desired outcomes and benefits:
• Issuance of enhanced stakeholder communication report