What Banks Need to Know About the AICPA Cyber SOC

For organizations of every kind, data breach incidents are "when"—not "if" events. Especially for business entities (like banks) that manage clients’ private information, building vigilance against threat actors, unintentional compromises, and other cyber vulnerabilities is as much a part of risk management as instituting compliance measures. But understanding how to spot weaknesses, build transparency, and engage checks and balances demands a new level of focus and capability for many banks.

This summer, the AICPA issued its much-anticipated standard on cybersecurity. Their System and Organization Controls (Cyber SOC) is new guidance that CPAs can use to standardize a process for reviewing and reporting on cybersecurity.

How the AICPA Cyber SOC Changes Risk Management

Organizations historically have relied on outside consultants and internal resources to spot and mitigate cyber risks. The Cyber SOC fundamentally changes how cyber threats are evaluated and managed. It allows for an independent, objective look at an organization’s processes, policies, and controls around cyber risks. 

Particularly for Boards of Directors, the new standard offers a necessary higher level of sophistication around understanding cyber risk, which is constantly evolving and demanding greater oversight and agility than may be in place. The Cyber SOC also provides a more consistent benchmark of a business’ cybersecurity. The standard uses the same framework of management description of controls, control objective and control testing used in Service Organization Control Reporting (now renamed System and Organization Control Reporting).

Financial institutions no doubt will need to rely on this new report to evaluate businesses for loans and other forms of financing. Additionally, the report offers a framework through which leaders can assess the ability of a contractor to protect confidential information the institution may share for processing. The AICPA expects the report will become a standard resource for anyone considering the creditworthiness of a business seeking capital.

As with previous SOC reports, the Cyber SOC framework allows for a readiness assessment that can be used as a dry run for the formal SOC engagement. In the readiness assessment, the CPA benchmarks the organization’s current cyber control framework against the Cyber SOC control objectives. This benchmarking allows for the identification of gaps in the cyber control environment that can then be remediated. 

Once your team has performed a readiness assessment and mitigated all gaps, you can engage a SOC review. It will test each cyber control, alleviating concern about the robustness and operating effectiveness of the cyber controls. A report summarizing the controls, testing and results should then be provided to the Board as part of their oversight responsibilities.

The Cyber SOC is one of the next generation services from the AICPA. It’s incredibly valuable for organizations, and just as important to their Board members in identifying and managing cyber risks. 
