S - 1 Panel 4: Accounting for Cybersecurity Reporting and Attestation Issues October 2, 2015.


Transcript of S - 1 Panel 4: Accounting for Cybersecurity Reporting and Attestation Issues October 2, 2015.


S - 1

Panel 4: Accounting for Cybersecurity Reporting and Attestation Issues

October 2, 2015


S - 2

The Cybersecurity Issue

Increasing Board Concern
As a result of the widely publicized cyber attacks on major corporations and public sector entities by hackers, criminals and foreign governments, cybersecurity is gaining increasing attention from boards of directors, customers, business partners, and regulators.

Causes Not Well Defined or Understood
Are these attacks due to a lack of standards, inadequate regulations, managements' failures to adopt adequate countermeasures, lapses in monitoring or a lack of satisfactory technical solutions?

Evaluating Cybersecurity Initiatives
Entities are currently in the process of evaluating their cybersecurity programs, and are discussing options for communicating how they achieve their cybersecurity objectives.

Independent Reporting
One key aspect of communicating the achievement of cybersecurity objectives is the ability to provide assurance by way of a report on cybersecurity controls from an independent assessor.


S - 3

The Cybersecurity Issue

The AICPA’s Response
The AICPA’s Assurance Services Executive Committee (ASEC) formed the ASEC Cybersecurity Working Group to work in collaboration with the AICPA’s Auditing Standards Board (ASB) in developing practitioner guidance for performing examination-level attestation engagements related to cybersecurity.

Tools for the Profession
The working group will be responsible for identifying or developing suitable measurement criteria and for developing a cybersecurity attestation guide, as well as a supply chain/vendor management attestation guide, to provide performance and reporting guidance for practitioners engaged to report on controls over cybersecurity for an entity or portions of an entity (i.e., system(s), related systems, operating unit or division).

Effective Reporting
A cybersecurity attestation report will provide useful information to users in making decisions as stakeholders in the entity.


S - 4

Cybersecurity Discussants

Chris Halterman, Partner EY

Chris Halterman is an Executive Director in the Advisory Services practice of Ernst & Young LLP, with more than 26 years of experience in the public accounting profession, focusing on IT and process controls and information integrity. He leads EY’s Advisory Service Organization Control Reporting practice globally and in the Americas, with responsibility for developing methodology, training, client service strategy, quality assurance programs and market initiatives.

Chris is a member of the AICPA Assurance Services Executive Committee (ASEC) and chairs the ASEC Trust/Information Integrity Task Force. In this role, he leads the AICPA’s efforts to establish the criteria for evaluating system security, availability, processing integrity, confidentiality and privacy. In his role as Chair of the ASEC task force, Chris speaks regularly on SOC 1 (formerly SSAE 16) and SOC 2 reports in the US and internationally. He also serves as signing executive for a major service organization’s SOC 1 and SOC 2 reports and performs quality review on numerous other reports.


S - 5

Cybersecurity Discussants

Graham Gal, University of Massachusetts

Graham Gal is an Associate Professor of Business Administration at the Isenberg School of Management in the Department of Accounting and Information Systems. His research interests include business ontologies, specification of internal controls, continuous monitoring, continuous reporting, organizational security policies, and controls for sustainability reporting.

Dr. Gal has recently presented his work at the University of Vienna’s Value Modeling and Business Ontologies symposium, the REA Workshop at CAISE, The University of Melbourne, Marmara University’s Ethics, Fraud, Governance and Social Responsibility Symposium, and Rutgers’ Continuous Reporting and Monitoring workshops. He has published in a number of journals including: Journal of Emerging Technologies in Accounting, Decision Sciences, Expert Systems Review, Expert Systems, Journal of Information Systems, The Information Systems Control Journal, Advances in Accounting Information Systems, The International Journal of Accounting Information Systems, and The International Journal of Information Management. Dr. Gal is an associate editor of the Journal of Emerging Technologies in Accounting and The International Journal of Auditing Technology.


S - 6

Cybersecurity Moderator

Cybersecurity Participation

Open Discussion Following the Discussants’ Presentations

Robert G. Parker, Retired Deloitte Partner, UW-CISA

Robert Parker is a retired Deloitte Enterprise Risk partner. He has been involved with information technology for many years, is a Past International President of ISACA, and has served on many AICPA committees (SysTrust, Privacy Task Force and Top Tech Issues) and on many CPA Canada committees (Privacy, the Information Technology Management Advisory Committee, Year 2000 Committee and Database Auditing, to name a few).

He is a member of the Board of Directors of the University of Waterloo Centre for Information Integrity and Systems Assurance.


S - 7

Opening Comments

Security continues to rank highly on nearly everyone’s list of concerns

AICPA – CPA Canada’s 25th Anniversary Top Tech Issues survey ranked security

Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey



S - 8

Opening Comments

Security breaches involving personal information – information about an identifiable individual – are quickly becoming the norm

Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey



S - 9


Cybersecurity

Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey

Dropdown Questions


S - 10

Cybersecurity

Source: AICPA-CPA Canada 25th Anniversary Top Tech Survey



S - 11

CYBERSECURITY


S - 12

Source: http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-them-403

CYBERSECURITY


S - 13

Source: http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-them-403

CYBERSECURITY


S - 14

Source: http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-them-403

CYBERSECURITY


S - 15

CYBERSECURITY

2015 Data Breaches

Anthem BlueCross BlueShield – 80 million patient records – February

Office Of Personnel Management – 21.5 million – May

Premera BlueCross BlueShield – 11.2 million records – January

Office Of Personnel Management – 4.2 million records – April

Ashley Madison – 25 gigabytes (no indication of how many of their over 40.8 million members were exposed) – August

CareFirst BlueCross BlueShield – 1.1 million records – May

Hacking Team – 1 million emails – July

Army National Guard – 850,000 records – July

Penn State University – 18,000 – February


S - 16

CYBERSECURITY

Data Breach Costs

By design, the data breach cases included in this research had a minimum value of 1,000 records and a maximum value of 100,000 records. As discussed, we do not include data breach cases in excess of 100,000 records because they would affect the findings and are not representative of the data breaches most companies experience.


S - 17

Cybersecurity

How many have this or a similar type of communication?


S - 18

USA adopting chip & signature and not chip & pin

Among those many options are three for the cardholder verification method (CVM):

1) Chip and PIN - the most secure option because it requires the cardholder to enter a personal identification number with each purchase;

2) Chip and Signature - where the cardholder need only sign a receipt; and,

3) Chip and Nothing - where, as the name implies, the cardholder is not verified.

Likely motivation for not adopting Chip and PIN:

• Lack of desire to alter existing cardholder behavior by introducing PINs with credit cards

• An attempt to limit the cost of EMV (Electronic Member Verification) for merchants by not requiring the purchase of an EMV-compliant PIN pad. 


S - 19

Cybersecurity Participation

Open Discussion Following the Discussants’ Presentations


S - 20

Questions

Given the requirements for assessment criteria, is there a plan in place to continually or periodically review the technical information on cybersecurity and cyber breaches and update the AICPA’s guidance material?

Assessment Criteria

Scope of Assessments


S - 21

Questions

A number of high profile cyber security breaches have been successful by exploiting the “soft underbelly” of an almost unrelated organization.

Organizations are allowing or welcoming the perpetrators into their organization, sometimes unwittingly and at times as trusted business partners.

Where do we go from here?

What do we have to do to get management’s attention?


S - 22

Questions

What are the top 3 cybersecurity risks that management must address?


S - 23

Questions

What impact has the “Internet of Things” had on the way businesses address or should address cybersecurity?


S - 24

Questions

Does BYOD significantly alter the Cybersecurity requirements?

Does MDM (Mobile Device Management) software do much to protect the organization?


S - 25

Questions

The media focuses on large security breaches involving personal information; is this useful, meaningful or appropriate?

What about SCADA controlled devices?


S - 26

Questions

Many organizations rely on the Fortress Model, whereby a strong and robust perimeter is established and monitored using IDS (Intrusion Detection Software) and IPS (Intrusion Prevention Software).

What else would you recommend that organizations do to strengthen their cybersecurity defences, to lessen the risk of an event occurring or, if one does occur, the impact of the cybersecurity breach?


S - 27

Questions

The Ponemon Institute and others have frequently identified internal data breaches as being more prevalent than external cyber breaches, although fewer records may be accessed; is management focusing resources in the most appropriate area?


S - 28

Questions

Which is the most frequently adopted cybersecurity standard? (COBIT, NIST, ISO, Industry, AICPA, etc.)


S - 29

Questions

What are the key failings that management should avoid in ensuring that their organization is not a victim of a cyber security breach? What is management not doing that they should?

What are the key security controls that management should implement and monitor to ensure that their organization is not a victim of a cyber security breach?


S - 30

Questions

Where should cybersecurity responsibility reside? (ISP, Organization, Network Management, Data Owners, End Users, Subject Data)


S - 31

Questions

Has the general public become too acclimated and now accepts cyber security breaches as the norm?

Do you believe that users, customers and others will require a Cybersecurity certificate before doing business with an organization?


S - 32

Questions

On a scale of 1 to 10, with 10 being excellent and 1 being nonexistent or ineffective, where would you rank the existing technology-based tools designed to protect data in the event of a cyber-attack?


S - 33

Questions

Legislation, regulations and rules can only go so far in preventing cyber-attacks:

Where are they weak or non-existent?

Are the penalties severe enough?

Do they go far enough?

Can they ever be effective?

How can we motivate management to do it better?


S - 34

Thank You For Your Interest and Participation
