
Managing Cyber Risk in a Digital Age   |    13

REVIEW & REVISION

Principle                                               Description
15. Assesses Substantial Change                         The organization identifies and assesses changes that may substantially affect strategy and business objectives.
16. Reviews Risk and Performance                        The organization reviews entity performance and considers risk.
17. Pursues Improvement in Enterprise Risk Management   The organization pursues improvement of enterprise risk management.


Rapid evolution in information technology, its adoption by employees, global supply chains, and the permeation of the industrial Internet of Things in businesses are increasing the threat of cyber attacks to organizations. A successful cyber attack can have significant financial and reputational impact on an organization. To mitigate the risk of a successful cyber attack, organizations should develop processes to identify and assess how a significant change would influence strategy, business objectives, and risk appetite.

For example, a manufacturing organization planning to implement smart factory solutions, which use artificial intelligence and networked sensors, would need to review its existing operational, financial, and technical strategies to address the cyber security risks that arise. The review could entail a cost-benefit analysis of developing a robust cyber risk management program, hiring qualified cyber risk professionals or re-training existing employees, and performing ongoing evaluations of new security vulnerabilities. Additionally, the organization would need to manage its external environment, such as the impact on its vendors, customers, and regulators, including communication in case of a successful cyber breach.

Cyber risk assessment processes are iterative, because changes occur continually in an organization's internal and external environment. The organization must evaluate each change to determine its impact on the enterprise and how best to manage the resulting cyber risk.

Organizations should constantly assess their cyber security risk assessment initiatives to determine whether they are able to identify and mitigate the risk associated with these threats and potential attacks. To perform ongoing assessments, management must clearly articulate the goals, the indicators for measuring performance, and the consequences of missing targets. The consequences of missing targets should be proportional to the risk and the impact of a potential breach. Subsequently, assurance on control effectiveness related to cyber risk (i.e., whether and how cyber risk controls are periodically monitored and tested) can be performed by the internal audit department or by an external auditor for independent reporting purposes. For example, the AICPA has released guidance for the “System and Organization Controls (SOC) for Cybersecurity engagement, through which a CPA reports on an organization’s enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors and business partners gain a better understanding of organizations’ efforts”[10] and provide an independent opinion on the effectiveness and maturity of an organization’s cybersecurity program.

Consider, for example, that management determined phishing e-mails to be a high risk to the organization. Management implemented an employee training program to ensure employees were aware of the risk, with the stated target that no employee would click on a phishing e-mail. If, after implementing this program, the organization still had measurable problems with phishing (for instance, a click rate in simulated phishing campaigns that stays above the target), management needs to revisit the program and make revisions, such as deploying e-mail filtering that detects and quarantines phishing-like messages in addition to employee training.