14 | Managing Cyber Risk in a Digital Age
For organizations looking to evolve and implement new technologies, cyber risk avoidance may not be an effective strategy. Management must therefore implement effective cyber risk strategies to become more vigilant (e.g., comprehensively monitor the extensive threat landscape). Feedback from comprehensive risk monitoring should feed into the risk assessment process.

New technological advances, feedback from the cyber security assessment, organizational changes, review of risk appetite, improved communication processes, and comparisons to other industries and competitors are examples of inputs that can help improve the risk management process. For example, a manufacturing organization planning to implement smart factory solutions, which use artificial intelligence and networked sensors, may not have considered the impact of cyber breaches in connected devices as part of prior risk assessments. However, changes in technology and changes in business objectives require improvements to the risk assessment processes to factor in new cyber risks.

Organizations must operationalize governance processes to capture and evaluate potential changes that may alter their cyber risk profile. This includes—at a minimum—capturing prospective new and changing products and services, information technology and evolving digital strategies, business processes, mergers, acquisitions, and reorganizations, and laws and regulations. Each of these items must be evaluated by qualified key stakeholders operating within a broad cyber risk management program. In addition, the importance of key indicators and control testing in monitoring for changes in the organization’s cyber risk profile must remain a top priority.

The Review & Revision component is key, as disruption and digitization in the constantly evolving cyber world continue to drive the need for changes and enhancements to cyber risk management.
coso.org