Cyber risk has historically ranked high and has been an area of concern in internal audit risk assessments over the past decade. As such, it’s likely that your audit plan has evaluated some of these areas with a close nexus to the new reporting requirements. Given the short ramp-up time, though, an independent and holistic evaluation may be necessary to assess readiness both from a first- and second-line perspective. Here are a few topics worth considering:
- Cyber governance: Disclosure management, board reporting and oversight.
- Cyber risk management: Cyber risk assessment and scenario threat modeling; Key Risk Indicators (KRIs); cyber risk and control frameworks anchored to authoritative sources such as NIST CSF and NIST 800-53; NIST CSF cyber program capability maturity assessment.
- Cyber incident reporting: Process, control and maturity assessments in the key areas of incident response management, the security operations center (SOC), security information and event management (SIEM), and technical and executive tabletop exercises.
The new cyber disclosure rule requires even greater communication and connection among the IT and security, finance, general counsel and ERM teams. Internal audit should coordinate with this cross-functional team as it performs these assessments.
Coordination with SOX teams can also yield collaborative results. With the evolution of cyber risks, areas of common cyber exposure relative to financial reporting have caused auditors to scrutinize the potential impact of cyber risks on the financial statements more closely. Examples of such areas of common exposure include patch management, intrusion detection, backup and restoration of data, vendor management and wire processing.