Recent high-profile cybersecurity incidents, such as those at Equifax, Sony, and Target, have increased professional and regulatory attention. For example, organizations are under pressure to demonstrate that they are managing cybersecurity threats and that they have effective processes and controls in place to detect, respond to, mitigate, and recover from breaches and other security events. Cybersecurity risk management involves not only improving internal controls but also a wide range of factors, from strategy, IT management, investment decisions, human behavior, disaster recovery/business continuity, and technical solutions to actual implementation and practices.

From the regulatory perspective, the PCAOB explicitly included the assessment of cybersecurity risks in its 2018–2022 strategic plan (PCAOB 2018). Further, the Securities and Exchange Commission (SEC) recently issued reporting guidelines on cybersecurity risk disclosures (SEC 2018), while the AICPA proposed an assurance framework for auditors to use to evaluate an organization's cybersecurity risk management policies and...
