TRANSCRIPT
Why Cybersecurity Matters to Accountants
Barry Melancon | AICPA President & CEO
“If we think about systems broadly and the information that businesses produce, that information footprint is very big, and financial statements are just a piece of that…”
“If we can think about the totality of that system environment, and all the assurance needs in there, we can move into a position where we can serve the needs of more and more users of that information.”
- December 2019
Cybersecurity and Accountants
AICPA | Cybersecurity Resource Center
Homeland Security
Going Concern
Definition
• An accounting term for a company that has the resources needed to continue operating indefinitely until it provides evidence to the contrary. Refers to a company's ability to make enough money to stay afloat or avoid bankruptcy.
• How does cybersecurity play a role in this?
Understand why Cybersecurity is a Concern in Today’s Society
What are the threats
Technology is Changing
• Business Intelligence
• Robotic Process Automation (RPA)
• Artificial Intelligence
• Blockchain
• Digital Wallets
Cybersecurity is a people problem, not a technology problem.
Human Factor (Error)
According to the research, 99% of cyberattacks now rely on a person taking an action - clicking a link, opening an attachment, falling for a scam.
The instincts of curiosity and trust lead well-intentioned people to click, download, install, open, and send money or data.
Instead of attacking systems and infrastructure, threat actors focused on people, their roles within an organization, the data to which they had access, and their likelihood to ‘click here’.
- Proofpoint
IT Security Awareness Culture
- Governance’s Role – Crucial for Buy-in
- EVERYONE is responsible for IT Security Controls
- Everything (and everyone) is vulnerable
- Mobile devices and mobile apps are a primary threat vector in today’s environment
Threat Actions
• Phishing Emails (Business Email Compromise) – attempts to deceive personnel into divulging information or clicking corrupt links
• Not just emails - Phone Calls, Text Messages, etc.
• Keylogging Viruses – watching all keystrokes of a computer
• Ransomware – attempts to lock up servers and data to demand money for release
• Denial of Service (DoS) – attempts to overwhelm services and interrupt business
• Insider Threats – attempts to steal valuable information from within the company (financial information, product or service information, etc.)
  • employees, former employees, contractors, or anyone else that may have access inside of your firewall, antivirus, and endpoint protection.
FBI | IC3
• Business Email Compromise (BEC) Stats – for 2019
  • 23,700+ Cases
  • $1.7 Billion lost (3x as much as next scheme)
  • Uptick in Payroll diversion schemes
    • email appearing to be from an employee requesting to update their direct deposit
    • new direct deposit information generally routes to a pre-paid card account.
FBI | IC3 Website
Phishing Attempt – Phone Call
Ransomware
Threats
• Often begins with Phishing email
• Triggered with clicking a link or opening an attachment
• Encrypts all files by locking up servers and data
Preventative/Corrective Controls
• Daily backups
• Log review for unusual activity
• No local admin rights [prevent running of .exe files]
IT Security Event vs Incident
Security Event vs Security Incident
Security Event – Definition: An identifiable occurrence that could theoretically be relevant to information security.
Security Incident – Definition: An event that is a viable risk or that causes damage such as lost data or operational disruptions.
Breach Notification Laws
- All 50 states have them
- Apply to residents of that state
- Contain common items
  - Security measures that should be in place
  - Fines for non-compliance related to a breach
- Expanding to privacy laws
  - CCPA
Understanding Data Security and Applying Information Technology General Controls (ITGCs)
How to Combat the Threats
Tenet of Cybersecurity
• An entity that operates in cyberspace is likely to experience one or more security events or breaches at some point in time, regardless of the effectiveness of the entity’s cyber security controls.
• Understanding this tenet is essential to dispelling user misconceptions that an effective cyber security risk management program will prevent all security events from occurring.
Tenet of Cybersecurity
• Due to inherent limitations in a cyber security risk management program, an entity may achieve reasonable, but not absolute, assurance that security events are prevented and, for those not prevented, that they are detected, responded to, mitigated against, and recovered from on a timely basis.
• An effective cyber security risk management program is one that enables the entity to detect security events on a timely basis and to respond to and recover from such events with minimal disruption to the entity's operations.
GAAS Requirements
Under AU 314, we are required to obtain an understanding of the entity and its controls to assess risk.
• An understanding of IT is required to understand related IT controls and to assess related IT risks (AU 314, paras. 81 - 87).
• Ineffective ITGCs by themselves do not cause misstatements; however, they may permit application controls to operate improperly (AU 314, para. 94).
IT General Control Review Areas
1. STRUCTURE AND STRATEGY
Evaluate if reasonable controls over the Company’s Information Technology structure are in place to determine if the IT Department is organized to properly meet the Company’s business objectives.
2. CHANGE MANAGEMENT
Evaluate if reasonable controls are in place over change management relative to the operating systems and network environment to determine if standard maintenance changes (e.g. patches, fixes, upgrades, etc.) are identified, approved, and tested prior to installation.
3. VENDOR MANAGEMENT
Evaluate if reasonable controls are in place over third‐party services to determine if third‐party services are secure, accurate and available, support processing integrity, and are defined in performance contracts.
4. SYSTEM & APPLICATION SECURITY
Evaluate if reasonable controls are in place over system security, both logical and physical, to determine if software applications and the general network environment are reasonably secured to prevent unauthorized access and appropriate environmental controls are in place.
5. INCIDENT MANAGEMENT
Evaluate if reasonable controls are in place over incident management to record, investigate, and resolve any user or system incidents and management monitoring of system incidents exists.
6. DATA MANAGEMENT
Evaluate if reasonable controls are in place over the data management and storage process (backups and disaster recovery) and are being tested on a regular basis.
Common Deficiencies
• Terminated employees still active in systems and the network
• Lack of Security Awareness Training / Education
• Lack of critical application and vendor lists
  • no knowledge of vulnerabilities
• Lack of vendor management program and no vendor risk assessments
• Lack of ongoing vulnerability monitoring - external penetration testing and internal vulnerability scanning
• Shared and/or generic administrator accounts without monitoring
• Weak system password parameters
  • No timeout
  • Not changed often
  • Not complex
• Lack of use of Multi-Factor Authentication for Logins
• Lack of data backup testing
• Lack of portable device policy and security
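Several of the deficiencies above (terminated employees still active, generic administrator accounts, passwords not changed often, no multi-factor authentication) can be tested mechanically during an ITGC access review. The script below is an added example written for this transcript, not code from the presenter or the firm: it reconciles a constructed identity-system export against a constructed HR termination list and reports each finding by deficiency. The account records, the generic-name list and the 90-day password-age threshold are assumptions.

```python
"""ITGC access-review checks for four of the common deficiencies listed above.
Added example; sample data, generic-name list and the 90-day threshold are assumptions."""
from datetime import date, timedelta

# Constructed sample export from an identity system (not real accounts).
ACCOUNTS = [
    {"user": "jsmith",     "admin": False, "mfa": True,  "pw_set": date(2020, 1, 15), "enabled": True},
    {"user": "mjones",     "admin": True,  "mfa": False, "pw_set": date(2019, 3, 2),  "enabled": True},
    {"user": "admin",      "admin": True,  "mfa": False, "pw_set": date(2018, 6, 1),  "enabled": True},
    {"user": "rlee",       "admin": False, "mfa": True,  "pw_set": date(2020, 2, 1),  "enabled": True},
    {"user": "svc_backup", "admin": True,  "mfa": True,  "pw_set": date(2020, 1, 20), "enabled": False},
]
HR_TERMINATED = {"rlee"}                                       # constructed HR separation list
GENERIC_NAMES = {"admin", "administrator", "root", "shared"}   # assumed shared/generic names
MAX_PASSWORD_AGE = timedelta(days=90)                          # assumed "changed often" policy
REVIEW_DATE = date(2020, 3, 1)                                 # as-of date for the review


def review_accounts(accounts, terminated, today):
    """Return (deficiency, user) pairs; disabled accounts only matter if they should not exist."""
    findings = []
    for a in accounts:
        # Deficiency: terminated employee still active in systems and the network.
        if a["user"] in terminated and a["enabled"]:
            findings.append(("terminated_still_active", a["user"]))
        # Deficiency: shared/generic administrator account (cannot be tied to one person).
        if a["admin"] and a["user"].lower() in GENERIC_NAMES:
            findings.append(("generic_admin_account", a["user"]))
        # Deficiency: password not changed within the policy window.
        if a["enabled"] and today - a["pw_set"] > MAX_PASSWORD_AGE:
            findings.append(("password_not_changed", a["user"]))
        # Deficiency: privileged login without multi-factor authentication.
        if a["enabled"] and a["admin"] and not a["mfa"]:
            findings.append(("admin_without_mfa", a["user"]))
    return findings


def summarize(findings):
    """Count findings per deficiency so the reviewer sees which control is failing most."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, user in review_accounts(ACCOUNTS, HR_TERMINATED, REVIEW_DATE):
        print(f"{kind:25s} {user}")
    print(summarize(review_accounts(ACCOUNTS, HR_TERMINATED, REVIEW_DATE)))
```

In practice the two input lists would come from the directory export and the HR system, and each finding would be traced to the responsible control owner.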
Passwords
Password Attacks – Brute Force
Risk Assessment and Risk Management
(Internal Risks)
Enterprise risk management enables management to effectively deal with uncertainty and associated risk by:
- Aligning risk appetite and strategy
- Enhancing risk response decisions
- Reducing operational surprises and losses
- Identifying and managing multiple and cross-enterprise risks
- Improving deployment of capital
Risk Assessment
Risk Assessment - continued
Columns: # | Responsibility | Risk / Threat | Risk Type (R = Reputational, O = Operational, L = Legal, S = Strategic) | Likelihood of Occurrence (1 = Low, 5 = High) | Potential Damage to the Company (1 = Minimal, 5 = Major) | Control Objective Reference | Internal Controls, Policies, and Procedures (Key Controls)

1 | Information Technology | Sensitive data is transmitted unencrypted. | Risk Type: R, L | Likelihood: 3 | Potential Damage: 4 | CO 7
Key Controls:
● ShareFile, a secured site, is used to receive and transmit client data.
● Security measures are in place to encrypt client and participant information transmitted via email (i.e., ShareFile Outlook add-on utility).
● Personnel are trained to never send participant information via email.
● The Employee Handbook prohibits the transmittal of sensitive data via an unsecured method.

2 | Information Technology | Loss of portable media containing sensitive data or unauthorized access to systems utilizing lost or stolen laptops or portable media. | Risk Type: R, L, O | Likelihood: 3 | Potential Damage: 4 | CO 7
Key Controls:
● Use of the secure VPN is required to gain external access to sensitive data.
● All USB drives are encrypted.
● Portable devices such as laptops are encrypted and PDA's are password protected.

3 | Information Technology | Virus infiltration negatively impacts system and/or data files. | Risk Type: R, O | Likelihood: 1 | Potential Damage: 2 | CO 7
Key Controls:
● Microsoft System Center Endpoint anti-virus is installed on servers.
● IT personnel periodically review the Microsoft System Center Configuration Manager.
● Appropriate network and internet usage is addressed within the Personnel Manual.
● The Company has procedures in place to efficiently segment the affected area of the network.
● Whitelisting applications.
Risk Assessment - continued
Risk Assessment Questions
• What keeps you up at night relative to managing your division? Ask this question and sit back and listen.
• What are the top three risks in your area? (These may be the same as what keeps them up at night.)
• What is the worst thing that could happen in your division?
• What upcoming projects, endeavors, etc. are you planning? What are you anticipating as the greatest risk?
• How are you currently managing risk? Are all of your key people aware of your top risks?
Risk Assessment - continued
Risk Category | Risk Tolerance | Comments
Financial Reporting | Low | Management rates risk as low given long-term people and defined processes. No prior audit issues.
Disbursement Processing | Low | Management rates risk as low. Audited last year with no issues and multiple signoffs required for processing.
New Client Setup | Low | Management rates risk as Low. Very defined processes and no major current client impact.
Information Technology | Medium | Management rates risk as low. However, due to the inherent risk, this is a moderate area. There are well-defined controls and processes.
Data Security | High | The company recently had a cybersecurity breach.
Cash Procedures | High | Management ranks risk as high due to availability or access to cash of clients.
Current Risk Levels legend: Comfortably within Risk Tolerance | Nearing Boundaries of Risk Tolerance | Exceeding Boundaries of Risk Tolerance
VENDOR RISK ASSESSMENT
(External Influence)
Vendor Risk Management
A Vendor Risk Assessment should be performed annually and include the following:
A listing of all vendors used by the company, including a description of the services provided by the vendor, the contract period covered, who is assigned to manage accountability of the vendor relationship, and a determination whether each vendor is a critical vendor.
For critical vendors, the internal control structure and potential risks to the company need to be evaluated. Most companies require their critical vendors to have an independent internal control report performed by an outside accountant or security specialist (such as a System and Organization Controls report).
Vendor Risk Management
Each vendor should be assigned an overall risk rating. The risk rating will be based upon such items as the vendor internal control report findings, any issues experienced with the vendor, any reputational issues the vendor has had, as well as any items that could potentially impact the security, confidentiality, or availability of company data. The vendor risk rating should be evaluated annually by management.
A contingency plan should be in place for all critical vendors relative to the services provided by the vendor.
Cyber Liability Insurance
• Increased regulatory attention (e.g., SEC)
• Vendor/business associate risk
• Insider threats
• Exclusions in legacy coverages (e.g., CGL, D&O)
• Cyber-criminal ingenuity, perseverance, and greed
• Covered Costs
  • Forensics
  • Legal and PR
  • Data Restoration
  • Lost Income
Resources
Articles (by Warren Averett Experts)
- Cybersecurity Recommendations (Summer 2019)
- Mobile Device Management (June 2019)
- Cyber Risks Article (May 2019)
- Disaster Preparedness – Security and Technology (May 2019)
- Cybersecurity Insurance (May 2019)
- Ransomware Guidance (April 2019)
- Cybersecurity Basics (April 2019)
Resources - continued
Websites/Groups for Additional Information
- The CyberSecurity Hub™ (LinkedIn resource)
- www.ISACA.org
- www.ic3.gov
- www.ISSA.org
- www.Infragard.org
- www.Sans.org
Questions?
Paul M. Perry, CISM, CITP, CPA
Member | Security, Risk and Controls Practice
[email protected]
(205) 769-3251