Cybersecurity Risk Management Guidance Proposed
The following exposure drafts have been issued by the American Institute of Certified Public Accountants’ (“AICPA”) Assurance Services Executive Committee, offering guidance for evaluating cyber risk management:
- Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program (“Description Criteria”). This exposure draft is intended for use by a company’s management in developing and describing the organization’s cybersecurity risk management program, and by public accounting firms when reporting on that description. The AICPA hopes that a common set of criteria will clear the path for a cybersecurity examination that helps evaluate the efficiency of an organization’s cybersecurity risk management program. Such a reporting framework would help companies communicate essential information about their cybersecurity risk management programs to stakeholders.
- Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (“Trust Services Criteria”). This exposure draft sets out the updated AICPA trust services criteria for public accounting firms that offer advisory or attestation services evaluating the controls in an organization’s cyber risk management program, or that perform SOC 2 engagements. The trust services criteria can also be used to review the design and efficiency of those controls.
The deadline to submit comments on the exposure drafts is Monday, December 5. Please direct comments regarding the proposed Description Criteria to Mimi Blanco-Best, and comments about the proposed update to Trust Services Criteria to Erin Mackler.