Deloitte poll: Firms plan adoption of AICPA's SOC for Cybersecurity framework
John Davis and Sean McMahon
June 11, 2018

A new poll released by Deloitte shows corporate boards pursuing increasing oversight of cybersecurity programs as executives brace for more regulation around management of cyber threats. One-third of respondents said their organization will adopt the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) for Cybersecurity framework, and one in five plan to implement the system in the coming year.

"Boards want to gain a higher level of confidence in their organizations' cyber risk management program effectiveness, so an expectation of more robust and consistent reporting is not surprising," said Andrew Morrison, Deloitte Risk and Financial Advisory principal. "Corporate executives in all sectors are feeling obliged to provide greater transparency and uniformity when it comes to cybersecurity reporting — alone or as part of an enterprise-wide risk management program."

More than 62% of executives surveyed expect more pressure to execute cybersecurity programs that work, while 57% of respondents are expecting more regulations around cybersecurity. Financial services will be an area of focus for both boards of directors and regulators when it comes to cyber risk, according to the poll. Other industries where cybersecurity is currently top-of-mind include life sciences and healthcare, and telecommunications.

Regulators and corporate boards are turning their attention to cyber risk in an environment where few executives are confident in current protection measures. In the Deloitte poll, only 16.7% of executives said they were highly confident in their cyber programs. For financial services the number dropped to 14.3%, while for technology, media and telecommunications firms only 11.8% expressed confidence. For energy and resources firms, confidence dropped further, to 5.6%.

When queried regarding their understanding of the reporting structure around cybersecurity, 12.9% of respondents said they did not know who the chief information security officer reported to.

"Whether organizations leverage the AICPA SOC for Cybersecurity alone or in concert with other industry-specific frameworks or standards, it offers another mechanism that can provide a higher degree of assurance around the effectiveness of an entity's cybersecurity risk management program," said Gaurav Kumar, a Deloitte Risk and Financial Advisory principal. "An independent cybersecurity attestation can also serve to enhance stakeholder trust with readiness efforts that: focus on the appropriate level of risk and control assessment needed to protect the business's 'crown jewel' assets, monitor program strength continuously, and chart a measurable path toward ongoing improvements."

Key steps to implementing the AICPA SOC for Cybersecurity framework include a risk assessment, defining the program, gap analysis and development of a remediation roadmap, according to Deloitte.