How COSO's new framework helps mitigate risk
Data breaches and other cyber threats are among the biggest risks companies face today. To help companies address these risks, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a research report in 2015 that provides guidance on using COSO's Internal Control — Integrated Framework(2013) and its Enterprise Risk Management — Integrated Framework (2004) to evaluate and manage cyber risks.
A driving force behind COSO's 2013 update to its 1992 internal control framework was a dramatically changing business environment resulting from technological developments. For example, in 1992, telephone and fax were the predominant business communication tools and there were fewer than 14 million Internet users worldwide (compared to nearly 3 billion today).
COSO's 2015 report, entitled COSO in the Cyber Age, notes that the Internet was designed primarily to share information, not to protect it. As a result, cyber risks can't be avoided; instead, they must be managed. The report suggests that, to effectively manage cyber risks, companies should view their risk profiles through the lens of the 2013 framework's five internal control components:
- Control environment. Does the board of directors understand the company's cyber risk profile and how the company is managing the evolving risks it faces?
- Risk assessment. Has the company evaluated its operations, reporting and compliance objectives, and developed an understanding of how cyber risks affect each of those objectives?
- Control activities. Has the company developed general control activities over technology (and other control activities) that enable it to manage cyber risk within the company's risk tolerance?
- Information and communication. Has the company identified the information requirements for managing internal control over cyber risk? Has it developed communication channels and protocols — both internal and external — that support internal control? How will it respond to, manage and communicate cyber risk events?
- Monitoring activities. How will the company evaluate the design and operation of internal controls that address cyber risks? How will it correct any deficiencies that it finds and monitor its cyber risk profile?
The report provides detailed guidance on each of the five internal components and how they can be used to address cyber risks. According to COSO, this exercise enables a company's board and management to better communicate their business objectives, critical information systems and risk tolerance levels. This, in turn, enables others throughout the organization to identify the information systems most vulnerable to cyber threats and implement controls to address those risks.