The Association of International Certified Professional Accountants (the Association), a new organization composed of the American Institute of CPAs (AICPA) and the Chartered Institute of Management Accountants (CIMA), has provided comments on three federal agencies’ advance notice of proposed rulemaking (ANPR) regarding enhanced cyber risk management standards for large and interconnected entities and their service providers.
“We applaud the agencies’ efforts to increase the operational resilience of entities and reduce the impact of cyber events,” wrote Susan S. Coffey, CPA, CGMA, the Association’s executive vice president for public practice, in a January 17 letter to the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation. “The Association believes that today’s marketplace is driving the need for strengthened cybersecurity in all types of organizations.”
“We believe that the regulatory community can best serve the public interest and national security by coordinating to establish and implement common, overarching principles related to cybersecurity risk management,” Coffey stated. “A consistent set of high-level principles or best practices (as opposed to specific, detailed, prescriptive rules or requirements), would keep the focus on agility and responsiveness to an ever-evolving challenge, to stay one step ahead of, not behind, current and future risks.”
“…[T]here are already a number of strong voluntary cybersecurity risk management frameworks available to companies to follow in designing effective cybersecurity risk management programs, Coffey observed. “We believe that the cybersecurity risk management reporting framework that we have developed complements these frameworks and serves as a critical step to enabling a consistent, market-based, business-based mechanism for companies to effectively communicate with key stakeholders on how they’re managing cybersecurity risk.”
Coffey noted that while it is well understood that it is impossible to guarantee the prevention of a cybersecurity breach, this framework “will enable companies to demonstrate and communicate due diligence and due care in their management of cybersecurity risk in a consistent manner, serving the needs of multiple stakeholders with a single approach.”