When the skies clear:

Web-hosting

outage hits Amazon data centers

Read this if you are subject to SOC examinations.

In late October 2022, the American Institute of Certified Public Accountants’ (AICPA’s) Assurance Services Executive Committee (ASEC) released an update to the System and Organization Control (SOC) 2 reporting guide. Significant updates have been made to the Description Criteria implementation guidance and the Trust Services Criteria points of focus. Overall, the changes provide clarity around several recent and emerging industry topics and continue to promote reporting quality and consistency.

Summary of changes

Available for use now, the AICPA updates for SOC 2 examinations are significant and may require additional time and attention from companies who currently have a SOC 2 report or are planning on working toward compliance. High-level updates include incorporating new attestation standards (e.g., SSAE-20 and SSAE-21):

• Updates to the Description Criteria implementation guidance for additional clarity regarding certain disclosure requirements, guidance on disclosure of how controls meet the requirements of a process or control framework, and guidance on disclosure of information about the risk assessment process and specific risks
• Updates to the points of focus that support the application of the Trust Services Criteria that better reflect the ever-changing technology, legal, regulatory, and cultural risks, data management requirements, particularly related to confidentiality, and differentiating between a data controller and a data processor for privacy engagements
• Incorporating, where appropriate, updates included in the AICPA Guide Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1 guide)
• Incorporating, where applicable, additional guidance included in the AICPA Guide Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System (SOC for supply chain guide), particularly related to the risk assessment guidance

Additional updates

Other updates from the AICPA include, but are not limited to, the following:

• Making qualitative materiality assessments (from the AICPA whitepaper on materiality)
• Considering the service organization’s use of software applications and tools (from the SOC Tools FAQ)
• Considering the operation of periodic controls that operated prior to the period covered by the examination
• Considering management’s use of specialists
• Performing and reporting in a SOC 2+ engagement (including an updated illustrative service auditor’s report)
• Addressing considerations when the service organization has identified a service commitment or system requirement related to meeting the requirements of a process or control framework (such as HIPAA, ISO, or NIST)
• Supplements and several appendices were removed and will be replaced with links to the appropriate documents on the AICPA website

If you currently have or will be working toward a SOC 2 report, it’s essential to understand the impact to the SOC 2 reporting process. Early preparation will help your organization stay ahead of the curve when it comes to achieving compliance. It is also essential to help ensure that frameworks are aligned and controls are in place to effectively guard against cybersecurity risks and protect sensitive data. If you have questions about SOC audits, or your specific situation, please contact our SOC Audits team. We’re here to help.

Read this if you are a part of the gaming industry.

The gaming industry has bounced back during 2021 and 2022 following pandemic-related declines, but a potential economic downturn will likely impact consumer behavior and have effects for gaming businesses. Though recessionary concerns may prompt some consumers to rein in spending, several factors point to resilience in the gaming industry, including customer retention initiatives, the growth of digital gaming and sports betting, and the continued allure of experiences offered by casino resorts.

Instead of merely weathering a potential recession, gaming companies can position for sustained success by reviewing strategic plans and focusing on key business objectives. Financial discipline will be another priority, particularly if changes in consumer spending affect revenue growth during 2023.

Retention has a big payoff in a recessionary environment

Despite the rate of inflation in the US reaching levels not seen in more than 40 years during 2022, consumer spending has remained relatively strong. According to data from the Bureau of Economic Analysis (BEA), disposable personal income and personal consumption expenditures both increased slightly more than expected during September. Interest rates have continued to rise, however, and there are indications that some consumers are delaying the purchase of big-ticket items, which suggests a slowdown in some areas of spending.

To help mitigate the effects of a potential recession, gaming companies may consider shifting more attention to customer retention in addition to customer acquisition. That strategy could be especially important for sports betting, a subsector that has invested heavily in customer acquisition in recent years—and may not be as recession-proof as some had predicted. According to a TransUnion study, 54% of US sports bettors earn at least $100,000 per year, but even high-income earners show signs of cutting back on discretionary spending like gambling. Nevertheless, many sportsbooks have seen relatively low rates of customer churn this year despite inflation, which could be due partly to the growth in popularity of unique multi-leg wagers such as same-game parlays.

High costs for customer acquisition due to digital competition can pose challenges for companies trying to grow their consumer base, and recessionary pressures make it even more important to keep existing customers engaged. Fragmentation and evolving competition also complicate predictions for the lifetime value of a new customer. The longer a customer stays, however, the bigger the return on initial acquisition costs.

Retention strategies

Strategies that focus on retention can help reduce churn amid growing recessionary pressures. These strategies vary for different types of companies, such as online gambling (iGaming), land-based casinos, or a hybrid of online and on-premises gaming. Taking steps to improve customer experience and leverage data analytics can both help increase engagement. Such initiatives can include customized loyalty and reward programs based on a customer’s unique habits, as well as data insights about the most popular types of games and bets that enable cross-promotion. Reload bonuses, referral bonuses, free bets, and percentage back on losses are examples of other strategies to help keep existing players engaged. Critically, even small improvements in retention can have a significant impact on margins and profitability.

Growth potential remains, but a downturn would impact industry subsectors differently

If recessionary pressures prove to be a drag on consumer spending in the months ahead, it may affect some gaming sectors differently than others. Even if consumers reduce discretionary spending, casino resorts could still fare well because of their diversified offerings, but they also have much higher operating costs than dedicated iGaming companies. Land-based casinos in particular should practice financial discipline and manage labor costs. They can achieve this by maintaining balanced staffing levels, expanding electronic casino games, and adopting cashless gaming and digital payments.

Overall, casino resorts can provide a relatively affordable range of unique leisure experiences. People remain eager to travel after dealing with pandemic-related restrictions, and recent TSA checkpoint data indicates airport activity has been near or above 2019 levels. BEA data also indicates that consumer spending on services, such as travel and dining, has outpaced spending on goods in recent months.

Although research has shown flat levels of growth for casino gambling during previous recessions, the industry has seen several notable changes in recent years. Digital gaming remains a convenient option for consumers and has experienced a spike in adoption in recent years, which aids both digital-only operators and land-based casinos that offer a digital component. Casino resorts can also use data-backed insights to help convert their online customers into on-premises customers through targeted offers and other marketing initiatives.

Sports betting has also grown rapidly during the past five years, which provides an accessible platform for a much larger population of customers than previously. Before the US Supreme Court’s 2018 decision in Murphy v. National Collegiate Athletic Association, only a few states could claim partial exemption to the 1992 federal ban on sports betting. As of November 2022, more than 30 states and the District of Columbia allow sports betting, and additional states are considering similar legislation.

Recession-related shifts in discretionary spending may not impact gaming as much as other consumer sectors. A May 2022 YouGov poll of 16 countries shows that while monthly gamblers may cut back on betting, they are more likely to reduce spending in other areas to maintain their monthly budget. A recession would still likely impact growth, so it is critical for gaming companies to protect revenue during a downturn.

Other developments also hold promise for the gaming industry. Casino stocks recently surged following China’s announcement of eased travel restrictions that would allow tour groups into Macau, the world's largest gambling jurisdiction. Overall, publicly traded gaming companies have enjoyed relatively strong earnings during 2022 despite market volatility, and many analysts have maintained “buy” ratings. A downturn could also give well-capitalized companies an opportunity to gain market share through acquisitions and partnerships.

Looking ahead: A sure thing

To help guard against the impact of recessionary pressures, managing costs and finding efficiencies will continue to be priorities. However, cutting back spending across the board can constrain growth and exacerbate customer churn. By combining financial discipline with a business strategy tailored to the effects of a potential downturn, gaming companies can continue the pandemic recovery and even thrive during volatility.

Read this if you are responsible for cybersecurity or are a member of a board of directors.

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources with respect to the preparedness in responding to cyber risks. Such knowledge helps boards assess the priority-driven and investment decisions put forth by management needed in critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cyber security risk for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when looking at their oversight of management’s plans for addressing potential cyber risks.

General

• What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
• Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
• Has the cyber risk management plan been tested?
• Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
• Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
• What percentage of our IT budget is dedicated to cybersecurity?
• Does that allocation conform to industry standards?
• Is it adequate based on our threat profile?
• What are stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
• What is the interaction model between senior management and the board for communications regarding cybersecurity?
• Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

• How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
• Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
• Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

• Does the board play an active part in determining an organization’s cybersecurity strategy?
• What are the key elements of a good cybersecurity strategy?
• Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
• How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
• How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

• What are the potential cyber threats to the organization?
• Who is responsible for management oversight of cyber risk?
• Has a formal cyber assessment been performed? Does it need to be updated?
• Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
• What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
• Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

• Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology and are those individuals empowered to carry out those responsibilities?
• Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
• Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others with a direct or “dotted line” reporting to the CEO.)
• Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

 Cybersecurity controls

• Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
• What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
• How effective are the organization’s risk management activities and controls identified in the assessment?
• Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
• Are there controls in place to ensure adequate, accurate and timely reporting of cybersecurity related content?
• How does the company remain apprised of laws and regulations and ensure compliance?
• What cloud services does our organization use and how risky are they?
• How are we protecting sensitive data?

Threat intelligence and collaboration

• What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
• Does our organization share threat intelligence with law enforcement?
• What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
• What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

• Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
• How regularly should a board obtain IT metric information?
• Is the information meaningful in a way that invokes a reaction and provides a clear understanding of the level of risk willing to be accepted, transferred, or mitigated?
• How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

• How does management validate the type and volume of cyber-attacks?
• Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
• How does an incident response and recovery plan fit into the overall cybersecurity strategy?
• Is the board’s response role clearly defined?
• Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
• Is there a culture of cyber awareness and reporting at all levels of the company?
• Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

• How does the board remain current on cybersecurity developments in the market and the regulatory environment?
• Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
• Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
• Are directors provided with educational opportunities in this area?
• Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

• Has oversight of cybersecurity reporting been defined for management and the board?
• Are company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise and its oversight of cybersecurity risk, being included within the financial statement and proxy disclosures?
• Does the company have a mechanism for timely reporting of material cybersecurity incidents?
• Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help. 

Read this if you are responsible for cybersecurity at your organization.

Cybersecurity threats aren’t just increasing in number—they’re also becoming more dangerous and expensive. Cyberattacks affect organizations around the globe, but the most expensive attacks occur in the US, where the average cost of a data breach is $9.44 million, according to IBM’s 2022 Cost of a Data Breach Report. The same report shows that the cost of a breach is $10.10 million in the healthcare industry, $5.97 million in the financial industry, $5.01 million in the pharmaceuticals industry, and $4.97 million in the technology industry.

Cyber threat actors are a serious danger to your company, and your customers, stakeholders, and shareholders know this. They expect you to be prepared to defend against and manage cybersecurity threats. How can you demonstrate your cybersecurity controls are up to par? By obtaining a SOC for cybersecurity report.

What is a SOC for cybersecurity report?

It provides an independent assessment of an organization’s cybersecurity risk management program. Specifically, it determines how effectively the organization’s internal controls monitor, prevent, and address cybersecurity threats.

What’s included in a SOC for cybersecurity report?

The report is made up of three key components:

1. Management’s description of their cybersecurity risk management program, aligned with a control framework (more on that below) and 19 description criteria laid out by the AICPA.
2. Management’s assertion that controls are effective to achieve cybersecurity objectives.
3. Service auditor’s opinion on both management’s description and management’s assertion.

Why should you consider a SOC for cybersecurity report?

A SOC for cybersecurity report offers several important benefits for your organization, which include:

• Align with evolving regulatory requirements. The cybersecurity regulatory environment is constantly evolving. In particular, the SEC’s cybersecurity guidelines are becoming stricter over time. A SOC for cybersecurity report can demonstrate you’re aligned with these guidelines. If you’re a public company or are considering going public in the future, you need to be prepared to meet not just the SEC’s guidelines of today, but their evolved guidelines in the future.
• Keep your board of directors informed. Your board is responsible for ensuring the business is effectively addressing and mitigating risks—and that includes cyber risk. A SOC for cybersecurity report offers your board a clear and practical illustration of your organization’s cybersecurity risk management controls.
• Attract and retain more customers. It’s becoming increasingly common for companies to require that their vendors have a SOC for cybersecurity report. Even for companies that don’t require such a report, it’s important to know their vendors are keeping their data safe. Having this report differentiates you from vendors who have not prepared one.
• Improve your cybersecurity posture. A SOC for cybersecurity report can identify current gaps in your cybersecurity risk management program. Once you’ve addressed these gaps, you can show your customers, stakeholders, and shareholders that you’re continuously improving and evolving your cybersecurity risk management approach.

How do I prepare for my SOC for cybersecurity assessment?

There are several steps you should take to prepare for your assessment.

1. Choose your control framework. You have several options, including the NIST Cybersecurity Framework, ISO 27002, and the Secure Controls Framework (SCF). There are multiple online resources to help you choose the framework that’s right for your organization.
2. Determine who your key internal stakeholders are for your cybersecurity risk management program. You’ll need to select a point person to be responsible for ensuring the independent services auditor has all the documentation they need to complete their assessment and act as liaison across internal and external stakeholders.
3. Collect all cybersecurity-related documentation in one location. Make sure you have an organizational system that makes sense to your point person so it’s easy for them to pull the appropriate materials to give to the independent services auditor.
4. Conduct a readiness assessment. You can work with an independent services auditor to conduct such an assessment which will identify gaps you can address before performing the attestation.
5. Select an independent services auditor to perform the attestation. SOC for cybersecurity services are provided by independent CPAs approved by the AICPA. Ideally, you’ll want to select a firm that is experienced in your industry, has a diverse and robust team of cybersecurity professionals, and is accessible when and where you need them.

As always, if you have questions about your specific situation or would like more information about SOC for cybersecurity services, please contact our IT security experts. We’re here to help.

Read this if you have a cybersecurity program.

This week President Joe Biden warned Americans about intelligence that indicated Russia may be preparing to conduct cyberattacks on our private sector businesses and infrastructure as retaliation for sanctions applied to the Russian government (and the oligarchs) as punishment for the invasion of Ukraine. Though there is no specific threat at this time, President Biden’s warning has been an ongoing message since the invasion began. There is no need to panic, but this is a great time to re-visit your current security controls. Focusing on basic IT controls goes can make a big difference in the event of an attack, as hackers tend to go after the easy, low hanging fruit. 

1. Access controls
   Review and understand how all access to your networks is obtained by on-site employees, remote employees, and vendors and guests. Make sure that users are maintaining strong passwords and that no user is connecting remotely to any of your systems without some form of multi-factor authentication (MFA). MFA can come in the form of a token (in hand or built-in) or as one of those numerical codes you have delivered to your phone or email. Poor access controls are simply the difference between leaving your house unlocked versus locked when you leave to go somewhere. 
2. Patching
   One of the most common audit findings we have to date and one of the biggest reasons behind successful attacks is related to unpatched systems. Software patches are issued by software providers to address vulnerabilities in systems that act as an unlocked door to a hacker, and allow hackers to leverage the vulnerability as a way to get into your systems. Ensuring your organization has a robust patch management program in place and that systems are up-to-date on needed patches is critical to your security operations. Think of an unpatched system like a car with a broken window—sure the door is locked, but any thief can reach through the broken window and unlock the car. 
3. Logging 
   Account activity, network traffic, system changes—these are all things that can be easily logged and with the right tools, configured to alert you to suspicious activity. Logging that is done correctly can alert management to suspicious activity occurring on your network and notifies your security team to investigate the issue. Consider logging and alerting like your home’s security camera. It may alert you to the activity outside, but someone still needs to review the footage and react to it to mitigate the threat.  
4. Test backups and more
   Making sure that your systems are successful backed up and kept separate from your production systems is a control we are all familiar with. Organizations should do more than just make sure their backups are performed nightly and maintained, but need to make sure that those data backups can be restored back to a useable state on a regular basis. More so than backups, we also often hear in the work we do that our client’s test only parts of their disaster recovery and failover plans—but have never tested a full-scale fail-over to their backup systems to determine if the failover would be successful in the event of an event or disaster. Organizations shouldn’t be scared to do a full-scale failover test, because when the time comes, you may not have the option to do a partial failover and just hope that it occurs successfully. Not testing your backups is like not test driving a car before you buy it. Sure it looks nice in the lot, but does it actually run? 
5. Incident Management Plan 
   We often review Incident Management Plans as part of the work we do, and often note that the plans are outdated and contain incorrect information. This is an ideal time to make sure your plans are current and reflect changes that may have occurred, like your increasingly remote work force, or that systems have changed. An outdated Incident Management Plan is like being sick and trying to call your doctor for help only to find out your doctor has retired. 
6. Training—phishing attacks
   Hackers’ most common approach to gain access to systems and deploy crippling ransomware attacks is through phishing campaigns via email. Phishing campaigns trick a user into either providing the hacker with credentials to log into systems or to download malware that could turn into ransomware through what appears to be legitimate business correspondence. Training end-users on what to look for in verifying an email’s authenticity is critical and should be seen as an opportunity that benefits the entire organization. Testing users is also critical so management understands the current risk and what is needed for additional training. Security teams should also have other supporting controls to help prevent phishing emails and detection tools in place in case a user does fall for an email. Not training your employees on security is like not coaching your little league team on how to play baseball and then being surprised you didn’t win the game because no one knew what to do. 

In the current environment, information security is an asset to any organization and needs to be supported so that you can protect your organization from cyberattacks of all kinds. While we can never guarantee that having controls in place will prevent an attack from occurring, they make it a lot more challenging for the hacker. One more analogy, and then I’m done, I promise. Basic IT controls are like speedbumps in a neighborhood. While they keep most people from speeding (and if you hit them too fast they do a number on your car), you can still get over them with enough motivation. 

If you have questions about your cybersecurity controls, or would like more information, please contact our IT security experts. We’re here to help.

Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as it relates to financial reporting to better understand risks and because of auditors’ heavy reliance on data pulled from accounting information systems. As auditors, we have seen a significant increase in the amount of impactful incidents affecting not-for-profit organizations and our IT security experts often share valuable advisory comments in annual audit communications with our clients. With recent incidents and a very rapidly changing business environment, here are the three most important from the last six months that impact all not-for-profits. 

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

The use of ransomware as a profitable attack on organizations by hackers continues to rapidly increase. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks. 

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

• Security awareness training on phishing emails and overall IT security practices for all organization users
• Multi-factor authentication 
• Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
• Anti-malware software installed on devices that connect to organization systems 
• Use of Zero Trust data management tools for backups
• Disabling macros in emails (prevents back-end processes from automatically running) 

In addition to including these preventive controls to your cybersecurity program, your organization should assess current corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

• Disaster recovery plans/business continuity plans 
• Incident response plans
• Backup controls and restoration tests 

As the risk of ransomware continues to increase and the types of attacks continue to increase in sophistication, your organization should consider regular assessments of IT controls and cybersecurity practices on a regular basis. Such assessments may be performed in conjunction with annual financial statement audits as an expanded scope and/or as a separate annual IT assessment. 

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, changes to IT systems and controls rapidly adjusted to accommodate this new way of business. 

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert back to the pre-pandemic process—or be formally changed and documented as policy. 

Guidance from the American Institute of Certified Public Accountants (AICPA) dictates that a gap in controls associated with the pandemic is not a legitimate reason for not completing a control and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely or in a hybrid model, or a combination of both, you should assess practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures to accommodate a remote workforce while maintaining security controls. If you have questions regarding you cybersecurity procedures or want to learn more, please contact our team. We’re here to help. 
 

A version of this article was previously published on the Massachusetts Nonprofit Network. 

Editor’s note: While this article is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where considerations of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third-party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to explain to customers and clients answers and explanations you may not have. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.¹  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies likely have language in contracts that already establish requirements for third-parties related to IT security; however the enforcement of such requirements and awareness of what is written in the contract is not enforced or is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements in place to defend themselves against third-party risk which includes:

1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR) which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to any citizen of EU’s personal information. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.²  Gone are the days where regulations lacked the teeth to force companies into compliance. 

With thanks to other major data breaches where hundreds of millions’ consumers private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ. 

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Ohio, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter your line of business must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.³ While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data we have available to us is not used.⁴ Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies and in many cases data’s existence and location is unknown by the organizations that have it. 

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit of investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders). 

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

• Established IT security policies
• Routine, monitored patch management practices (for all servers and workstations)
• Change management controls (for both software and hardware changes)
• Anti-virus/malware on all servers and workstations
• Specific IT security risk assessments 
• User access reviews
• System logging and monitoring 
• Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwarting hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.⁵ 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.⁶  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.⁶ 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team. 
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Is your organization a service provider that hosts or supports sensitive customer data, (e.g., personal health information (PHI), personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants that may affect how your organization manages its systems and data.

In April, the AICPA’s Assurance Executive Committee decided to replace the five Trust Service Principles (TSPs) with Trust Services Criteria (TSC), requiring service organizations to completely rework their internal controls, and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

• Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

• Availability: Information and systems are available for operation and use to meet the entity's objectives.

• Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

• Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

• Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format
The TSC directly relate to the 17 principles found in the Committee of Sponsoring Organization (COSO)’s 2013 Framework for evaluating internal controls, and include additional criteria related to COSO Principle 12. The new TSC are:

• Control Environment: emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.

• Risk Assessment: emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk impact internal controls.

• Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls to an organization through the use of policies and procedures.

• Information and Communication: Emphasis on how you communicate internal of the organization to internal and external parties.

• Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

The AICPA has provided nearly 300 Points of Focus (POF), supporting controls that organizations should consider when addressing the TSC. The POF offer guidance and considerations for controls that address the specifics of the TSC, but they are not required.

Points of Focus
Organizations now have some work to do to meet the guidelines. The good news: there’s still plenty of time to make necessary changes. You can use the current TSP format before December 15, 2018. Any SOC 2 report presented after December 15, 2018, must incorporate the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts.