Cybersecurity Framework “SOCs” It to Cyber Threats

Businesses are increasingly reliant on technology to achieve organizational objectives. However, with the convenience and efficiency of technology come intensifying risks of data loss and theft. High-profile data breaches top news headlines daily. Protecting your organization’s electronic assets from theft is of the utmost priority.

Cybersecurity deficiencies can expose organizations to irreparable reputational damage. Evaluating your organization’s cybersecurity risks and controls is paramount. Until recently, however, there was not a unified framework that allowed organizations to communicate with stakeholders in a common and concise language about the extent and effectiveness of controls in place to mitigate cybersecurity risk.

To offer a solution to this issue, the AICPA developed a cybersecurity risk management reporting framework. The framework is an essential component of the System and Organization Controls (SOC) for Cybersecurity engagement. This engagement allows certified public accountants (CPAs) to issue an opinion on the effectiveness of the organization’s cybersecurity controls and threat mitigation.

For those familiar with Service Organization Control reports already issued by CPAs, the fundamentals are the same: a qualified CPA reports on the accuracy of management’s description and evaluates the effectiveness of management’s controls over cybersecurity risk. The key difference, however, is that these reports are not limited to service organizations. In fact, the AICPA renamed the reporting method so that the “S” in SOC now stands for “System” instead of “Service.” This change broadens the scope of the report to cover any industry and organization that would find itself at risk from cyber threats.

An additional benefit of the cybersecurity risk management reporting framework is that it is flexible, yet consistent. This advantage allows the framework to seamlessly complement existing cybersecurity risk management frameworks. Management can encourage organizations to use the framework to evaluate their own programs and standardize assessment of their cybersecurity control environment. Once management has established a thorough system of controls to mitigate cybersecurity risk, a qualified CPA may attest to management’s control description, as well as the design and operating effectiveness of the controls.

CPAs can provide both advisory and attestation engagements related to cybersecurity frameworks. Advisory engagements are designed to help clients strengthen their cybersecurity control programs, while attestation engagements provide an opinion on the entity’s description and effectiveness of controls.

Lastly, organization stakeholders benefit from having their financial and reputational interests secured, thereby increasing confidence in an organization’s due diligence to proactively address and reduce risks from both external and internal cyber threats.

PYA has released a white paper that discusses the importance of the AICPA’s cybersecurity risk management framework and SOC for Cybersecurity in assessing the strength and effectiveness of cybersecurity risk management programs.

If you would like more information about SOCs for cybersecurity, or would like to request a speaker for your organization or event, contact one of our PYA executives below at (800) 270-9629.

Barry Mathis

Mike Shamblin

Managing Principal of Audit & Assurance Services
