Financial professionals have a primary role in financial reporting, among many other responsibilities. However, reporting is intricately intertwined with another critical domain — cybersecurity. Whether they are preparing the company’s financial statements, verifying internal controls related to financial reporting (ICFR), or ensuring that IT-related financial risks are mitigated, cybersecurity significantly impacts the daily responsibilities of finance professionals.

To keep cybersecurity at the forefront, you can start by emphasizing accountability, implementing fundamental controls, and fostering communication. Here are some key areas where you can make a difference:

Outsourced Services

While outsourcing relieves internal pressures, it introduces potential new risks. As more third-party resources are used, the company’s risk profile continues to change, and new considerations might be necessary. It falls to the company’s responsibility to ensure that contracted vendors maintain the necessary controls and standards for data security.

Third-party vendors may provide a System and Organization Control (SOC) 1 report that outlines their services and controls that could impact the company’s internal controls related to financial reporting. An additional report that might be available from a third-party vendor could be a SOC 2 report, which would address security and an optional trust category such as confidentiality. It is necessary to establish policies and procedures to review available SOC reports from your vendor to understand their controls and the potential impact on your company.

Cybersecurity Insurance

Acquiring cybersecurity insurance has become more complex, with coverage varying between carriers. Close collaboration with your insurance broker is critical to grasp what’s covered and review any potential limitations to the policy.

The company must establish, maintain and monitor its technology environment and information security controls to retain cybersecurity insurance. Before applying for coverage, consider conducting an IT risk assessment to identify potential threats to equipment and controls better. Even though this could require time and financial investment, an IT risk assessment will help identify and mitigate high-risk areas.

Access Management

Establishing an IT environment that supports cybersecurity hygiene is vital. Access, security, and change management work in tandem to prevent potential threats.

While it’s usually the first security principle to address, access management is often the most likely failure when managing cybersecurity controls. Access management involves a two-step process that begins with granting access to an application and then removing access promptly when necessary.

Security roles must be clearly defined to ensure employees receive only the necessary access for their roles. When it’s time to remove an employee’s access, clear communication and expectations are critical to the process, typically initiated by human resources and overseen by IT to ensure complete termination of access rights. This helps prevent hackers from taking control of any departing user’s accounts.

Network Security Management

Understanding network security’s impact on the company’s ICFR is essential. Critical controls include anti-virus/malware applications, network vulnerability assessment and network threat monitoring. Whether these efforts are handled in-house or outsourced to a third-party vendor, management must stay involved and updated on activities that could impact the company. For internal resources, there must be constant review and assessment of the network security, including monitoring any threats from when they are identified to when they are resolved.

Application Change Management

Change management is another critical cybersecurity control area and trails only behind access management as a common failure area. Risks can arise during authorization, testing, and approval processes. Proper authorization and approval ensure that changes are not implemented until they have been thoroughly reviewed and approved by the appropriate individuals.

Companies using third-party-hosted applications should establish controls to keep track of changes made by the vendor and their impact on the company’s operations. Even with third-party vendors, companies must continue to manage whether a purchased application functions as expected and provides correct reports to meet the company’s needs.

It is important to recognize that cybersecurity management shouldn’t solely fall on the IT department. Every team member has a role in safeguarding the company by following established policies and procedures. Finance professionals can contribute positively to cybersecurity by remaining vigilant and attentive to cybersecurity risk factors.

RKL’s team of IS assurance and advisory professionals can help your organization navigate the complexities of cybersecurity.

________________

Michael T. McAllister, CPA.CITP, CISA, is the leader of RKL’s IS Assurance Practice. He serves clients in a variety of industries through information technology internal audits; IT governance, revaluation, and design; and QA/IV&V (Quality Assurance, Independent Verification and Validation) engagements. McAllister also provides SOC services for various types of entities, ranging from national service bureaus, financial institutional support entities, and data hosting services.