Cybersecurity disclosures and the role of the Internal Audit: PwC


Cyber risk has ranked high in internal audit risk assessments for the past decade, so your audit plan has likely already covered some of the areas that the new reporting requirements touch. Given the short ramp-up time, though, an independent, holistic evaluation may still be needed to assess readiness from both a first-line and a second-line perspective. Here are a few topics worth considering:

  • Cyber governance: Disclosure management, board reporting and oversight.
  • Cyber risk management: Cyber risk assessment and scenario-based threat modeling; Key Risk Indicators (KRIs); cyber risk and control frameworks anchored to authoritative sources such as NIST CSF and NIST SP 800-53; NIST CSF cyber program capability maturity assessment.
  • Cyber incident reporting: Process, control and maturity assessments in the key areas of incident response management, the security operations center (SOC), security information and event management (SIEM), and technical and executive tabletop exercises.

The new cyber disclosure rule requires even greater communication and connections among IT and security, finance, general counsel…
