COSO-Focused Cyber Risk Assessment for Internal Auditors September 2015 Siah Weng Yew, Deloitte Risk Consulting Thio Tse Gan, Deloitte Risk Consulting


Cyber risk—High on the agenda

Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government and regulatory

The Executive Order highlights the focus on an improved cybersecurity framework and the rapid changes of regulatory agency expectations and oversight.

Recent U.S. Securities and Exchange Commission (SEC) guidance regarding disclosure obligations relating to cybersecurity risks and incidents:

“Registrants should address cybersecurity risks and cyber incidents in their Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Risk Factors, Description of Business, Legal Proceedings and Financial Statement Disclosures.” (SEC Division of Corporation Finance, Disclosure Guidance: Topic No. 2 - Cybersecurity)

Ever-growing concerns about cyber-attacks affecting the nation’s critical infrastructure prompted the signing of Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity.

One of the foundational drivers behind the update and release of the 2013 COSO Framework was the need to address how organizations use and rely on evolving technology for internal control.


Cyber Risk – COSO Framework 2013


Transformation of IT when the COSO 1992 framework was initially


COSO 2013 Framework

• Different business environment in 1992:

1. There were fewer than 14 million Internet users worldwide in 1992, compared to nearly 3 billion today.
2. America Online (AOL) for Microsoft DOS had been recently released.
3. Microsoft Internet Explorer did not exist.
4. Some of the most popular cell phones were “bag phones.”
5. Telephone and fax were the predominant ways businesses communicated.

• Nowadays:

1. Customers’ orders are now processed over electronic data interchanges on the Internet with little or no human intervention.
2. More and more corporate personnel work remotely or from home, with little need to come into the office. Online-only banks exist, and nearly all banks offer Internet banking to customers.

Cyber Risk – COSO Cube

COSO 2013 Framework

• Control Environment — Does the board of directors understand the organization’s cyber risk profile, and are they informed of how the organization is managing the evolving cyber risks management faces?

• Risk Assessment — Has the organization and its critical stakeholders evaluated its operations, reporting, and compliance objectives and gathered information to understand how cyber risk could impact such

• Control Activities — Has the entity developed control activities, including general control activities over technology, that enable the organization to manage cyber risk within the level of tolerance acceptable to the organization? Have such control activities been deployed through formalized policies and procedures?

• Information and Communication — Has the organization identified information requirements to manage internal control over cyber risk? Has the organization defined internal and external communication channels and protocols that support the functioning of internal control? How will the organization respond to, manage, and communicate a cyber risk event?

• Monitoring Activities — How will the organization select, develop, and perform evaluations to ascertain the design and operating effectiveness of internal controls that address cyber risks? When deficiencies are identified, how are they communicated and prioritized for corrective action? What is the organization doing to monitor its cyber risk profile?

Effective risk management is the product of multiple layers of risk defense. Internal Audit should support the board’s need to understand the effectiveness of cybersecurity controls.

COSO 2013 - Control Environment

Roles and responsibilities

1st line of defense: business and IT
• Establish governance and oversight
• Set risk baselines, policies, and standards
• Implement tools and processes
• Monitor and call for action, as appropriate

2nd line of defense: information and technology risk management
• Provide oversight, consultation, checks and balances, and enterprise-level policies and standards
• Incorporate risk-informed decision making into day-to-day operations and fully integrate risk management into operational
• Define risk appetite and escalate risks outside of tolerance
• Mitigate risks, as appropriate

3rd line of defense: internal audit
• Independently review program effectiveness
• Provide confirmation to the board on risk management
• Meet requirements of regulator disclosure obligations focused on cybersecurity risks

Given recent high-profile cyber attacks and data losses, and the regulators’ expectations, it is critical for Internal Audit to understand cyber risks and be prepared to address the questions and concerns expressed by the audit committee and the board.

The forces driving growth and efficiency may create a broad attack surface

COSO 2013 - Risk Assessment

Technology becomes more pervasive
• Internet, cloud, mobile, and social are mainstream platforms inherently oriented for sharing
• Employees want continuous, real-time access to their information

Changing business models
• Service models have evolved: outsourcing, offshoring, contracting, and remote workforce

More data to protect
• Increased volume of customers’ personal, account, and credit card data, as well as employees’ personally identifiable information and company trade secrets
• The need to comply with privacy requirements across a wide array of jurisdictions

Threat actors with varying motives
• Hackers to nation states
• Continuously innovating and subverting common controls
• Often beyond the reach of a country’s law enforcement

Data growth (chart)



COSO 2013 - Risk Assessment: Understanding the actors and their attributes

COSO 2013 - Risk Assessment: Lifecycle of an attack – Monetisation

“The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success” (Business Week)

Lifecycle of the Target breach, as laid out on the slide:

1. One of Target’s third parties was breached via a phishing email; credentials to a procurement application were stolen.
2. Attackers used the credentials to breach the network, infect Target’s POS systems and commit the largest data breach to date.
3. Vulnerabilities had been identified and the attack was detected early enough to avoid the breach, but the risks were neither articulated nor managed appropriately by executive
4. Intense and prolific media coverage exposed the breach.
5. Loss of consumer confidence and sales; brand reputation and market confidence damaged.
6. More than 90 lawsuits filed against Target by customers and banks; more than $61m spent within 3 months to increase security capabilities.
7. Target’s CEO, CIO and Security Officer resigned.

By the numbers (figures shown on the slide; the values did not survive extraction): number of credit card numbers; current cost of Target’s data breach; drop in earnings reflecting more cautious consumer spending; time Target will provide free credit screening services to any customers; Forrester Research’s forecasted total cost to Target resulting from; “1 Year”.



The Target breach reiterated several realities
• No industry is immune, and all will be compromised
• Security damages go well beyond dollars
• The speed of attacks is increasing while response times are decreasing
• Not everything can be protected equally
• Traditional controls are necessary but not
• A secure, vigilant and resilient program requires strong governance and risk management


BY THE NUMBERS*: In December 2013, Target disclosed that it was the victim of the world’s largest data breach, which affected more than 100M customers.


Risk Appetite - How to erode a successful brand

COSO 2013 - Risk Assessment

• Perimeter defenses

• Vulnerability management

• Asset management

• Identity management

• Secure SDLC

• Data protection

Cyber Risk Program and Governance

Risk Appetite - Management should develop an understanding of who might attack, why, and how

COSO 2013 - Risk Assessment

Who might attack?
• Cyber criminals
• Hacktivists (agenda driven)
• Nation states
• Insiders/partners
• Competitors
• Skilled individual hackers

What are they after, and what business risks do I need to mitigate?
• Theft of IP/strategic plans
• Financial fraud
• Reputation damage
• Business disruption
• Destruction of critical infrastructure
• Threats to health and safety

What tactics might they use?
• Spear phishing, drive-by download, etc.
• Software or hardware vulnerabilities
• Third-party compromise
• Multi-channel attacks
• Stolen credentials

Cyber risk program and governance
• Governance and operating model
• Policies and standards
• Management processes and capabilities
• Risk reporting
• Risk awareness and culture

Secure: Are controls in place to guard against known and emerging threats?

Vigilant: Can we detect malicious or unauthorized activity, including the unknown?
• Threat intelligence
• Security monitoring
• Behavioral analysis
• Risk analytics

Resilient: Can we act and recover quickly to reduce impact?
• Incident response
• Forensics
• Business continuity / disaster recovery
• Crisis management

An internal audit assessment of cybersecurity should cover all domains and relevant capabilities, and involve subject matter specialists when


COSO 2013 - Risk Assessment

Phase I: Planning and scoping
• Identify specific internal and external stakeholders: IT, Compliance, Legal, Risk, etc.
• Understand organization mission and objectives
• Identify industry requirements and regulatory landscape
• Perform industry and sector risk profiling (i.e., review industry reports, news, trends, risk vectors)
• Identify in-scope systems and assets
• Identify vendors and third-party
Deliverables:
• Assessment objectives and
• Capability assessment scorecard

Phase II: Understand current state
• Conduct interviews and workshops to understand the current profile
• Perform walkthroughs of in-scope systems and processes to understand existing controls
• Understand the use of third parties, including reviews of applicable reports
• Review relevant policies and procedures, including security environment, strategic plans, and governance for both internal and external
• Review self-assessments
• Review prior audits
Deliverables:
• Understanding of environment and current state

Phase III: Risk
• Document list of potential risks across all in-scope capabilities
• Collaborate with subject matter specialists and management to stratify emerging risks, and document potential impact
• Evaluate likelihood and impact of risks
• Prioritize risks based upon organization’s objectives, capabilities, and risk appetite
• Review and validate the risk assessment results with management and identify
Deliverables:
• Prioritized risk ranking
• Capability assessment findings

Phase IV: Gap assessment and recommendations
• Document capability assessment results and develop assessment scorecard
• Review assessment results with specific stakeholders
• Identify gaps and evaluate potential severity
• Map to maturity analysis
• Document recommendations
• Develop multiyear cybersecurity/IT audit plan
Deliverables:
• Maturity analysis
• Assessment scorecard
• Remediation recommendations
• Cybersecurity audit plan

A cybersecurity assessment can drive a risk-based IT internal audit plan. Audit frequency should correspond to the level of risk identified, and applicable regulatory requirements/expectations.

Representative internal audit plan

Internal Audit | Scheduled (one X per fiscal year, FY 2015 – FY 2017) | Notes (representative)
SOX IT General Computer Controls | X X X | Annual requirement but only covers financially significant systems and applications
External Penetration and Vulnerability Testing | X X X | Cover a portion of IP addresses each year
Internal Vulnerability Testing | X | Lower risk due to physical access controls
Business Continuity Plan/Disaster Recovery Plan | X X | Coordinate with annual 1st and 2nd line of defense testing
Data Protection and Information Security | X | Lower risk due to …
Third-party Management | X | Lower risk due to …
Risk Analytics | X X X | Annual testing to cycle through risk areas, and continuous monitoring
Crisis Management | X X | Cyber war gaming scenario planned
Social Media | X | Social media policy and awareness program
Data Loss Protection (DLP) | X | Shared drive scan for SSN / Credit Card #

Certain cybersecurity domains may be partially covered by existing IT audits; however, many capabilities have historically not been reviewed by internal audit.

Deloitte cybersecurity framework*

Existing IT audits that overlap with the framework: SOX (financially relevant systems only); penetration and vulnerability testing; BCP/DRP testing.

Identity and access management
• Account provisioning
• Privileged user management
• Access certification
• Access management and governance

Data management and protection
• Data classification and inventory
• Breach notification and management
• Data loss prevention
• Data security strategy
• Data encryption and obfuscation
• Records and mobile device management

Secure development life cycle
• Secure build and testing
• Secure coding guidelines
• Application role design/access
• Security design/architecture
• Security/risk requirements

Cybersecurity risk and compliance management
• Compliance monitoring
• Issue and corrective action planning
• Regulatory and exam management
• Risk and compliance assessment and mgmt.
• Integrated requirements and control framework

Threat and vulnerability management
• Incident response and forensics
• Application security testing
• Threat modeling and intelligence
• Security event monitoring and logging
• Penetration testing
• Vulnerability management

Security operations
• Change management
• Configuration management
• Network defense
• Security operations management
• Security architecture

Security awareness and training
• Security training
• Security awareness
• Third-party responsibilities

Crisis management and resiliency
• Business impact analysis
• Recovery strategy, plans, and procedures
• Testing and exercising

Risk analytics
• Information gathering and analysis around:
– User, account, entity
– Events/incidents
– Fraud and anti-money laundering
– Operational loss

Security program and talent management
• Security direction and strategy
• Security budget and finance management
• Policy and standards management
• Exception management
• Talent strategy

Third-party management
• Evaluation and selection
• Contract and service initiation
• Ongoing monitoring
• Service termination

Information and asset management
• Information and asset classification and inventory
• Information records management
• Physical and environment security controls
• Physical media handling

* The Deloitte cybersecurity framework is aligned with industry standards and maps to NIST, ISO, COSO, and ITIL.

Maintaining and enhancing security capabilities can help mitigate cyber threats and help the organization to arrive at its desired level of maturity

COSO 2013 - Assessment maturity analysis

Maturity analysis (chart): each cybersecurity domain is plotted against the five CMMI stages (Initial, Managed, Defined, Predictable, Optimized), showing the current state CMMI maturity* and the desired / target state.

Cybersecurity domains:
• Cybersecurity risk and compliance mgmt.
• Third-party management
• Secure development life cycle
• Information and asset management
• Security program and talent management
• Identity and access management
• Threat and vulnerability management
• Data management and protection
• Risk analytics
• Crisis management and resiliency
• Security operations
• Security awareness and training

Stage 1: Initial
• Recognized the issue
• Ad-hoc/case by case
• Partially achieved goals
• No training, communication, or

Stage 2: Managed
• Process is managed
• Responsibility defined
• Defined procedures with
• Process reviews

Stage 3: Defined
• Defined process
• Communicated procedures
• Performance data collected
• Integrated with other processes
• Compliance oversight

Stage 4: Predictable
• Defined quantitative performance thresholds and control limits
• Constant improvement
• Automation and tools implemented
• Managed to business objectives

Stage 5: Optimized
• Continuously improved
• Improvement objectives
• Integrated with IT
• Automated workflow
• Improvements from new

*The industry-recognized Capability Maturity Model Integration (CMMI) can be used as the model for the assessment. Each domain consists of specific capabilities which are assessed and averaged to calculate an overall domain maturity.
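The footnote describes domain maturity as the average of the assessed capability ratings. The Python below is an added example, not code from the Deloitte deck: it scores constructed sample ratings for three of the framework's domains, labels each score with its CMMI stage, ranks the domains by their gap to a constructed target state, and also reports the weakest capability in each domain, since an average can hide one.

```python
"""Domain maturity scoring for a cybersecurity capability assessment.

Added example (not code from the deck): capability ratings on the five CMMI
stages named on the slide are averaged into a domain score and compared
with a target state. Names are from the framework slide; ratings and
targets are constructed sample data.
"""
from statistics import mean

# CMMI stages as named on the slide (1 = Initial ... 5 = Optimized).
STAGES = {1: "Initial", 2: "Managed", 3: "Defined", 4: "Predictable", 5: "Optimized"}

# Constructed sample scorecard: domain -> {capability: current stage (1-5)}.
SCORECARD = {
    "Identity and access management": {
        "Account provisioning": 3, "Privileged user management": 2,
        "Access certification": 2, "Access management and governance": 3,
    },
    "Threat and vulnerability management": {
        "Incident response and forensics": 2, "Penetration testing": 4,
        "Security event monitoring and logging": 3, "Vulnerability management": 3,
    },
    "Data management and protection": {
        "Data classification and inventory": 1, "Data loss prevention": 2,
        "Data encryption and obfuscation": 2,
    },
}

# Constructed desired / target state per domain (CMMI stage number).
TARGETS = {
    "Identity and access management": 4,
    "Threat and vulnerability management": 4,
    "Data management and protection": 3,
}


def domain_maturity(capabilities):
    """Average the capability ratings into one domain score (1 decimal)."""
    ratings = list(capabilities.values())
    if not ratings or any(r not in STAGES for r in ratings):
        raise ValueError("every capability needs a CMMI stage rating 1-5")
    return round(mean(ratings), 1)


def stage_label(score):
    """Name of the stage a (possibly fractional) score has fully reached."""
    return STAGES[max(1, min(5, int(score)))]


def gap_analysis(scorecard, targets):
    """Rows sorted by gap to target, largest first (audit-plan priority).
    The lowest-rated capability is reported beside the domain average."""
    rows = []
    for domain, caps in scorecard.items():
        current = domain_maturity(caps)
        weakest = min(caps, key=caps.get)  # first capability with the lowest rating
        rows.append({"domain": domain, "current": current,
                     "stage": stage_label(current), "target": targets[domain],
                     "gap": round(targets[domain] - current, 1),
                     "weakest": f"{weakest} ({STAGES[caps[weakest]]})"})
    return sorted(rows, key=lambda r: r["gap"], reverse=True)
```

Calling gap_analysis(SCORECARD, TARGETS) on the sample data ranks Identity and access management first (gap 1.5) even though Data management and protection has the lowest-rated capability, which is why the weakest field is worth carrying into the scorecard.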

COSO 2013 - Communication

Important to communicate to the various

• Communication
1. To all personnel
2. To those explicitly responsible for managing and monitoring cyber risks and controls
3. To the Board of Directors
4. External parties

COSO 2013 – Control Environment & Monitoring

Control Environment and Monitoring Activities — Managing Cyber Risk is not possible Without

• The Control Environment and Monitoring Activities internal control components are foundational for an organization to properly manage its cyber risk exposures.
• Qualified cyber risk professionals are also critically important to the Monitoring Activities of the organization.

Internal Audit Areas
- Email Phishing
- Cybersecurity Simulations

Examples of new areas covered: Social Engineering – Email or USB phishing

Attacker uses spear phishing or mass-mailing attacks to distribute malware.

1. Confirmation of objective (flags)
2. Confirmation of “target” distribution list
3. Engagement: simulate a ‘phishing’ attack against the agreed address list
4. Demonstrate the relative success of the attack by collecting non-personally identifiable information for statistical
5. Client briefing/presentation
6. Phishing awareness workshop and e-learning

Scenarios that challenge

Simulations need to be designed which focus on the business and strategic consequences of high impact events and which are genuinely challenging and informative for senior

Example topic areas (Pandemic or Natural Disaster; Sovereign Debt; Cyber Security), with a strategic focus and an operational focus:

• Rise in reinsurance claims – strategic impact
• Medium / long term productivity planning
• Geographical handover strategies
• Resource management
• Workload distribution
• Reinsurance claims - estimation / escalation
• Data theft – Regulatory and media impacts
• Cyber investment strategy – options
• Media management - cyber attack
• Technical failure
• Escalation and invocation channels
• Cyber attack – pre-emptive measures
• Asian crisis – disruption to growth initiative
• Protectionism
• Future market assessment – political risk, war
• Analysis of 2nd and 3rd order effects
• Single team market analysis
• APAC Resource management
• Workload distribution
• Stakeholder strategy and communications
• Counterparty appraisal strategy review
• Analysis of 2nd and 3rd order effects
• Workarounds for affected processes
• Review of legal positions/contract documentation
• Risk exposure analysis & interdependencies
• Geographical restructuring strategies
• Future market assessment – currency risk
• Firm strategy - Portfolio management
• Workload handover – office disruption
• Internal and external communications
• Single team market analysis
• Organisational / structural changes
• Managing reinsurance demand - strategies
– Short / Medium / Long term
• Coordination of BAU process changes
• Contract / data review and management
• Examine tech/financial model adjustments

Examples of new areas covered

Cyber attack through a third party vendor

• To provide education and awareness of key cyber threats the bank faces, as well as the opportunity to review how the Group Crisis Management Team would respond to a hypothetical cyber threat scenario in a safe environment
• Practising the response to emerging cyber threats will help speed up the decision-making during an actual event and lessen its impact

• Provide education and awareness
• Have engaging discussion around critical decision making
• Build teamwork, collaborative working and confidence
• Identify key stakeholders and associated roles and responsibilities
• Derive lessons learned and follow-up actions
• Support the development of a Cyber Contingency Plan

• Develop a real-time Communications Strategy & Framework, to be used for internal and external communications (during business as usual and crises)
• Review all existing critical activities to confirm that all single points of failure (SPOFs) (internal and external) have been identified, that a ‘BCM mentality’ has been applied to them, and that necessary contingency strategies are in place
• Review the process for how to embed resilience into all design changes
• Review, from a Legal perspective, the degree of control at times of incidents/crisis over key vendors

Supported a global bank to design and deliver its annual Global Crisis Management Exercise, focussing on Cyber preparedness. We designed and delivered a 3-hour Cyber Workshop which included external guest speakers on Cyber and external communications, as well as a high-level facilitated scenario walkthrough.

• 4-stage unfolding and escalating scenario
• 20 Executive members participated via video conference across 3 global locations
• 2 external luminary speakers involved to provide views of macro Cyber threats in FS and strategic management of the media in a Crisis

Examples of new areas covered

Conclusion: Key Questions to Ask

