ISA Auditing Recommendations and the Presidential Commission on Enhancing National Cybersecurity

June 7, 2017

ISA Auditing Recommendations

Source: Chapter 13 of The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity

Presidential Commission on Enhancing National Cybersecurity
The Regulatory Systems that Come into Play in Breach Situations Should Allow for an Appropriate Assessment of Cyber Defenses Deployed by Management, Including The Timeliness of Remediation and the Resiliency of the Company
“Without positive reinforcement for good actors, there may not be sufficient incentives for companies to step up to the costly process of maximizing their protections. Our regulatory and legal processes should never act as a disincentive to installing appropriate internal controls necessary to protect the company and its stakeholders. In other words, if a company sees the regulatory and legal downside of a security breach as being no different whether they make a good faith effort to prevent, detect and remediate for such exposures or not, then some companies will do less and ‘hope’ that nothing bad happens.”

Commission Action Item 1.4.5: The government should extend additional incentives to companies that have implemented cyber risk management principles and demonstrate collaborative engagement. (SHORT TERM)

 

Commission text: The next Administration and Congress should pass legislation that provides appropriate liability protections for businesses that engage in cyber risk mitigation practices that are consistent either with the Cybersecurity Framework or with common industry segment practices, and that engage in cyber collaboration with government and industry. Safe harbors would be particularly appropriate to consider in the context of providing business certainty for companies that operate in regulated sectors. Additional benefits to encourage enhanced cybersecurity might include tax incentives, government procurement incentives, public recognition programs, prioritized cyber technical assistance, and regulatory streamlining. In addition, research and development efforts should specifically include a detailed study of how best to improve network security through incentives.

 

Improvements Driven by The Private Sector Significantly Increase the Opportunity to Produce Meaningful and Timely Improvements in Current Practice
“Although the AICPA has begun development of a new attest service, we believe that the decision to utilize such a service should rest with each individual company and its board and management and should not become a regulatory requirement.”

Commission Foundational Principle 10: The right mix of incentives must be provided, with a heavy reliance on market forces and supportive government actions, to enhance cybersecurity. Incentives should always be preferred over regulation, which should be considered only when the risks to public safety and security are material and the market cannot adequately mitigate these risks.

Commission Action Item 1.4.5: The government should extend additional incentives to companies that have implemented cyber risk management principles and demonstrate collaborative engagement. (SHORT TERM)

 

Commission text: The next Administration and Congress should pass legislation that provides appropriate liability protections for businesses that engage in cyber risk mitigation practices that are consistent either with the Cybersecurity Framework or with common industry segment practices, and that engage in cyber collaboration with government and industry. Safe harbors would be particularly appropriate to consider in the context of providing business certainty for companies that operate in regulated sectors. Additional benefits to encourage enhanced cybersecurity might include tax incentives, government procurement incentives, public recognition programs, prioritized cyber technical assistance, and regulatory streamlining. In addition, research and development efforts should specifically include a detailed study of how best to improve network security through incentives.

 
