The largest breach of sensitive information to date has occurred at Equifax and may have affected 143 million people, or as many as 50% of Americans. In response, Equifax is selling its TrustID service to consumers. Signing up for the service also acts as an agreement not to participate in a lawsuit. One such class action suit has already been filed by OlsenDaines in Oregon.
With cyberattacks becoming more common, all companies’ cybersecurity risk programs could benefit from an independent validation from a CPA. This June the AICPA released a new cybersecurity risk program examination, as part of its redefined SOC reports. SOC previously stood for Service Organization Controls; now the term stands for System and Organization Controls. SOC for cybersecurity has been added to the SOC 1, SOC 2, and SOC 3 reports.
The new SOC for cybersecurity examination offers a structured approach to implementing security controls to protect information and systems from compromise and to detect and recover from security events that are not prevented.
While the SOC 2 report is a general use report for service organizations that provide services to other organizations, the cybersecurity examination is not limited in that way. It is also broader in that it allows no carve-outs: organizations are responsible for all controls within the risk management program regardless of who is responsible for performing the controls.
The cybersecurity risk management engagement does not include details on the operating effectiveness of controls over a period of time.
The SOC 2 report includes the following components: a description of the cybersecurity risk management program created by the organization and presented to the auditor, a management assertion letter vouching for the description of the program, and an audit opinion on the organization’s cybersecurity program from the auditor.
Bloomberg reported that executives sold stock in the company before going public with the leak, which occurred on July 29 and was made public on September 7. The transactions in question were initiated by CFO and Corporate VP John Gamble, who sold $946,374 worth of shares; President of U.S. Information Solutions Joseph Loughran, who dumped $584,099; and President of Workforce Solutions Rodolfo Ploder, who sold $250,458 in shares. As Bloomberg notes, these transactions were not pre-scheduled trades, and they took place on August 2, three days after the company learned of the hack.