COSO Issues Guidance on Cyber Risk Management

Updated: Jan 7


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private-sector organizations established in the United States. COSO provides guidance to executive management and government entities on organizational governance, business ethics, internal control, enterprise risk management, fraud and financial reporting. It does this by developing frameworks and guidance on enterprise risk management, internal control and fraud deterrence. Many companies use COSO's frameworks to manage both financial and non-financial risks.


On Tuesday, COSO published new guidance in collaboration with Deloitte Risk & Financial Advisory, addressing how companies can use COSO's Enterprise Risk Management Framework – Integrating with Strategy and Performance (ERM Framework), one of the most widely recognized and applied risk management frameworks in the world, to assess cyber risks. The ERM Framework was last updated in 2017.


The new guidance, titled “Managing Cyber Risk in a Digital Age,” is written to boards of directors, audit committee members, executive management, and cyber practitioners and provides insight into how organizations can leverage the five components and 20 principles of the ERM Framework to identify and manage cyber risks. The guidance "provides context related to the fundamental concepts of cyber risk management techniques but is not intended to be a comprehensive guide to develop and implement technical strategies."


COSO's voluntary guidelines include the following suggestions: Companies should establish a cyber risk-management team led by a chief information officer. This team should include the executives overseeing risk, finance, audit and other areas. Companies should also consider setting minimum credentialing requirements for information technology executives, as well as adding directors with cybersecurity expertise to their boards.


Among the statistics included in the recent research commissioned by COSO are the following:

  • Digital incidents now cost small businesses $200,000 on average, according to insurance carrier Hiscox, and 60% of those affected go out of business within six months of being victimized. The frequency of these attacks is also increasing, with more than half of all small businesses having suffered a breach within the last year and 4 in 10 having experienced multiple incidents.

  • The percentage of public companies that have appointed technology-focused board members has grown over the last six years from 10 percent to 17 percent.

  • For nearly half of organizations (49%), cybersecurity is on the board’s agenda, at least quarterly.

  • While cyber and IT issues have grown to represent nearly 20 percent of the average internal audit plan, individually these key issues continue to lag behind others considered lower risks by boards, such as operational, financial, reporting, and compliance/regulatory.

  • By 2021, cybercrime damage is expected to hit $6 trillion annually—the equivalent of almost 10% of the world’s economy.

Based on these sobering statistics and the major cyber breaches that have occurred in recent years, companies both large and small would be well advised to critically consider COSO's guidance on managing ever-evolving cyber risks.


To read the full guidance, “Managing Cyber Risk in a Digital Age,” written by Deloitte & Touche LLP and commissioned and released by COSO, see here: https://www.coso.org/Documents/COSO-Deloitte-Managing-Cyber-Risk-in-a-Digital-Age.pdf



©2019 by Compliance Notes. Proudly created with Wix.com