Leverages Information and Technology

Last time, I introduced the 5th and final COSO guiding principle – Information, Communication and Reporting. This time, let’s dig into the first point under that principle, which is Leverages Information and Technology.

As a reminder, the COSO guiding principle of Information, Communication and Reporting has three points: 

  1. Leverages Information and Technology

  2. Communicates Risk Information

  3. Reports on Risk, Culture and Performance

As I mentioned last time, organizations leverage data to make better and faster business decisions. Threats such as ransomware have become prevalent over the past several years and have significantly impacted the availability and reliability of organizations' critical systems and data, and in some cases even physical safety.

Cyber threats like ransomware not only have internal repercussions; if customer data is exposed or revenue-generating services are taken offline, they may also result in significant reputational impact or non-compliance with a regulatory requirement. Organizations may also rely on internal information systems for critical financial reporting and decision-making support.

Recovering from ransomware, or any cybersecurity incident for that matter, can be extremely expensive. Since ransomware has become so prevalent, let’s focus on some statistics that should drive the point home. This may sound like FUD, but it is meant to “prep the battlefield”, so to speak:

  • Cybersecurity Ventures predicts that a business will fall victim to a ransomware attack every 11 seconds in 2021.

  • Colonial Pipeline just paid $4.4 million to Darkside. The total cost to recover is still to be determined.

  • The NotPetya ransomware outbreak in 2017 caused about $10B in damages globally.

    • Merck alone was hit by $870M in total damages, and FedEx about $400M.

  • Norsk Hydro was attacked in March 2019, forcing it to fall back to manual processes. Their damages approach the $100M mark.

These threats may also impact the internal tools used to aid cyber risk management and reporting, such as governance, risk, and compliance (GRC) systems that track and report risks using automated workflows. SIEMs and SOAR platforms act on the large volumes of data that security tooling generates to facilitate alerting, reporting, and response to security events. Take particular care in protecting the integrity and availability of these systems: if they are compromised or taken offline, a cascading effect may leave executive leadership blind to material threats and risks facing the organization.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up.

Have a great week!
