Establishing a cybersecurity risk management program

Learn about developing a cybersecurity risk management program, and get up to speed on the current disclosure environment for registrants and reporting issuers.

Cybersecurity continues to be one of the top risks on the minds of stakeholders at all levels across the public, private, not-for-profit and government sectors. Given the significant reputational, operational, financial, legal and regulatory implications of data breaches, establishing a risk management program is one way to understand an organization’s exposure to cybersecurity risk and the related policies, processes and controls it has in place to address this risk.

Key takeaways: 

  • the basics of System and Organization Controls (SOC) for Cybersecurity, the cybersecurity reporting framework issued by the American Institute of Certified Public Accountants (AICPA)
  • questions for management of all entities to consider in developing a cybersecurity risk management program based on the AICPA’s guidance
  • guidance issued by the Canadian Securities Administrators (CSA) and the Securities and Exchange Commission (SEC) on cybersecurity risk disclosure