Fraud and Cybersecurity: Top Issues for the CPA
Copyright © 2019 by
DELTACPE LLC
All rights reserved. No part of this course may be reproduced in any form or by any means, without permission in
writing from the publisher.
The author is not engaged by this text or any accompanying lecture or electronic media in the rendering of legal,
tax, accounting, or similar professional services. While the legal, tax and accounting issues discussed in this
material have been reviewed with sources believed to be reliable, concepts discussed can be affected by changes
in the law or in the interpretation of such laws since this text was printed. For that reason, the accuracy and
completeness of this information and the author's opinions based thereon cannot be guaranteed. In addition,
state or local tax laws and procedural rules may have a material impact on the general discussion. As a result, the
strategies suggested may not be suitable for every individual. Before taking any action, all references and citations
should be checked and updated accordingly.
This publication is designed to provide accurate and authoritative information in regard to the subject matter
covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other
professional service. If legal advice or other expert advice is required, the services of a competent professional
person should be sought.
—From a Declaration of Principles jointly adopted by a committee of the American Bar Association and a
Committee of Publishers and Associations.
Course Description
Cybercrime continues to escalate, ranking as one of the most reported economic crimes. The interconnectivity of
people, devices and organizations in today’s digital world opens up a whole new playing field of vulnerabilities
and access points where cybercriminals can get in. Cyberattacks are becoming more destructive globally. In
today’s cybercrime environment, the issue is not whether a business will be compromised, but rather how
successful an attack will be.
This course covers digital technology as it continues to transform and disrupt the world of business, exposing
organizations to both opportunities and threats. Key elements of effective cybersecurity risk management include
threats and vulnerabilities awareness, understanding of cyber risks, implementation of an effective framework,
as well as the detection of and response to cyberattacks. The challenges, such as leadership engagement and
approach to managing cyber risks, are discussed along with the government’s efforts to address potential
cybersecurity risks threatening the nation, businesses, and individuals.
Field of Study: Auditing – Fraud
Level of Knowledge: Overview
Prerequisite: None
Advanced Preparation: None
Table of Contents
Learning Objectives ................................................................................................................ 1
Course Introduction ................................................................................................................ 2
I. The Basis of Fraud ............................................................................................................ 4
Definition of Fraud ............................................................................................................................ 4
Conditions of Fraud ........................................................................................................................... 5
The Fraud Triangle ......................................................................................................................................5
The Fraud Diamond .................................................................................................................................. 10
Computer and Internet Fraud .......................................................................................................... 11
Overview ................................................................................................................................................. 11
The Concept of the Cyber World ............................................................................................................... 12
Types of Cyber Fraud ................................................................................................................................ 16
Impact of Security Breaches ...................................................................................................................... 29
Review Questions - Section 1 .......................................................................................................... 34
II. Trends in the Cyber World ......................................................................................... 35
The Internet of Things ..................................................................................................................... 35
Cybersecurity Framework Adoption ................................................................................................ 37
The Adaption to the New Reality .............................................................................................................. 37
New Approaches for a Changing Business Environment ............................................................................. 38
The Rising Threats of Corporate Cybercrime .................................................................................... 40
III. Challenges in the Cyber World ............................................................................... 45
Overview ........................................................................................................................................ 45
Engagement of Leadership .............................................................................................................. 46
Managing Cyber Risks ..................................................................................................................... 48
Internet of Things - Security Concerns ............................................................................................. 50
IV. Government Acts to Enhance Cybersecurity ..................................................... 52
An Overview of Key Legislations ...................................................................................................... 52
Cybersecurity Strategy and Implementation Plan ............................................................................ 54
Executive Order - Critical Infrastructure Cybersecurity ..................................................................... 55
Background .............................................................................................................................................. 55
Summary of the Key Provisions ................................................................................................................. 56
Cybersecurity Systems and Risk Reporting Act ................................................................................. 58
V. Cybersecurity Standards ............................................................................................. 62
ISO/IEC 27001:2013......................................................................................................................... 62
NIST Cybersecurity Framework ........................................................................................................ 64
CIS Critical Security Controls ............................................................................................................ 64
ETSI − ICT Standards ........................................................................................................................ 65
Review Questions - Section 2 .......................................................................................................... 67
VI. SEC Enforcement Action ........................................................................................... 68
SEC Cybersecurity Initiative ............................................................................................................. 69
Background .............................................................................................................................................. 69
Cybersecurity Examination Sweep Summary ............................................................................................. 70
Areas of Focus for Cybersecurity Examinations .......................................................................................... 72
Cybersecurity Guidance No. 2015-02 ............................................................................................... 74
Risk Mitigation ......................................................................................................................................... 74
Prevention, Detection, and Response to Threats ....................................................................................... 75
Policies and Procedures and Training ........................................................................................................ 75
Cybersecurity Disclosure Obligations ............................................................................................... 76
Background .............................................................................................................................................. 76
An Overview of CF Disclosure Guidance − Topic No. 2................................................................................ 76
Review Questions - Section 3 .......................................................................................................... 81
VII. Cybersecurity Risk Management........................................................................... 82
Recognize Threats and Vulnerabilities ............................................................................................. 83
The Cyber Criminal Profile ........................................................................................................................ 83
The Cybersecurity Threats ........................................................................................................................ 89
Understand Cyber Risks .................................................................................................................. 92
Review Questions - Section 4 .......................................................................................................... 94
Define Cyber Risk Roles and Responsibilities ................................................................................... 95
Detect and Respond to Cyberattacks ............................................................................................... 95
Detection ................................................................................................................................................. 95
Response ................................................................................................................................................. 98
Recover from Cyberattacks ............................................................................................................. 99
Review Questions - Section 5 ........................................................................................................ 103
VIII. Changes to Internal Audit ...................................................................................... 104
Maximize the Internal Audit Values ............................................................................................... 104
Identify IIA Standards Related to Cybersecurity ............................................................................. 107
Review Questions - Section 6 ........................................................................................................ 111
Appendix A: Disclosing Risk Factors ............................................................................ 112
Appendix B: Data Breach Disclosure ............................................................................ 114
Appendix C: Financial Statement Disclosure ............................................................. 115
Appendix D: Forward Looking Statements Disclosure .......................................... 117
Glossary .................................................................................................................................. 118
Index ........................................................................................................................................ 120
Solutions to Review Questions ....................................................................................... 122
Section 1 ....................................................................................................................................... 122
Section 2 ....................................................................................................................................... 124
Section 3 ....................................................................................................................................... 125
Section 4 ....................................................................................................................................... 127
Section 5 ....................................................................................................................................... 129
Section 6 ....................................................................................................................................... 130
Learning Objectives
Upon completion of this course, students will be able to:
• Recognize concepts used in the cybersecurity world
• Identify trends such as cyber threats and their evolution
• Identify cyber challenges, including issues related to cyber engagement
• Recognize government acts to address potential cybersecurity risks threatening the nation, businesses, and
individuals
• Recognize cybersecurity standards, including ISO/IEC 27001 and other standards
• Identify SEC regulatory cybersecurity expectations, including public companies’ disclosure requirements
• Recognize elements of effective cybersecurity risk management, such as threats and vulnerability awareness,
and the understanding of cyber risks
• Identify the leading practices in the fight against cyber threats
• Recognize the evolution of the internal audit function
Course Introduction
This course includes the following sections:
I. The Basis of Fraud
II. Trends in the Cyber World
III. Challenges in the Cyber World
IV. Government Acts to Enhance Cybersecurity
V. Cybersecurity Standards
VI. SEC Enforcement Action
VII. Cybersecurity Risk Management
VIII. Change to Internal Audit
Cybercrime continues to escalate, ranking as one of the most reported economic crimes in the U.S. The
interconnectivity of people, devices and organizations in today’s digital world opens up a whole new playing field
of vulnerabilities and access points where cybercriminals can enter. The actual and potential threats organizations
consider in their risk analyses are generally only a subset of the risks that can impact them. All too often events
occur that come from completely unexpected and unforeseen threat factors, which can have a significant effect.
The origin of the word “cyber”, the meaning of a cyber environment, and the impact of increased connectivity are
discussed in the “The Basis of Fraud” section.
Industry 4.0 is no longer a “future” trend - for many companies, it is now at the heart of their strategic and research
agenda. Companies are combining advanced connectivity and automation, cloud computing, sensors, and 3D
printing, connected capability, computer-powered processes, intelligent algorithms, and services to transform
their businesses. Digital technology continues to transform and disrupt the world of business, exposing
organizations to both opportunities and threats. Cyber trends, such as the Internet of Things, the cybersecurity
framework adoption, the cybersecurity job market, and the evolution of threats, are discussed in the “Trends in
the Cyber World” section.
Cyberattacks are becoming more destructive globally. In today’s cybercrime environment, the issue is not
whether a business will be compromised, but rather how successful an attack will be. According to International
Data Group’s (IDG’s) 2017 US State of Cybercrime Survey, over half (61%) of all company boards view cybersecurity
as an IT risk, while 43% see cybersecurity through the lens of corporate governance. Too many organizations
have assigned the responsibility for first response to cyberattacks to their IT teams, ignoring the need for adequate
support from senior management and other key players. However, even with so much at risk, C-level executives
and boards are still reluctant to tackle cybersecurity issues. Cybersecurity has graduated from an IT risk to a
strategic business risk. As such, it should be addressed regularly by organizations’ boards of directors. Boards and
audit committees must, therefore, be kept up to date on the state of technologies used in their organizations.
Related challenges, such as promoting effective leadership engagement and the approach to managing cyber risks,
are discussed in the “Challenges in the Cyber World” section.
The nation increasingly relies on the internet to conduct business with all levels of government, from applying for
student loans to running systems that provide power to homes and ensuring that water is safe to drink. The
security of the nation’s critical infrastructures has become a top priority for the government. Cybersecurity
legislation has been a topic of interest on Capitol Hill for a number of years, as Congress has spent the last decade
addressing our nation’s cybersecurity posture. Examples of government’s efforts to address potential
cybersecurity risks threatening the nation, businesses, and individuals are discussed in the “Government Acts to
Enhance Cybersecurity” section.
Cybersecurity standards are published materials that attempt to protect the operating environment of a user or
organization by reducing risk and preventing or mitigating cyberattacks. The published materials consist of tools,
policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best
practices, and technologies. Highlights of widely recognized cybersecurity standards, such as ISO/IEC 27001:2013,
NIST Framework, and Critical Security Controls, are discussed in the “Cybersecurity Standards” section.
As the financial industry is increasingly targeted by cyberattacks, the ability to prevent, detect, respond and
recover from cyberattacks has become a growing concern to consumers and regulators. The Securities and
Exchange Commission (SEC) demonstrated an escalating focus on cybersecurity issues by releasing cybersecurity
guidelines, enforcing public companies’ disclosure obligations, conducting a series of examinations of broker-
dealers and investment advisers, and placing cybersecurity as the top concern on its examination priorities list.
Companies must disclose the risks associated with cyberattacks that may have a material effect on their financials
in their public filings. Critical areas to meet SEC’s expectations as well as an overview of SEC cybersecurity
guidance are discussed in the “SEC Enforcement Action” section.
Cyber risks must be identified, understood, quantified and planned for in the same way as any other potential
business threat or disruption. They should be viewed as one might view a natural disaster, with a response plan,
roles and responsibilities, monitoring, and scenario planning. Key elements of an effective cybersecurity risk
management strategy, including threats and vulnerabilities awareness, understanding of cyber risks,
implementation of an effective framework, detection of and response to cyberattacks, are discussed in the
“Cybersecurity Risk Management” section.
An effective internal audit function has an enterprise-wide perspective to help businesses anticipate, withstand,
and recover from a cyberattack. It also functions as an independent assurance provider, analyzing and testing to
identify the organization’s cybersecurity strengths and weaknesses and improve capabilities. Therefore, a
knowledgeable and effective internal audit function is critical to address the risks associated with digital
transformation, mobile technology, and ongoing regulatory changes. An overview of internal audit’s evolution is
included in the “Change to Internal Audit” section.
I. The Basis of Fraud
Definition of Fraud
Fraud is a broad term that refers to a variety of offenses involving dishonest or fraudulent acts. The purpose of
fraud may be monetary or other gain. Consequently, fraud includes any intentional or deliberate act to deprive
another of property or money by deception or other unfair means. Many professional organizations have defined
fraud (see examples below). It is important to adopt the most appropriate definition when performing a fraud
risk assessment.
Definitions of Fraud by Source

Source: Generally Accepted Government Auditing Standards (GAGAS)
Description: Fraud involves obtaining something of value through willful misrepresentation. (Whether an act is in fact fraud is a determination to be made through the judicial or other adjudicative system and is beyond an auditor’s professional responsibility.)

Source: Generally Accepted Auditing Standards (GAAS)
Description:
• Fraud: An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception that results in a material misstatement in financial statements that are the subject of an audit.
  o Fraud Risk Factors: Events or conditions that indicate an incentive or pressure to perpetrate fraud, provide an opportunity to commit fraud, or indicate attitudes or rationalizations to justify a fraudulent action.

Source: The Association of Certified Fraud Examiners (ACFE)
Description:
• Fraud: Any intentional act or omission designed to deceive others and resulting in the victim suffering a loss and/or the perpetrator achieving a gain.
• Occupational Fraud: The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.

Source: International Professional Practices Framework (IPPF)
Description: Any illegal acts characterized by deceit, concealment, or violation of trust. These acts are not dependent on the threat of violence or physical force. Fraud is perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure a personal or business advantage.
Conditions of Fraud
The Fraud Triangle
In 1950, Donald R. Cressey, a criminologist, examined why people commit fraud. This resulted in the development
of the ‘Fraud Triangle’, which is the most widely accepted model used to explain why people commit fraud. For
fraud to occur, three elements must be present, according to Cressey: opportunity, pressure, and rationalization.
Although organizations have limited control over a fraudster’s pressure and rationalization, proactive steps can
be taken to significantly reduce the opportunities to commit fraud.
According to the PricewaterhouseCoopers (PwC) Global Economic Crime Survey 2018, nearly six in ten
organizations believe that ‘opportunity’ is the main driver of internal economic crime. This far outweighs ‘pressure
to perform’ and ‘rationalization to justify the crime’. The survey also indicated that a large majority favor stronger
control environments as a means of reducing the opportunity.
Figure: What makes an employee commit fraud? (Source: PwC Global Economic Crime and Fraud Survey 2018)
Opportunity/ability to commit the crime: 59% (2018), 69% (2016)
Pressure to perform: 21% (2018), 14% (2016)
Rationalization to justify the crime: 11% (2018), 11% (2016)

Figure: The Fraud Triangle (developed by Donald R. Cressey)
Pressure/Incentive: the motive to commit fraud
Opportunity: the ability to commit fraud
Rationalization: the justification to commit fraud
Each element is discussed in the following sections.
Pressure (Incentive)
Pressure (incentive) is what causes a person to commit fraud. In simpler terms, motivation is typically based on
greed or need. Although many people are faced with the opportunity to commit fraud, only a minority of greedy
or needy individuals seize this opportunity. According to the Chartered Institute of Management Accountants
(CIMA), greed is the number one cause of fraud, along with problems with debt and gambling. Personality and
temperament, including the tendency to be risk-averse, also influence people’s decisions. In some cases, honest
individuals fall into negative behavior patterns and develop expensive tastes, which in turn tempt them to commit
fraud. Others are motivated when faced with personal and/or professional obstacles. The Association of Certified
Fraud Examiners (ACFE) lists the following examples of pressures that commonly lead to fraud:
• Living beyond one’s means
• High bills or personal debt
• Personal financial losses
• Family or peer pressure
• Unexpected financial needs
• Substance abuse or addictions
• Need to meet productivity targets at work
The Public Company Accounting Oversight Board (PCAOB) specifies that an individual may have incentives to
manipulate earnings when any of the following four conditions occur:
1. Financial stability or profitability is threatened by economic, industry, or company operating conditions
(e.g. high degree of competition, operating losses, and significant declines in demand)
2. Excessive pressure exists for management to meet the requirements or expectations of third parties (e.g.
shareholders, analysts)
3. The information available indicates that management or the board of directors' personal financial
situation is threatened by the company’s financial performance
4. There is excessive pressure on management or operating personnel to meet financial targets set up by
the board of directors or management, including sales or profitability incentive goals
Opportunity
Opportunity is the ability to commit fraud or to conceal it. Thus, fraud is more likely in an organization where the
following factors are present:
1. Weak internal controls;
2. Poor security over assets;
3. Weak ethical culture;
4. Little fear of exposure and likelihood of detection;
5. Lack of consequences for perpetrators;
6. Ineffective anti-fraud programs;
7. Poor supervision and lack of training;
8. Unclear policies regarding acceptable behavior;
9. Lack of financial expertise (e.g. insufficient knowledge or lack of ability).
Various surveys conclude that deficiency in internal control is usually a significant factor for organizations
victimized by fraud. A failure to establish adequate controls to detect fraudulent activity will increase the
opportunities for, and the likelihood of, fraud. As demonstrated by KPMG International’s Global Profiles of the
Fraudster 2016, a weak internal control system is a significant issue for organizations victimized by fraud.
Compared to 2013, 2016 showed a large increase (from 18% to 27%) in the number of fraudsters who committed
their acts because an opportunity presented itself due to lacking or weak controls. Specifically, the majority (62%)
of fraudsters surveyed by KPMG indicated that weak internal controls were a contributing factor in allowing the
fraud to occur and go undetected. The 2018 PwC Global Economic Crime Survey is consistent with KPMG’s findings:
it indicates that opportunity or the ability to commit fraud was the factor that contributed most (at a rate of
59%) to economic crime in public sector entities.
Figure: Factors Contributing to the Facilitation of the Fraud (Source: KPMG International Global Profiles of the Fraudster 2016)
Weak internal controls: 62%
Reckless dishonesty regardless of controls: 22%
Collusion circumventing good controls: 11%
Other: 5%
Although it is often a challenge to spot, opportunity is fairly easy to control through improvements to internal
controls and adequate changes to policies and procedures. It is essential that organizations establish processes,
procedures, and controls that do not give employees access that allows them to commit fraud. For example, an
employee may see an opportunity to write a check payable to himself/herself if he/she has access to blank checks.
However, the fraudulent check would likely be identified during the bank statement reconciliation process,
resulting in the employee being caught. If the control environment is weak, and adequate segregation of duties
is not in place (e.g. the same employee has access to blank checks and reconciles the company’s bank statements),
the employee has an increased opportunity to commit fraud.
Although financial audits serve a key role in corporate governance, the Association of Certified Fraud Examiners
(ACFE) advises that “they should not be relied upon as organizations’ primary anti-fraud mechanism.” Many
people mistakenly assume that their annual financial statement audits provide sufficient coverage to detect and
deter fraud among their employees. It is important to understand that opportunity often occurs when the
fraudster knows the timing, nature, and extent of the auditor’s procedures. For example, if an employee knows
that the auditor always tests large transactions occurring in June, he/she can commit fraud on smaller transactions
in other months. By comparison, a surprise audit more closely examines the company’s internal controls that are
intended to prevent and detect fraud. According to the ACFE study, data monitoring and analysis and surprise
audits were correlated with the most significant reductions in fraud duration, and these two controls were also
associated with some of the largest loss reductions.
Rationalization
Rationalization is the process of justifying a crime in order to make the crime acceptable. It must occur before the
crime takes place. Rationalization is usually detected by observing the fraudster’s comments or attitudes. In
general, people rationalize fraudulent actions as:
• Necessary − especially when it is done for the business
• Harmless − because the victim is large enough to absorb the impact
• Justified − because the victim deserved it or because the perpetrator or someone they knew was mistreated
According to the Naval Sea Systems Command Office of Inspector General, there are two aspects of
rationalization:
1. The fraudster concludes that the gain to be realized from fraudulent activities outweighs the possibility of
detection, and
2. The fraudster needs to justify committing the fraud. Justification usually relates to job dissatisfaction or
perceived entitlement or saving one’s family, possessions, or status.
The ACFE identified the following common excuses given by fraudsters to explain their corrupt conduct:
• Everyone else does it.
• We have always done it.
• It was the only way we could compete.
• We thought our anti-corruption programs were sufficient, so it must have been OK.
• We did not know the conduct would be considered a bribe.
• It was not a bribe; it was part of conducting business.
• Bribery is part of the culture in the country.
The PCAOB identifies the following risk factors related to attitudes and rationalization that justify fraudulent
behavior:
• Inappropriate ethical standards
• Excessive participation by nonfinancial management in the selection of accounting standards
• A history of legal and regulatory violations by management or board members
• Obsessive attention to the stock price or earnings trend
• Aggressive commitments to third parties
• Failure to correct known compliance problems
• Minimizing earnings inappropriately for tax reporting
• Continued use of materiality to justify inappropriate accounting
• A strained relationship with the current or previous auditor
However, management may reduce rationalization through its actions by implementing fair work and pay
practices, as well as equitable and consistent treatment of employees, and the right tone at the top.
The following case studies from the Department of Defense (DoD) highlight the presence of motivation,
opportunity, and rationalization in each fraud scheme.
Case Study
Case Study #1: Disclosure of Information
Case Facts − A DoD employee responsible for assisting the contracting officer with funding, performance, and technical issues relating to a DoD program admitted to Federal investigators that he disclosed contractor bid and source selection information to a company bidding on a new contract. The employee gave the company this information so they would have a competitive advantage during contract bidding.
Motivation − In exchange for the information, the company provided the employee with a new car.
Opportunity − The contracting officer was overwhelmed with his workload and paid little attention to contract awards less than $3 million.
Rationalization − The employee had been passed over for promotion several times and believed he was mistreated and not valued by DoD.
Outcome − The employee was prosecuted in Federal court and received a maximum sentence of 20 years in prison and a fine of $250,000.
Case Study #2: Trafficking Counterfeit Parts and Money Laundering
Case Facts − During a 5-year period, a DoD parts supplier purchased counterfeit semiconductors from sources in Hong Kong and China. The individual went to great lengths to conceal the true origin of the parts and sold them as legitimate and reliable components for use in submarines and other complex machinery.
Motivation − The supplier was motivated by money. Through the sale of about 14,000 counterfeit parts, they were paid several million dollars.
Opportunity − Counterfeit parts are difficult to detect once they enter the DoD supply chain. Globalization of the supply chain has resulted in many suppliers receiving goods from second- and third-tier suppliers. Quality assurance tests may not detect all counterfeit parts because manufacturers are skilled at making parts appear authentic.
Rationalization − Because the scheme was successful over time, the fraudsters believed their chances of getting caught were minimal or nonexistent.
Outcome − The fraudsters were indicted on eight counts that included conspiring to traffic in counterfeit military goods, trafficking in counterfeit goods, and conspiring to commit wire fraud and money laundering. When convicted, they were sentenced to 75 years in federal prison.
Source: Department of Defense Inspector General − Approach for Establishing Fraud Risk Assessment Programs and Conducting Fraud Audit Risk Assessment within the Department of Defense
The Fraud Diamond
Although Cressey’s classic Fraud Triangle applies to most fraud cases, it does not explain all situations. There have
been significant social changes since Cressey’s study in the 1950s. For example, corporations have evolved to rely
heavily on global partnerships and outsourcing. The corporate ladder structure, common in the 1950s, has been
replaced with matrix organizations in which individuals have authority across the organization. CFOs are under
more pressure to deliver fast and reliable reporting to management and stakeholders. This shift might have
prompted CFOs and their financial teams to use aggressive accounting and reporting practices.
Social Changes: Then & Now
1950s                                  2000s
Straight-line reporting authority      Matrixed organizations
Manual processes                       Automation
Dual responsibility                    Autonomous authority
Single suppliers                       Multiple vendors and global trading partners
Local or regional service area         Global reach
Step-up salary structure               Performance-based pay
Source: Crowe Horwath LLP
Inevitably, the Fraud Triangle had to be enhanced to help organizations better understand and respond to fraud
risks. Many anti-fraud experts have changed it by incorporating the element of “capability” because personal traits
and abilities play a major role in whether fraud will actually occur. This fourth element transforms Cressey’s model
from a triangle into a diamond:
According to David Wolfe and Dana Hermanson, The Fraud Diamond: Considering the Four Elements of Fraud,
“Opportunity opens the doorway to fraud, and incentive and rationalization can draw the person toward it. But
the person must have the capability to recognize the open doorway as an opportunity and to take advantage of it
by walking through, not just once, but time and time again. Accordingly, the critical question is, who could turn
an opportunity for fraud into reality?” Wolfe and Hermanson observed the following six traits common to people who
commit fraud, especially frauds that involve large sums of money or last a long time:
[Figure: The Fraud Diamond − Pressure/Incentive, Opportunity, Capability, Rationalization. Developed by Wolfe and
Hermanson]
Common Traits Associated with the Capability Element
Functional Authority within the Organization − The person’s position or function might provide the ability to create or exploit an opportunity to commit fraud. For example, a person in a position of authority has more influence over particular situations and has greater capability to commit fraud.
Sufficient Intelligence to Understand and Exploit a Situation − The person has the capacity to understand and exploit control weaknesses and to use position or authorized access to their greatest advantage.
Strong Ego and Personal Confidence − The person is confident that he will not be caught or believes that if he is caught, he can talk his way out of trouble. Common personality types include someone who is driven to succeed at all costs, self-absorbed, and often narcissistic. According to the Diagnostic and Statistical Manual of Mental Disorders, people with such personality disorders believe they are superior or unique and are likely to have inflated views of their own accomplishments and abilities.
Strong Coercive Skills − The person is persuasive and can coerce others to commit or conceal fraud. An individual with a persuasive personality can successfully convince others to go along with the fraud or look the other way.
Effective at Being Deceptive − Successful fraud requires effective and consistent lies. The individual must be able to lie convincingly and keep track of the story in order to avoid detection.
High Tolerance for Stress − The person is good at dealing with the stress that comes from committing fraudulent acts.
Computer and Internet Fraud
Overview
Criminal activity involving the perpetration of fraud through the use of computers or the internet can take many
different forms. One common form includes hacking, in which a perpetrator uses sophisticated technological
tools to remotely access a secure computer or internet location. A second common criminal activity involves
illegally intercepting an electronic transmission not intended for the interceptor. This may result in the capture
of private information such as passwords or credit card information, or in other forms of identity theft.
Federal law defines computer fraud as “the use of a computer to create a dishonest misrepresentation of fact as
an attempt to induce another to do or refrain from doing something which causes loss.” There are a number of
ways that criminals create fraudulent misrepresentation:
• Alter computer input in an unauthorized way. For example, employees may embezzle company funds by
altering/manipulating input data.
• Alter or delete stored data.
• Rewrite software code and upload it into a bank’s main system to steal its users’ identities. The
criminals can use this information to make unauthorized credit card purchases.
Violators may be prosecuted under:
✓ 18 U.S.C. § 506: No Electronic Theft Act
✓ 18 U.S.C. § 1028: Identity Theft and Assumption Deterrence Act of 1998
✓ 18 U.S.C. § 1029: Fraud and Related Activity in Connection with Computers
✓ 18 U.S.C. § 1343: Wire Fraud
✓ 18 U.S.C. § 1362: Communication Lines, Stations, or Systems
✓ 18 U.S.C. § 2511: Interception and Disclosure of Wire, Oral, or Electronic Communications Prohibited
✓ 18 U.S.C. § 2701: Unlawful Access to Stored Communications
✓ 18 U.S.C. § 2702: Disclosure of Contents
✓ 18 U.S.C. § 2703: Requirements for Government Access
The Concept of the Cyber World
Cyberspace, the globally interconnected digital information and communications infrastructure, supports almost
every facet of modern society and provides critical support for the economy, civil infrastructure, public safety,
and national security. The evolution of technology has transformed the global economy and connected people in
ways never imagined. Meanwhile, cybersecurity risks pose some of the most serious economic and national
security challenges of the 21st century.
The word cyber is a prefix used to describe a person, thing, or idea as part of the computer and information age.
It originates from the Greek verb “kybereo”, which means to steer, guide, and control. It was first used in
cybernetics by Norbert Wiener, an American mathematician, to describe computerized control systems in 1948.
Cyber can mean “computer”, “computer network”, or “virtual reality”, and by extension it has come to express a
vision of the future. The prefix cyber is often seen in conjunction with computers and robots. Some of the most
common words that use the cyber prefix include cybercrime, cyber fraud, cybersecurity, and cyberattack. Each word
is defined in the following table.
The Cyber World
Cyberattack − Any type of offensive maneuver employed by individuals or whole organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts. It usually originates from an anonymous source that either steals, alters, or destroys a specified target by hacking into a susceptible system.
Cybercrime − Involves any criminal act dealing with computers and networks, and traditional crimes conducted through the internet, such as hate crimes, telemarketing and internet fraud, and identity theft.
Cyber Forensics − A branch of digital forensic science that pertains to evidence found in computers and digital storage media in order to provide a conclusive description of cybercrime.
Cyber Fraud − When credit and financial information is stolen online by a hacker and used in a criminal manner.
Cyberlaw − A term that encapsulates the legal issues related to the use of the internet and computer offenses, especially fraud or copyright infringement.
Cybersecurity − The body of technologies, processes, and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
Cyberspace − The interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors as well as controllers in critical industries. Common usage of the term also refers to the virtual environment of information and the digital interactions between people.
Cyber Threat − The possibility of a malicious attempt to damage or disrupt a computer network or system.
The cyber environment includes users themselves, networks, devices, software, processes, information in storage
or transit, applications, services, and systems that can be connected directly or indirectly to networks.
Cyberspace touches practically everything and everyone. It includes users, networks, devices, software,
processes, data in storage or in transit, applications, services, and systems that can be connected directly or
indirectly to networks. Information and communication technologies are universal. The trend towards digitization
is growing, and virtually all modern services depend on the use of information technologies, including the
electrical grid, transportation, infrastructure, military services, and logistics. Advances in technology and rapid
digitization are fundamentally transforming societies, economies, and individuals’ lifestyles. For example, emails
have displaced traditional letters, online web representation has become more important for businesses than
printed publicity materials, and internet-based communication and phone services are growing faster than
landline communications.
[Figure: Cyber Environment − Users, Networks, Devices, Software, Processes, Information in Storage or Transit,
Applications, Services, Systems]
Exhibit A highlights the market forces, the changing threat landscape, and the impact of growing connected
technology in cyberspace.
Exhibit A: Cyber World at a Glance
Market Force
➢ According to Statista, worldwide mobile payment revenue will reach $1 trillion in 2019
➢ By the year 2020, 85% of business relationships will be managed without human interaction
➢ By the year 2020, 44 zettabytes of data will be created by 7 billion people and more than 50 billion devices
will be connected to the internet
➢ Mobile phones will be used for 80% of all internet access in 2019, as reported by Zenith, a media agency
➢ The cyber insurance market is currently estimated to be worth around $2 billion in premiums worldwide,
with US business accounting for approximately 90%. The cyber insurance market is expected to grow by
double-digit figures year-on-year and could reach more than $20 billion in the next 10 years
The Ever-Changing Threat Landscape
➢ The increasing interconnectivity (e.g., the Internet of Things) and “commercialization” of cybercrime drive greater frequency and severity of incidents, including data breaches
➢ The pressure to disclose breaches and threat responses in a timely manner will intensify
➢ Business interruption, intellectual property theft, cyber extortion attacks, and ransomware attempts will increase
➢ Organizations are putting more data in the cloud and with third parties; this is attractive but dangerous, bringing loss of control, increased threats, and unexpected connectivity
The Impact of Widespread Use of Connected Technology
➢ Any system’s security almost certainly will be breached, and attention is shifting to the issue of how to recover from the intrusion and limit both the financial fallout and reputation damage that follow
➢ A recent study indicates that almost three in ten organizations are unlikely to detect a sophisticated cyberattack
➢ Cybersecurity Ventures projected that cybercrime is expected to cause damage of over $6 trillion annually by 2021
➢ Data protection legislation will toughen globally. More notifications and significant fines for data breaches in the future can be expected
➢ BYOD (Bring Your Own Device), the practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes, is having a fundamental impact on IT security frameworks
➢ Organizations must adopt a cybersecurity framework either as a best-practices initiative or to fulfill a contractual or regulatory requirement
➢ The evolution of internal audit functions is critical to address the risks associated with digital transformation, mobile technology, and ongoing regulatory changes
Types of Cyber Fraud
Instances of cyber fraud have become a real threat in modern society because they can be single-handedly
committed and do not require the physical presence of the criminals. These instances of fraud can be committed
from a remote location, and the criminals may not worry about the law enforcement agencies in the country
where they are committing the crimes. Wherever the rate of return on investment is high and the risk is low, we
can always find people willing to take advantage of the situation. This is exactly what happens with cyber fraud.
Catching cybercriminals is difficult. As a result, cyber fraud across the world has continued to rise. The most
common types of cyber fraud are explained below:
Business Email Compromise
The evolving nature of cybercrime presents a unique set of challenges because crimes often overlap jurisdictional
boundaries and perpetrators can attack from anywhere. Business email compromise (BEC) is a sophisticated scam
targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer
payments. BEC involves taking over an email account or spoofing an email address in order to initiate theft via
unauthorized ACH or wire transfers. In 2018, the FBI received 20,373 BEC/E-mail Account Compromise (EAC)
complaints with adjusted losses of about $1.3 billion. EAC is a sophisticated scam targeting individuals performing
wire transfer payments. The following table summarizes crime types by victim loss reported to the FBI in 2018.
2018 Crime Types by Victim Loss
Crime Type                              Loss
BEC/EAC                                 $1,297,803,489
Confidence Fraud/Romance                $362,500,761
Investment                              $252,955,320
Non-Payment/Non-Delivery                $183,826,809
Real Estate/Rental                      $149,458,114
Personal Data Breach                    $148,892,403
Corporate Data Breach                   $117,711,989
Identity Theft                          $100,429,691
Advanced Fee                            $92,271,682
Credit Card Fraud                       $88,991,436
Extortion                               $83,357,901
Spoofing                                $70,000,248
Government Impersonation                $64,211,765
Other                                   $63,126,929
Lottery/Sweepstakes                     $60,214,814
Overpayment                             $53,225,507
Phishing/Vishing/Smishing/Pharming      $48,241,748
Employment                              $45,487,120
Tech Support                            $38,697,026
Harassment/Threats of Violence          $21,903,829
Misrepresentation                       $20,000,713
IPR/Copyright and Counterfeit           $15,802,011
Civil Matter                            $15,172,692
Malware/Scareware/Virus                 $7,411,651
Health Care Related                     $4,474,792
Ransomware                              $3,621,857
Denial of Service/TDoS                  $2,052,340
Re-Shipping                             $1,684,179
Charity                                 $1,006,379
Gambling                                $926,953
Crimes Against Children                 $265,996
Hacktivist                              $77,612
Terrorism                               $10,193
No Lead Value                           $0.00
Source: FBI - 2018 Internet Crime Report
BEC scams usually target a company’s senior executives and senior employees who are authorized to transfer
payments. The scam is carried out to conduct unauthorized transfers of funds. Common BEC methods include
spoofed emails to employees, allegedly from senior executives (e.g., CEO, CFO) or a vendor, that:
• Request an emergency wire transfer
• Refer to a “confidential deal” and direct an employee to contact an outside “attorney” for further
instruction
• Request a change to the vendor’s address and payment information in the system
Attackers often research their target’s schedule, waiting until the target is traveling or otherwise unavailable for
immediate verification. Someone from the accounting team recognizes the CFO’s email address and carries out
the wire instructions, unaware that the email did not legitimately come from the CFO. The funds are then received
by an account under the control of the hacker. Despite the large impact of BEC schemes, recognizing many of the
attacks is fairly easy. For example, the email subjects used in BEC schemes are simple and vague, at times
composed only of one word such as:
• Request For
• Transfer
• Request
• Urgent
• Transfer Request
BEC continues to evolve. Victims have reported being contacted by subjects posing as lawyers or law firms
instructing them to make secret or time-sensitive wire transfers. Public and private companies of all sizes have
been affected by this type of scam. Companies with international business dealings are frequently targeted
because transfers to overseas banks would not be out of the ordinary. The scam is carried out by compromising
legitimate business email accounts through social engineering or computer intrusion techniques to conduct
unauthorized transfers of funds. These fraudulent transfers have gone through accounts in many countries, with
a large majority traveling through Asia.
Prevention is critical since recouping stolen cash is rare. Once funds have been wired, recovering the stolen funds
may be possible if the scam is detected within the first 24 to 48 hours, but only with the help of law enforcement.
The following controls can help stop these scams:
1. IT controls can prevent and detect fraudulent activities by keeping the scammer out of the system
2. Treasury controls that require multiple approvals of wire transfers
3. Purchasing controls to validate the setup of vendor accounts and changes in vendor payment information
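The purchasing and treasury controls above can be backed by the kind of continuous data monitoring that the ACFE study associates with shorter fraud duration. The following Python script is an added illustration and is not part of the course material: it runs three detection rules over a small constructed vendor-change log and payment log, flagging payments made soon after a vendor’s bank details changed, wires released with fewer approvals than policy requires, and same-day payments to one vendor that sit just under the approval threshold. The vendor names, amounts, the ten-day lookback window, the two-approver rule and the $10,000 threshold are all assumed values chosen for the example.

```python
"""Continuous-monitoring rules for BEC-style payment fraud (added example).

Runs three detection rules over a constructed vendor-master change log and
payment log. All names, amounts and policy parameters are assumptions made
for this illustration, not values from any real accounting system.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VendorChange:
    vendor: str
    changed_on: date
    field: str          # e.g. "bank_account" or "address"
    changed_by: str


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    paid_on: date
    amount: float
    method: str         # "wire" or "check"
    approvals: int      # number of distinct approvers recorded on the payment


# Constructed sample data (hypothetical vendors and amounts).
VENDOR_CHANGES = [
    VendorChange("Acme Supply", date(2019, 3, 1), "bank_account", "ap_clerk1"),
    VendorChange("Globex Ltd", date(2019, 1, 15), "address", "ap_clerk2"),
]
PAYMENTS = [
    Payment("P-1001", "Acme Supply", date(2019, 3, 3), 48_500.00, "wire", 1),
    Payment("P-1002", "Globex Ltd", date(2019, 3, 4), 12_000.00, "check", 2),
    Payment("P-1003", "Initech", date(2019, 3, 5), 9_950.00, "wire", 2),
    Payment("P-1004", "Initech", date(2019, 3, 5), 9_975.00, "wire", 2),
    Payment("P-1005", "Acme Supply", date(2019, 3, 20), 5_000.00, "wire", 2),
]

# Policy parameters (assumed values for the example).
CHANGE_WINDOW_DAYS = 10          # days after a bank-detail change during which payments are reviewed
REQUIRED_WIRE_APPROVALS = 2      # treasury control: wires need two approvers
APPROVAL_THRESHOLD = 10_000.00   # amount at which a second approval is required
NEAR_THRESHOLD_BAND = 0.05       # "just under" means within 5% below the threshold


def payments_after_bank_change(payments, changes, window_days=CHANGE_WINDOW_DAYS):
    """Rule 1: a payment to a vendor within `window_days` after its bank account changed.
    Returns (payment_id, change date, days between change and payment)."""
    hits = []
    for p in payments:
        for c in changes:
            if c.vendor == p.vendor and c.field == "bank_account":
                delta = (p.paid_on - c.changed_on).days
                if 0 <= delta <= window_days:
                    hits.append((p.payment_id, c.changed_on, delta))
    return hits


def under_approved_wires(payments, required=REQUIRED_WIRE_APPROVALS):
    """Rule 2: wires released with fewer distinct approvals than policy requires."""
    return [p.payment_id for p in payments if p.method == "wire" and p.approvals < required]


def near_threshold_payments(payments, threshold=APPROVAL_THRESHOLD, band=NEAR_THRESHOLD_BAND):
    """Rule 3: two or more same-day payments to one vendor, each just under the
    approval threshold, which is the pattern of an invoice split to avoid a second approver."""
    by_key = {}
    for p in payments:
        if threshold * (1 - band) <= p.amount < threshold:
            by_key.setdefault((p.vendor, p.paid_on), []).append(p.payment_id)
    return {k: v for k, v in by_key.items() if len(v) >= 2}


def run_all(payments=PAYMENTS, changes=VENDOR_CHANGES):
    """Run every rule and return the findings keyed by rule name."""
    return {
        "paid_soon_after_bank_change": payments_after_bank_change(payments, changes),
        "under_approved_wires": under_approved_wires(payments),
        "split_under_threshold": near_threshold_payments(payments),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

On the constructed data the first rule flags P-1001 (paid two days after Acme Supply’s bank account changed), the second flags the same wire for having one approver, and the third pairs P-1003 and P-1004 as a possible split invoice. In practice the rules would read the vendor master and payment journal exports rather than inline lists, and each hit would go to someone independent of accounts payable for review.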
It is critical to have a culture that encourages a questioning mindset, especially when it comes to unusual or
unexpected requests from executives. Encouraging or requiring the recipient of a wire transfer request to confirm
its validity via phone can go a long way toward protecting the company’s assets. Therefore, promoting employee
security awareness can prevent an organization from being a victim of such crime. Employees should be trained
to:
• Be wary of irregular email requests from C-suite executives because they are frequently used to trick
employees into acting with urgency.
• Always examine email headers, domain names in the “from” field of the email, and the “reply-to” field of
emails. For more suspicious emails, employees should request help from the IT department.
• Do not open links within the email right away. Examine the links by hovering over the link with the mouse
cursor to expose the web address. If a suspicious address is revealed, further investigation/authentication
must be conducted before initiating the wire transfer.
• Question strange payment requests via email. Examples of these anomalies include requests received at
odd hours, international wires, or unusual payment amounts. Companies should require telephone call-
backs to confirm the authenticity of higher-risk transactions. Always use known phone numbers rather
than the number provided in the email request.
• Report the incident immediately to the appropriate level of management and law enforcement if you
suspect that you are being targeted by a BEC email.
The FBI issued the following tips for BEC victims:
1. Contact the originating Financial Institution as soon as fraud is recognized to request a recall or reversal
as well as a Hold Harmless Letter or Letter of Indemnity.
2. File a detailed complaint with www.ic3.gov. It is vital that the complaint contains all required data in the
provided fields, including banking information.
3. Visit www.ic3.gov for updated public service announcements (PSAs) regarding BEC trends as well as other
fraud schemes targeting specific populations (real estate, pre-paid cards, W-2, etc.).
4. Never make any payment changes without verifying with the intended recipient; verify email addresses
are accurate when checking mail on a cell phone or other mobile device.
Real-World Case: Infront Consulting Group Inc.
The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016
The chief financial officer for Infront Consulting Group Inc., based in Toronto and Las Vegas, received an email
that appeared to come from the company’s chief executive, instructing her to “process a payment of $169,705.00
USD.” Attached wire transfer instructions directed that payment be made to an investment brokerage in Naples,
Florida.
The scheme failed only because the Infront CEO, by coincidence, called the CFO as she was reviewing the request.
When she asked what the money was for, the CEO said he knew nothing about it. Further scrutiny revealed that
the email was sent from an address similar to the company’s, but that lacked the letter “I” in “consulting.”
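The header, domain and link checks in the training list above, and the dropped-letter sender domain in the Infront case, can be automated as a first-pass triage of incoming payment requests. The following Python script is an added example, not from the course or the IIROC guide: it parses a constructed message with the standard library and reports the red flags it finds, comparing the From and Reply-To domains, looking for sender domains within a couple of edits of the company’s real domain, matching the terse subject lines listed earlier, and flagging links whose visible text differs from their real destination. The trusted domain example-consulting.com, the sender and reply-to addresses, and the link targets are all constructed for the illustration.

```python
"""First-pass BEC triage of an inbound wire-request e-mail (added example).

Parses a constructed raw message with the standard library and applies the
checks described in the training list. The trusted domain, addresses and
link targets are assumptions made for this illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the example: the company's real domain and the terse
# subject lines the course lists as typical of BEC.
TRUSTED_DOMAINS = {"example-consulting.com"}
BEC_SUBJECTS = {"request for", "transfer", "request", "urgent", "transfer request"}

# Constructed sample message: the sender domain drops one letter, the
# reply-to points elsewhere, and the link text hides its real destination.
RAW_EMAIL = """\
From: "Pat CEO" <ceo@example-consultng.com>
Reply-To: ceo.office@mail-relay.example.net
To: cfo@example-consulting.com
Subject: Urgent
Content-Type: text/html

<p>Please process a payment today. Instructions here:
<a href="http://203.0.113.5/wire">https://bank.example.com/instructions</a></p>
"""


def domain_of(header_value):
    """Return the lowercase domain of an address header, or '' if none is present."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains a typo away from a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_distance:
            return t
    return None


def mismatched_links(html):
    """Anchors whose visible text looks like a URL but points somewhere else."""
    hits = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html, re.I):
        shown = text.strip()
        if re.match(r"https?://", shown, re.I) and shown != href:
            hits.append((shown, href))
    return hits


def triage(raw=RAW_EMAIL):
    """Return the list of red flags found; an empty list means no rule fired."""
    msg = message_from_string(raw)
    flags = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from from-domain {from_dom}")
    target = lookalike_of(from_dom)
    if target:
        flags.append(f"sender domain {from_dom} looks like trusted domain {target}")
    subject = (msg["Subject"] or "").strip().lower()
    if subject in BEC_SUBJECTS:
        flags.append(f"terse subject line typical of BEC: {subject!r}")
    for shown, href in mismatched_links(msg.get_payload()):
        flags.append(f"link text {shown} hides destination {href}")
    return flags


if __name__ == "__main__":
    for flag in triage():
        print("FLAG:", flag)
```

On the constructed message all four rules fire. None of these checks replaces the telephone call-back to a known number; they only decide which requests must not be processed until that call has been made.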
Identity Theft
Identity theft is one of the most common types of cyber fraud. The term “Identity Theft” is used when a person
purports to be someone else, with an intention to act fraudulently for financial gain. It is also called Online Identity
Theft. The most common sources of identity theft are data breaches affecting governmental or federal websites.
Data breaches also occur at e-commerce websites containing sensitive and important information, such as credit
card information, addresses, email IDs, etc.
The second most common technique for stealing identity information is phishing. Most people will ignore emails
that ask for personal information. However, some phishing attacks, such as the one referred to as the Nigerian
Phishing Scam, do succeed in stealing personal or financial data by preying on naive or unsuspecting people who
fall into criminals’ traps.
Another maneuver is social engineering. This is where the criminals befriend victims in person or over the phone,
email or social media. Once they become “friends”, the criminals can easily get the information needed to
impersonate the victims. According to the Identity Theft Resource Center, there are four main types of Identity
Theft:
Types of Identity Theft
Criminal Identity Theft − A criminal will impersonate someone else, whose details he/she secured via data breaches, phishing or social engineering.
Governmental ID Theft − This is mainly related to income tax issues. The criminal (in this case, it is usually an illegal immigrant) may be working somewhere under another person’s name and identity, and he/she would not file income tax returns. However, the W-2s are being reported to the IRS, leaving the true person open to IRS inquiries about the additional income that was not reported on the tax return.
Financial Identity Theft − This is related to ID thieves taking out loans or credit cards using a victim’s information. The victim may receive a lender’s letter to find out that he/she has not repaid a loan that he/she did not take.
Medical ID Theft − This refers to ID thieves using a victim’s medical benefits at hospitals and pharmacies.
Although criminals target various types of information, the most relevant data are social security and passport
numbers, date of birth, addresses and phone numbers, and passwords. In the U.S., the social security number
(SSN) can be used to open financial accounts, take over existing financial accounts, and obtain credit or run up
debt. Date of birth, addresses, and phone numbers can be used to commit identity theft if they are combined with
other information such as the SSN. Such information is available on a large scale on the internet - either published
voluntarily in one of the various profile settings or stored for other reasons on websites.
Identity theft is a very serious issue. Losses may not only be financial; they may also include damage to reputations.
The actual incidence of identity theft is likely to far exceed the number of reported cases because many victims
do not report such crimes and financial institutions often do not wish to receive negative press.
The Federal Trade Commission revealed that up to 9 million Americans have their identities stolen each year, and
at least 534 million personal records have been compromised since 2005 through attacks on the databases of
businesses, governments, institutions, and organizations. Webroot suggests the following seven steps to
preventing identity theft online:
1. Protect your computer and smartphone with strong, up-to-date security software
2. Learn to spot spam and scams
3. Use strong passwords
4. Monitor and review credit scores
5. Place a security freeze on your credit
6. Use only reputable websites when making purchases
Following is the Federal Trade Commission’s Identity Theft Recovery Plan that can be used in the event of an
identity theft:
Identity Theft: A Recovery Plan
Federal Trade Commission www.identitytheft.gov
What To Do Right Away
Step 1: Call The Companies Where You Know Fraud Occurred.
☐ Call the fraud department. Explain that someone stole your identity.
☐ Ask them to close or freeze the accounts. Then, no one can add new charges unless you agree.
☐ Change logins, passwords, and PINs for your accounts.
You might have to contact these companies again after you have an Identity Theft Report.
Step 2: Place A Fraud Alert And Get Your Credit Reports.
☐ To place a free fraud alert, contact one of the three credit bureaus. That company must tell the other two.
• Experian.com/help 888-EXPERIAN (888-397-3742)
• TransUnion.com/credit-help 888-909-8872
• Equifax.com/personal/credit-report-services 1-800-685-1111
Get updates at IdentityTheft.gov/creditbureaucontacts
A fraud alert lasts one year. It will make it harder for someone to open new accounts in your name. You'll get a letter from each credit bureau. It will confirm that they placed a fraud alert on your file.
☐ Get your free credit reports from Equifax, Experian, and TransUnion. Go to annualcreditreport.com or call 1-877-322-8228.
Did you already order your free annual reports this year? If so, you can pay to get your report immediately. Or follow the instructions in the fraud alert confirmation letter from each credit bureau to get a free report. That might take longer.
☐ Review your reports. Make note of any account or transaction you don't recognize. This will help you report the theft to the Federal Trade Commission (FTC) and the police.
Step 3: Report Identity Theft To The FTC.
☐ Go to IdentityTheft.gov or call 1-877-438-4338. Include as many details as possible. Based on the information you enter, IdentityTheft.gov will create your Identity Theft Report and recovery plan.
• If you create an account, we'll walk you through each recovery step, update your plan as needed, track your progress, and pre-fill forms and letters for you.
• If you don't create an account, you must print and save your Identity Theft Report and recovery plan right away. Once you leave the page, you won't be able to access or update them.
Your Identity Theft Report is important because it guarantees you certain rights.
What To Do Next
Take a deep breath and begin to repair the damage.
Close New Accounts Opened In Your Name.
☐ Now that you have an Identity Theft Report, call the fraud department of each business where an account was opened.
• Explain that someone stole your identity.
• Ask the business to close the account.
• Ask the business to send you a letter confirming that:
  • the fraudulent account isn't yours
  • you aren't liable for it
  • it was removed from your credit report
• Keep this letter. Use it if the account appears on your credit report later on.
The business may require you to send them a copy of your Identity Theft Report or complete a special dispute form.
☐ Write down who you contacted and when.
Remove Bogus Charges From Your Accounts.
☐ Call the fraud department of each business.
• Explain that someone stole your identity.
• Tell them which charges are fraudulent. Ask the business to remove the charges.
• Ask the business to send you a letter confirming they removed the fraudulent charges.
• Keep this letter. Use it if this account appears on your credit report later on.
The business may require you to send them a copy of your Identity Theft Report or complete a special dispute form.
☐ Write down who you contacted and when.
Correct Your Credit Report.
☐ Write to each of the three credit bureaus.
• Include a copy of your Identity Theft Report and proof of your identity, like a copy of your driver's license or state ID.
• Explain which information on your report is fraudulent.
• Ask them to block that information.
Mail your letters to:
• TransUnion, Fraud Victim Assistance Department, P.O. Box 2000, Chester, PA 19022-2000
• Equifax, P.O. Box 105069, Atlanta, GA 30348-5069
• Experian, P.O. Box 9554, Allen, TX 75013
If someone steals your identity, you have the right to remove fraudulent information from your credit report. This is called blocking. Once the information is blocked, it won't show up on your credit report, and companies can't try to collect the debt from you. If you have an Identity Theft Report, credit bureaus must honor your request to block fraudulent information.
If you don't have an Identity Theft Report, you still can dispute incorrect information in your credit file. It can take longer, and there's no guarantee that the credit bureaus will remove the information. To dispute information without an Identity Theft Report, contact each credit bureau online or by phone.
Consider Adding An Extended Fraud Alert Or Credit Freeze.
Extended fraud alerts and credit freezes can help prevent further misuse of your personal information. There are important differences. This chart can help you decide which might be right for you.
An Extended Fraud Alert:
• Lets you have access to your credit report as long as companies take steps to verify your identity
• Free to place and remove. Available if someone stole your identity.
• Lasts for seven years
• Set it by contacting each of the three credit bureaus: report that someone stole your identity, request an extended fraud alert, and complete any necessary forms and send a copy of your Identity Theft Report
A Credit Freeze:
• Stops all access to your credit report unless you lift or remove the freeze
• Free to place and remove. Available to anyone.
• Lasts until you lift or remove it
• Set it by contacting each of the three credit bureaus.
Hacking
Hacking, as used here, is unauthorized access to a computer or network so that personal or sensitive information can
be taken. In the U.S., unauthorized computer access is a federal crime under the Computer Fraud and Abuse Act and
can be prosecuted as a felony. The intruder uses a variety of software and techniques to gain access quietly, so the
owner may not be aware that the machine is being accessed from a remote location. All organizations are vulnerable to
attack and no security system is infallible. Famous targets of hacking attacks include NASA, the US Air Force, the
Pentagon, Yahoo, Google, eBay, and the German government.
Hackers take advantage of basic security vulnerabilities in computer systems. These vulnerabilities and weaknesses
allow an intruder to execute commands, access unauthorized data, and conduct denial-of-service attacks.
Examples of vulnerabilities and weaknesses include:
• Unpatched software (e.g., Adobe, Microsoft, and Oracle products)
• Unnecessary open network ports and exposed services
• Poor physical security
• Weak passwords
• Insufficient backup and recovery
• Improper disposal of devices and media (e.g., discarded computers and portable drives that processed or stored
sensitive data)
• Poor security policy
• Outdated infrastructure
• Lack of end-user education
In general, organizations that do not scan for vulnerabilities and proactively address information system
weaknesses face an increased likelihood of having their systems compromised. Best practices to reduce the risk
of being a cyber target suggest that organizations should implement the following procedures:
• Run automated vulnerability scans against all systems on the network
• Ensure that the scanning tools are regularly updated and contain the latest vulnerability signatures
• Communicate prioritized lists of the most critical vulnerabilities to the responsible system administrators
• Ensure that software and applications are updated with security patches regularly
• Subscribe to vulnerability intelligence services in order to stay aware of emerging threats and exposures
Real-World Case: Mega Metals Inc.
The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016
Mega Metals Inc., a 30-year-old scrap processor, was defrauded in 2015 when the email account used by an
Italian-based third-party broker was compromised. Mega Metals had wired $100,000 intended for a German vendor to pay
for a 40,000-pound container load of titanium shavings. Following the transaction, the vendor complained that it
had not received payment. An investigation revealed that malicious software implanted on the Italian broker's
computer systems allowed criminals to collect passwords that provided access to the broker's email system. They
then sent falsified wire-transfer instructions to Mega Metals for a legitimate purchase. This pattern, in which a
genuine mailbox is taken over and used to redirect a payment, is known as business email compromise (BEC). The
control that defeats it is out-of-band verification: confirm any new or changed payment instructions by telephone
to a number already on file, never to a number or address supplied in the email itself.
DDoS
Denial of service (DoS) is the condition a user experiences when a system or website is unavailable, either
because the system is completely down or because it is swamped with an excessive amount of Internet traffic.
A "DoS attack" typically uses one computer and one Internet connection to flood a targeted system or resource,
thereby reducing or eliminating access to the system. A DoS attack is different from a DDoS attack. A DDoS
(Distributed Denial of Service) attack is one in which multiple compromised systems, often infected with malware
such as a Trojan horse, are used to target a single system and cause a denial of service.
The DDoS attack can use multiple computers and internet connections around the world to essentially disable the
targeted resources. Cloud service providers must have solutions in place to protect their infrastructure as DDoS
attacks continue to evolve.
In a DDoS attack, the incoming traffic flooding the victim originates from many different sources, potentially
hundreds of thousands or more. Therefore, it is impossible to stop the attack simply by blocking a single IP
address. The attacking software may have lain dormant on the compromised computers for months, or longer, and then
"woken up" at a specific time to launch the attack. In addition, it is very difficult to distinguish legitimate
user traffic from attack traffic because it is spread across so many points of origin.
There are many types of DDoS attacks. Common attacks include the following:
Types of DDoS Attacks
• Traffic attacks: traffic flooding attacks send a huge volume of different data packets to the target. Legitimate requests get lost, and these attacks may be accompanied by malware exploitation.
• Bandwidth attacks: this type of DDoS attack overloads the target with massive amounts of junk data. This results in a loss of network bandwidth and equipment resources and can lead to a complete denial of service.
• Application attacks: application-layer data messages can deplete resources in the application layer, leaving the target's system services unavailable.
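The difference between a DoS and a DDoS, and why blocking a single address works for one and not the other, can be made concrete with a small traffic classifier. The block below is an added example written for this course text, not code from any source it cites; the request logs are constructed with a seeded random generator, and the two thresholds are assumptions that a real deployment would tune to its own capacity.

```python
import random
from collections import Counter

# Thresholds are assumptions for this example; a real deployment tunes them to the
# capacity of the service and the behaviour of its legitimate clients.
PER_SOURCE_LIMIT = 50    # requests per window that no single legitimate client should exceed
AGGREGATE_LIMIT = 400    # requests per window the service can absorb in total


def summarize(requests):
    """requests: list of (seconds_into_window, source_ip) seen in one measurement window."""
    per_src = Counter(ip for _, ip in requests)
    total = len(requests)
    top_ip, top_n = per_src.most_common(1)[0] if per_src else (None, 0)
    return {
        "total": total,
        "sources": len(per_src),
        "top_ip": top_ip,
        "top_share": top_n / total if total else 0.0,
        "per_src": per_src,
    }


def classify(requests):
    """Decide whether a window looks normal, like a single-source DoS, or like a DDoS,
    and return the block list that would actually help."""
    s = summarize(requests)
    offenders = sorted(ip for ip, n in s["per_src"].items() if n > PER_SOURCE_LIMIT)
    if s["total"] <= AGGREGATE_LIMIT and not offenders:
        return {"verdict": "normal", "block": [], "sources": s["sources"]}
    # DoS: a few loud sources carry the flood, so blocking them removes most of it.
    if offenders and sum(s["per_src"][ip] for ip in offenders) >= s["total"] / 2:
        return {"verdict": "dos", "block": offenders, "sources": s["sources"]}
    # DDoS: harmful volume, but spread so thinly that no address stands out.
    # Per-IP blocking cannot help; the flood has to be absorbed or filtered upstream.
    return {"verdict": "ddos", "block": [], "sources": s["sources"]}


def scenarios(window_s=10, seed=7):
    """Constructed traffic for one window: a baseline, a one-host flood, and a botnet flood."""
    rng = random.Random(seed)
    baseline = [(rng.uniform(0, window_s), f"198.51.100.{i}")
                for i in range(20) for _ in range(rng.randint(1, 3))]
    # One attacker, one connection, 800 requests: classic DoS.
    dos = baseline + [(rng.uniform(0, window_s), "203.0.113.9") for _ in range(800)]
    # 300 bots sending two requests each: every bot stays under the per-source limit,
    # yet the aggregate is well above what the service can absorb.
    ddos = baseline + [(rng.uniform(0, window_s), f"100.64.{i // 256}.{i % 256}")
                       for i in range(300) for _ in range(2)]
    return {"baseline": baseline, "dos": dos, "ddos": ddos}


if __name__ == "__main__":
    for name, traffic in scenarios().items():
        print(name, classify(traffic))
```

The DDoS verdict deliberately returns an empty block list: in that scenario the busiest address accounts for well under one percent of the traffic, so a per-IP rule that was tight enough to stop the bots would also stop legitimate clients.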
Botnets
DDoS attacks are often global attacks distributed via botnets. Botnets, from "robot network", are
networks of compromised computers controlled by remote attackers and used to perform illicit tasks such as
sending spam or attacking other computers, without the owners' knowledge or consent.
There are two methods for detecting bots: static (signature-based) analysis, which checks a computer's files and
characteristics against a list of known threats, and behavioral analysis, which monitors communications on a
network for behaviors known to be exhibited by botnets, such as regular "beaconing" to a command-and-control
server. If it is discovered that an organization's network has been infected, it is the
organization's responsibility to notify stakeholders about a potential compromise of all data residing on the
network. Cleanup efforts resulting from a botnet infestation can therefore be costly and damaging to an
organization's reputation.
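The two detection methods above can be illustrated with a check over outbound connection logs: an indicator match stands in for static analysis, and a test for machine-regular timing stands in for behavioral analysis. This is an added example, not code from the IIROC guide or any other source cited in this course; the log lines and the indicator list are constructed, and the jitter threshold is an assumption.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

# Constructed outbound connection records: "<timestamp> <src> <dst> <dport> <bytes>".
# 10.0.0.5 contacts 203.0.113.10 about once a minute with near-identical sizes (a beacon),
# 10.0.0.7 browses 198.51.100.20 at irregular times, and 10.0.0.9 talks only three times
# to an address that happens to be on the indicator list.
SAMPLE_LOG = """\
2019-03-04T10:00:00 10.0.0.5 203.0.113.10 443 612
2019-03-04T10:01:00 10.0.0.5 203.0.113.10 443 598
2019-03-04T10:02:01 10.0.0.5 203.0.113.10 443 604
2019-03-04T10:02:59 10.0.0.5 203.0.113.10 443 611
2019-03-04T10:04:00 10.0.0.5 203.0.113.10 443 602
2019-03-04T10:05:01 10.0.0.5 203.0.113.10 443 599
2019-03-04T10:06:00 10.0.0.5 203.0.113.10 443 607
2019-03-04T10:07:00 10.0.0.5 203.0.113.10 443 603
2019-03-04T10:00:05 10.0.0.7 198.51.100.20 443 14220
2019-03-04T10:00:09 10.0.0.7 198.51.100.20 443 83011
2019-03-04T10:03:40 10.0.0.7 198.51.100.20 443 2210
2019-03-04T10:04:02 10.0.0.7 198.51.100.20 443 41873
2019-03-04T10:20:15 10.0.0.7 198.51.100.20 443 9920
2019-03-04T10:21:00 10.0.0.7 198.51.100.20 443 5107
2019-03-04T10:45:30 10.0.0.7 198.51.100.20 443 31004
2019-03-04T10:10:00 10.0.0.9 192.0.2.8 8080 120
2019-03-04T11:10:00 10.0.0.9 192.0.2.8 8080 118
2019-03-04T12:10:00 10.0.0.9 192.0.2.8 8080 121
"""

# Constructed indicator list standing in for a threat-intelligence feed.
KNOWN_BAD_IPS = {"192.0.2.8"}


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return records


def find_suspicious_flows(records, min_connections=5, max_cv=0.15):
    """Static check: destination on the indicator list.
    Behavioral check: at least min_connections to one destination whose inter-arrival
    times vary by no more than max_cv (coefficient of variation), i.e. a timer, not a person."""
    flows = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        flows[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), times in flows.items():
        if dst in KNOWN_BAD_IPS:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "reason": "known-bad-indicator", "connections": len(times)})
            continue
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = stdev(gaps) / period
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport, "reason": "beaconing",
                             "period_s": round(period), "cv": round(cv, 3),
                             "connections": len(times)})
    return findings


def analyze(text=SAMPLE_LOG):
    return find_suspicious_flows(parse_log(text))


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

The beacon's destination is not on the indicator list, so the static check alone would miss it; the behavioral check catches it from timing alone. Real bots add random jitter to their sleep interval, which is why the threshold is a ratio rather than an exact period, and why a production detector would also look at payload sizes and at what fraction of the host's traffic the flow represents.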
Spam
Spam is a very common form of cyber fraud, and it is difficult to control. "Spam" is named after Spam luncheon
meat by way of a Monty Python sketch in which Spam is unwanted and unavoidable. Email is the most
common form of spam. Although many spam messages are commercial in nature, they may also contain
disguised links leading to phishing web sites or sites that host malware. Spam emails can also carry malware as
scripts or other executable file attachments.
Spam is highly profitable. The senders have no operating costs beyond the management of the mailing
lists, servers, IP ranges, and domain names. For example, a Dutch spammer reported a profit of around $50,000
from sending out at least 9 billion spam emails.
Most email providers have reacted to rising levels of spam by installing anti-spam filter technology. This
technology identifies spam using keyword filters or blacklists of spammers' IP addresses. To ensure that spam
still reaches its intended audience, spammers are increasingly using tactics to avoid detection. According to
Cisco Security Research, snowshoe spam, which involves sending low volumes of spam from each of a large set of IP
addresses so that no single address trips a volume or reputation threshold, is an emerging threat.
Phishing
Phishing is a method where cyber criminals bait the victim into giving out sensitive information. The bait can be
a business proposal, the announcement of a lottery to which the victim never subscribed, or anything
that promises the victim money for nothing or for a small favor. Or it may be a forged email requesting a profile update
at a bank or other website. Phishing attacks are growing in both frequency and sophistication; phishing is now
frequently the first step used to install persistent malware. The main perpetrators of
phishing attacks are organized crime syndicates and state-sponsored actors.
Spear phishing is a type of targeted phishing that is directed at a specific individual or group of individuals.
It usually has the following characteristics:
• A high level of targeting sophistication: it appears to come from an acquaintance (e.g., an associate,
client, or friend)
• Contextually relevant to the recipient's position, job, or interests
• Contains graphics to make the email look legitimate or familiar
The U.S. Cybercrime Center warns people not to enter into any kind of agreement that promises something that
seems too good to be true. It is critical that organizations promote security-conscious behavior by employees.
A cybersecurity chain is only as strong as its weakest link, and organizations should be careful when disclosing
commercially sensitive data to their suppliers and advisors, including accountants, lawyers, and financiers.
Simple Steps for Internet Safety from the FBI
http://www.fbi.gov October 11, 2016
In today’s digital world, online safety should be of paramount concern for all individuals and organizations because the threats
posed by cybercriminals can’t be ignored. And to counteract these threats, there are steps you can take to minimize the risks
associated with doing any kind of business online, surfing the Internet, and/or sharing information on social media sites.
The first step to greater Internet safety is a basic yet vital one—change online passwords several times a year. Use different
passwords for each online account and make them unique but not easily guessed.
Additional levels of cybersecurity, like two-factor authentication (TFA), can provide even greater protection for your
information. TFA is a technology that increases security by incorporating requirements beyond a password, like a particular
physical trait, a dynamic PIN, or the location or time of a login attempt. Many e-mail service providers and social media
platforms offer TFA as a free service—most require a strong password and supply a PIN that changes periodically. Users can
receive these PINs easily via mobile applications or text messages.
In terms of social media, remember that once personal or organizational information has been posted to a social networking
site, that information can no longer be considered private and can be—and sometimes is—used for criminal purposes. The
highest security settings on an Internet account may not be enough to prevent a leak of sensitive data—for example,
cybercriminals often can obtain personal passwords regardless of their complexity. In doing so, they can gain access to
banking credentials and credit card numbers, get hold of social security information, download malware to a computer, or
hijack a device to perpetrate further crimes. So be careful—post as little personal information as possible, use two-factor
authentication and beware of embedded links that—if clicked on—may lead to scam webpages and malware being
downloaded to your computer or mobile device.
Another level of online security involves protecting your mobile devices from cyber intruders in public places. Not all Wi-Fi
hotspots at coffee shops, airports, or hotels have strong security protections. Persons in close proximity may be able to access
that open network and collect your login information and the content of your online browsing. Securing your phone or tablet
is as simple as avoiding sensitive sites that require a login, so try to avoid signing into bank accounts, e-mail, or social media
accounts while on a public Wi-Fi hotspot. But if you have to, use a reliable personal virtual private network (VPN) service
provider. A VPN enables data encryption and adds a layer of security to communications, making it more difficult for
cybercriminals to spy on you.
An out-of-band backup is another useful cybersecurity technique. This involves backing up your data to a virtual, cloud
environment or storing hard copies of digital data at a physical location elsewhere. Using this method is ideal in combating
ransomware, a type of malware which restricts access to files or threatens their destruction unless a ransom is paid to the
cyber-based criminal.
Kids too can learn steps to Internet safety through the FBI’s Safe Online Surfing (SOS) program. SOS is a nationwide initiative
designed to educate children from grades 3 to 8 about the dangers faced when surfing the web. SOS promotes good cyber
citizenship among students by engaging them in a fun, age-appropriate, competitive online program where they learn how
to safely and responsibly use the Internet.
Though myriad methods and tools exist to protect the public and organizations from the risks of cybercrime, your best
defense is understanding and implementing strong security practices and maintaining them regularly. Doing so can raise a
perpetual firewall against cybercriminals and keep your sensitive data safe.
Ransomware
Ransomware, one of the most damaging malware-based attacks, is a form of malware that targets both
human and technical weaknesses. The goal is to deny access to critical data and/or systems, in businesses
and in home networks alike.
Recently, ransomware has gained notoriety in the field of cybersecurity due to the growth in the number of victims
and the significant profits that cybercriminals can obtain from this type of malicious campaign. In May 2017, the
worldwide WannaCry ransomware attack spread by exploiting a vulnerability in outdated, unpatched Windows systems.
Because they had not updated their systems, some major health systems, such as the UK's National Health Service
(NHS), were attacked and held to ransom.
In 2018, the FBI's Internet Crime Complaint Center received 1,493 complaints identified as ransomware with
losses of over $3.6 million. This number does not include estimates of lost business, time, wages, files, equipment,
or any third-party remediation services acquired by a victim. In some cases, victims do not report any loss amount
to the FBI, thereby creating an artificially low ransomware loss figure. The FBI expects that this type of attack will
continue to rise.
Ransomware is usually delivered through spear-phishing emails to end users. Once the email recipient opens the
malicious attachment, the malware rapidly encrypts sensitive files, or all of the files it can reach on the network.
In newer instances of ransomware, however, cybercriminals may not use email at all. They can bypass the need for
an individual to click on a link by seeding legitimate websites with malicious code that takes advantage of
unpatched software on end-user computers. As a result, a computer can be infected with ransomware when the user
clicks on a malicious link in an email, an instant message, a social networking site, or a compromised website, or
when the user downloads and opens a malicious email attachment.
After the victim organization discovers that it can no longer access its data, the cybercriminal
demands the payment of a ransom, typically in a virtual currency such as Bitcoin. Without the key, the encrypted
files are effectively unrecoverable, so the victim's only alternatives to paying are to restore from backups or to
lose the data. After payment of the ransom, the cybercriminal will supposedly provide a way for the victim to
decrypt the data.
Real-World Case: Mahone Bay and Bridgewater
The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016
Mahone Bay and Bridgewater, small towns in Nova Scotia, reported infections in municipal computers that
occurred in June 2015. The malware, known as CryptoWall 3.0, attacked local, non-networked directories and reached
the systems either through a spear-phishing email sent to a system user or perhaps through an infected website
visited by a town employee. Once the link was clicked, the systems were infected with CryptoWall 3.0 and a second
piece of malware called CryptoLocker, which encrypts files on the targeted system. Once activated, the malware
delivered an automated message to the user requesting payment of roughly $900 in return for unlocking the
infected files; absent a flaw in the malware's cryptography or a clean backup, it is virtually impossible to
recover the files without the key. The malware is thought to have originated with criminal groups in Russia. The
use of CryptoLocker techniques is widespread. The U.S. Justice Department estimated that CryptoLocker attacks
infected more than 234,000 machines, resulting in $27 million in ransom payments, in just its first two months
of operation.
Ransomware has become a serious security problem. There are, however, preventive measures against
ransomware encryption, such as:
• Use fully updated modern operating systems and reputable antivirus software or an Internet security suite,
including an updated, secure browser and email client
• Take regular backups to minimize the damage in case a computer is infected, and keep at least one copy offline
• Never click on unknown links or download attachments from unknown sources
• Block programs from running out of user-writable locations such as %AppData% and %LocalAppData% (e.g., with
software restriction policies or AppLocker)
• Promote security awareness and provide training to all employees
• Patch commonly exploited third-party software such as Java, Flash, and Adobe Reader
• Restrict administrative rights
• Scan to identify exploitable vulnerabilities
• Review service providers' security policies
Ransomware - Warning from the FBI
Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large
businesses—these are just some of the entities impacted by ransomware, an insidious type of malware that
encrypts, or locks, valuable digital files and demands a ransom to release them. The inability to access the
important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or
proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files,
and the potential harm to an organization’s reputation. Home computers are just as susceptible to ransomware
and the loss of access to personal and often irreplaceable items— including family photos, videos, and other
data—can be devastating for individuals as well.
In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an
attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious
ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are
directed to a website that infects their computer with malicious software.
Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives,
backup drives, and potentially other computers on the same network that the victim computer is attached to.
Users and organizations are generally not aware they have been infected until they can no longer access their
data or until they begin to see computer messages advising them of the attack and demands for a ransom payment
in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with
bitcoins because of the anonymity this virtual currency provides.
Ransomware attacks are not only proliferating, but they’re also becoming more sophisticated. Several years ago,
ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out
spam, cybercriminals turned to spear phishing e-mails targeting specific individuals. And in newer instances of
ransomware, some cybercriminals aren’t using e-mails at all—they can bypass the need for an individual to click
on a link by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-
user computers.
The FBI doesn’t support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee
an organization that it will get its data back—there have been cases where organizations never got a decryption
key after having paid the ransom. Paying a ransom not only emboldens current cybercriminals to target more
organizations, but it also offers an incentive for other criminals to get involved in this type of illegal activity. And
by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.
So what does the FBI recommend? As ransomware techniques and malware continue to evolve—and because it’s
difficult to detect a ransomware compromise before it’s too late—organizations, in particular, should focus on
two main areas:
• Prevention efforts—both in terms of awareness training for employees and robust technical prevention
controls; and
• The creation of a solid business continuity plan in the event of a ransomware attack.
Here are some tips for dealing with ransomware (primarily aimed at organizations and their employees, but some
are also applicable to individual users):
• Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
• Patch operating system, software, and firmware on digital devices (which may be made easier through a
centralized patch management system).
• Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
• Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely
needed, and only use administrator accounts when necessary.
• Configure access controls, including file, directory, and network share permissions appropriately. If users only
need to read specific information, they don’t need write-access to those files or directories.
• Disable macro scripts from office files transmitted over e-mail.
• Implement software restriction policies or other controls to prevent programs from executing from common
ransomware locations (e.g., temporary folders supporting popular Internet browsers,
compression/decompression programs).
• Back up data regularly and verify the integrity of those backups regularly.
• Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
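The last two tips (verify backup integrity regularly, and keep backups off the networks they protect) can be enforced with a hashed, keyed manifest: a signed list of what the backup should contain, checked before anyone relies on it. The block below is an added example, not FBI or course code; the backup files, the simulated ransomware pass and the manifest key are all constructed inside a temporary directory, and the assumption is that the key is stored somewhere the backed-up host cannot reach.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest, key):
    """HMAC over the canonical JSON form, so the manifest itself cannot be silently rewritten."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_backup(root, manifest, signature, key):
    """Check the manifest's signature first, then compare the tree against it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return {"manifest_ok": False, "changed": [], "missing": [], "new": []}
    current = build_manifest(root)
    return {
        "manifest_ok": True,
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def run_demo():
    """Constructed backup set, then a simulated ransomware pass over it."""
    key = b"offline-manifest-key"  # assumption: stored off the host being backed up
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "ledger").mkdir()
        (backup / "ledger" / "gl-2019.csv").write_text("acct,debit,credit\n1000,500,0\n")
        (backup / "payroll.xlsx").write_bytes(b"PK\x03\x04 constructed payroll workbook")
        manifest = build_manifest(backup)
        signature = sign_manifest(manifest, key)
        clean = verify_backup(backup, manifest, signature, key)
        # Ransomware: overwrite a file with ciphertext, drop a note, and remove a file.
        (backup / "ledger" / "gl-2019.csv").write_bytes(os.urandom(64))
        (backup / "README_DECRYPT.txt").write_text("pay 1 BTC")
        (backup / "payroll.xlsx").unlink()
        after = verify_backup(backup, manifest, signature, key)
        # An attacker who re-hashes the encrypted tree still cannot produce the HMAC.
        forged = build_manifest(backup)
        tampered = verify_backup(backup, forged, signature, key)
    return {"clean": clean, "after": after, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

A plain hash list stored next to the backup is not enough: ransomware that can overwrite the files can overwrite the list too, which is what the HMAC with an off-host key prevents. The manifest also only proves the copy is unchanged, not that it is restorable, so a periodic test restore remains part of the routine.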
Impact of Security Breaches
The Target data breach, which took place in late 2013 and was disclosed that December, was one of the largest in
history. The personal details of some 70 million people may have been compromised. Although Target had invested
over $100 million in cybersecurity measures, it had failed to establish end-to-end monitoring and response
capabilities and could not respond quickly enough when attackers compromised its point-of-sale (POS) systems during
the busy holiday shopping period. The breach damaged Target's reputation and caused a loss of business, and it
was followed by the departure of the company's chief executive.
Details of the impact of the cybersecurity incident on Target's financial statements are addressed in "Appendix C:
Financial Statement Disclosure - Target Corporation 2015 Quarterly Report".
According to an annual research report made by the Ponemon Institute and IBM:
• In 2018, the average cost of a data breach increased by about 6% to $3.86 million.
• The mean time to identify a data breach was 197 days, and the mean time to contain it was 69 days.
• The average cost per lost or stolen record worldwide increased to $148 in 2018.
The scope and severity of the impact of a security breach will depend on the nature of the attack and the
organization’s ability to react and minimize its effect. Examples of the business effect of a cyberattack include:
1. Loss of personal data, such as customer contact or bank details, or sensitive personal data
2. Inability to operate and conduct business, such as a DDoS attack that overwhelms the email servers
3. Loss of customers and business with reductions in customer satisfaction and retention
4. Damage to the value of the organization leading to a stock price drop
Deloitte identified the domino effect following a security breach:
In general, the costs of cybercrime presented below are related to both dealing with cybercrime as the internal
cost (e.g. detection, recovery, and incident response) and the consequences of the cyberattack as the external
consequences (e.g. business interruption, and revenue loss). The Ponemon Institute identified the following cost
framework for cybercrime.
Internal Cost Activity Centers:
• Detection
• Investigation & Escalation
• Containment
• Recovery
• Ex-post Response
External Consequences & Costs:
• Information Loss or Theft
• Business Interruption
• Equipment Damage
• Revenue Loss
Based on an Experian study, Security as Business Risk: How Data Breaches Impact Bottom Lines, the management
of data breaches should be assessed from a traditional business risk perspective. Risk management typically
weighs the business uncertainties within the following key categories:
(Deloitte domino-effect diagram, referenced above; the labels recovered from the figure, each consequence triggering the next:)
• Security incident occurs
• Negative social media coverage
• Staff unable to access systems
• Extreme pressure on operations
• Forensic investigation
• Negative local/national press
• Cost of notifying customers
• Contractual breach
• Regulatory investigation/fine
• Remediation costs
• Loss of customers
• Lost sales
• Loss of jobs
• Loss of organization/business
Reputation Damage
Security breaches not only impact a company's bottom line, but also its reputation, brand, and intellectual
property. A recent study revealed that reputational damage is considered the most significant impact of a security
breach, followed closely by legal, investment and/or enforcement costs. The risk to a company's reputation can
cause more long-term damage than any other type of risk. Damaged reputations shrink shareholder value and
involve negative publicity, loss of clients or key employees, and decreased revenue. Reputation risk has become
so critical that a number of online tools have emerged which use social media to track how corporate reputations
are affected during a crisis.
According to Reputation Impact of a Data Breach study conducted by the Ponemon Institute, in terms of
reputation impact, not all data breaches are equal. Some breaches are more devastating than others to an
organization’s reputation and brand image. The following are the most meaningful findings in instances when
three different types of information assets are lost or stolen as a result of data breaches:
1. When records containing confidential customer information are lost or stolen: the study asked
respondents to evaluate the consequences to an organization that had a data breach involving the loss or
theft of more than 100,000 confidential consumer records. About 81% of respondents said it would affect
the economic value of their organization’s reputation as well as its brand image. According to
respondents, the average diminished value of the brand as a direct result of the incident is 21%. To restore
the organization’s reputation would take on average about one year (11.8 months).
2. When records containing confidential employee information are lost or stolen: the study asked
respondents to evaluate the consequences to an organization that had a data breach involving the loss or
theft of more than 100,000 confidential employee records. About half (51%) of respondents said this
would affect the economic value of their organization’s reputation and brand image. According to these
respondents, the average diminished value of the brand as a direct result of the incident is 12%. To restore
the organization’s reputation would take an average of about 8 months.
3. When records containing confidential business information are lost or stolen: the study asked
respondents to evaluate the consequences to an organization that had a data breach involving the loss or
theft of trade secrets, new product designs, source code or strategic plans. The breach involved a small
number of extremely sensitive files. About 80% of respondents said this would affect the economic value
of their organization’s reputation and brand image. According to these respondents, the value of the
company’s brand was diminished on average by 18% as a direct result of the incident. To restore the
organization’s reputation would take on average about 8 months.
A Risk to Brand and Shareholder Value
Brand value is what a company’s actual name means to a customer. According to an Experian study, higher brand
equity translates into customer loyalty, premium pricing, and higher stock values. Brand risk constitutes anything
that detracts from its equity. High brand risk and low brand equity means lower customer trust, loss of sales and
higher marketing costs to rebuild equity. As an example, the American automobile industry suffered from a large
quality perception gap during the 1980s, and their brand equity suffered as global competitors grabbed market
share and customer base at the expense of these U.S. companies.
As shareholders maintain an equity position in a company, any risks they face become risks to equity value. A large
loss of customers during a crisis may lower equity value which could result in more expensive credit, curtailing of
research and development as well as changes in corporate leadership. This type of risk is tactical in nature,
although it expresses itself in a very public manner. Most data breaches result in some loss of equity value in the
short-term.
Compliance
Compliance risks stem from the application, or lack thereof, of laws and regulations instituted by a wide range of
countries, such as the privacy laws of the European Union, India, and Japan. In the U.S., requirements also exist
for specific market verticals, such as the PCI Data Security Standard (an industry standard rather than a law) for
companies accepting credit card payments and HIPAA for organizations holding patient health information.
Real-World Example: Sony
Corporate Overview
Sony is a highly respected multinational conglomerate based in Japan, with FY 2011 revenue of $86 billion. While the company has many distinct business units, Sony is best known for producing high-quality electronics.
Sustained Breaches
Sony’s challenges began in April 2011 with a massive breach of its PlayStation Network, later followed by additional breaches, including one directed against its online entertainment division. These breaches resulted in the loss of 100 million customer records and the shutdown of business operations for several Sony units over a period of weeks.
Sony Response
Sony’s major challenge with responding to these data breaches was to deftly manage its image. In this respect, Sony failed miserably. The company received tremendously negative media attention for its perceived delay in notifying customers of the breach. This became such an issue that the CEO himself, Howard Stringer, was forced to address the onslaught of media questions. However, Stringer’s defense of Sony’s one-week delay fell on disbelieving ears and only worsened the public reaction.
When considering the public apology offered, it’s important to remember that Sony is based in Japan, where an apology of this sort would simply be accepted and the matter closed. Suffice it to say, this broader cultural context was lost amidst the firestorm of damaging publicity. From a security professional’s perspective, Sony was technically prudent and responsive. From a consumer’s perspective, however, the perception of Sony’s misguided response created a backlash.
While meant to be a positive development, the May 2011 announcement that Sony was creating a Global CISO role raised more concerns than it settled. Given the wide range of systems breached and business units affected, the belated creation of this role raises the question of why Sony did not have a CISO in place before these breaches. The perception is that security was an afterthought not taken seriously by Sony and that individual business units were left to handle security on their own. Little else can explain the breakdown of Sony’s cyber defenses.
Sony’s initial customer responses included offering credit-monitoring services to affected customers, enhanced customer support, creation of welcome back programs and implementation of new security systems. Direct costs to date are approximately $171 million, but given its legal fees and other potential lost revenues, Sony’s total cost estimates from these breaches range from $13 billion to $20 billion over the long term.
Victimology
Sony’s breaches invite an examination of victimology. Initial reports suggest that the personal information of 75 million PlayStation users was compromised by these breaches. One might imagine these PlayStation users to be teenaged and young adult gamers. The reality is that many of these gamers don’t own credit cards. Instead, it is their parents or legal guardians whose information was lost. The real loss, however, is one of trust. Sony’s damaged reputation might plant the following question in the minds of millions of consumers: If this company doesn’t care enough to secure my information, do they really create the kind of reliable high-end appliances my family needs in the future?
Source: Experian - Security as Business Risk: How Data Breaches Impact Bottom Lines
Review Questions - Section 1
1. An employee made a false claim for reimbursement of inflated business expenses. He believes that his behavior was harmless because the financial loss to the agency was immaterial. Which of the fraud triangle elements best explains his action?
A. Opportunity
B. Capability
C. Rationalization
D. Pressure
2. An individual steals online credit and financial information and uses them in a criminal manner. What term describes this behavior?
A. Financial Statement Fraud
B. Business Email Compromise
C. Cyber Fraud
D. Email Account Compromise
3. What type of cyber fraud sends a victim an enticement in the hopes that the victim will provide confidential information?
A. Ransomware
B. Hacking
C. Phishing
D. Spam
4. What is the most effective technique to reduce the risk of being a business email compromise victim?
A. Requiring two-factor authentication for all remote access sessions
B. Conducting vulnerability assessment scans of the wireless network
C. Implementing secure backup and recovery processes
D. Promoting employee security awareness behavior
5. Which of the following offenses involves criminals taking out loans or credit cards using a victim’s information?
A. Payment card skimmers
B. Exploits
C. Financial Identity theft
D. Business email compromise
6. Hundreds of thousands of computers are part of some network being used for performing malicious actions, such as sending spam and launching denial of service attacks. Which of the following terms describes this type of threat?
A. Payment card skimmers
B. Point-of-Sale Intrusions
C. Zero-day attacks
D. Botnets
II. Trends in the Cyber World
Industry 4.0, the current trend of automation and data exchange in manufacturing technologies, includes cyber-physical systems, the Internet of Things, and cloud computing. On entering Industry 4.0, the fourth industrial revolution, organizations will need to overcome hurdles caused by digitization and integration of vertical value chains (i.e., from product development and purchasing through manufacturing, logistics, and services) and horizontal value chains (i.e., from suppliers to customers and all key partners).
Industry 4.0 is no longer a “future” trend. For many companies, it is now at the heart of their strategic and research agenda. Companies are combining advanced connectivity and automation, cloud computing, sensors, 3D printing, connected capability, computer-powered processes, intelligent algorithms and Internet of Things services to transform their businesses. According to PwC’s Global Digital Operations Study 2018, digitization and smart automation are expected to contribute as much as 14% to global GDP gains by 2030, equivalent to about US$15 trillion in today’s value.
The Internet of Things
According to Gartner Inc., the Internet of Things (IoT) is the network of physical objects that contains embedded
technologies to communicate with and interact with the external environment. Some common examples of IoT
products include:
• Smart thermostats that interact with a smartphone application
• Smart refrigerators that alert consumers when certain food items run low
• Smart lighting systems and outlets
• Security systems that are accessible remotely
• Health monitors that family members and doctors can access
• Connected cars as well as car and truck tracking devices
• Wearables such as Fitbit health monitors, Apple Watch, etc.
• Amazon Echo and Google Home
• Smart payment systems using smartphones to increase convenience and reduce transaction costs
• Inventory-tracking sensors and devices used in warehouses as well as during shipments
• Automatic toll tracking and payment systems, as well as smart parking lots
With billions of people connected to the internet today and the number of connected devices expected to exceed 50 billion by the year 2020, IoT represents a major transformation in the digital world. It has the potential to affect every individual and business. It also encompasses technologies such as smart grids, smart homes, intelligent transportation, and smart cities, as well as all the necessary computing infrastructure to make widespread communication between those devices possible.
[Figure: The four industrial revolutions: 1st Mechanization, Water Power, Steam Power; 2nd Mass Production, Assembly Line, Electricity; 3rd Computer and Automation; 4th Cyber Physical Systems]
IoT is fast becoming the must-have element of business technology as it offers opportunities such as cost
reductions and improved decision-making with real-time updates and more accurate fact-finding. However, new
technologies also create new vulnerabilities as cybercriminals can exploit the resulting increase in
interconnectivity. This is especially concerning as businesses become more reliant upon real-time data. Any
interruption in the process chain - even for a minute - could cause a severe business interruption, thus impacting
the balance sheet and income statement. In addition, as technology evolves, older devices that remain in use also
create vulnerabilities. This also applies to outdated operating systems and unsupported software.
IoT will increasingly rely on cloud computing and smart devices with built-in sensors, along with thousands (if not
millions) of applications to support them. The use of outsourced services and storage such as cloud computing
also presents many risks. Cloud computing was originally developed to address cost, convenience, and reduced
complexity. However, cloud computing needs serious improvement in terms of security because safeguards for
protecting integrated environments are severely lacking.
One major cloud provider problem can result in data breach losses for many. An HP study reveals that 70% of the most commonly used IoT devices contain vulnerabilities. According to a Business Insider Intelligence Survey, 39% of the respondents said that security is the biggest concern in adopting IoT technology. IoT also suffers from platform fragmentation and a lack of technical standards. The variety of IoT devices, in terms of both hardware variations and differences in the software running on them, makes the task of developing applications difficult. Customers will be hesitant to bet their IoT future on proprietary software or hardware devices using proprietary protocols whose support may diminish or which may become difficult to customize and interconnect.
Since many opportunities for connected devices will develop through technological integration and collaboration, security risks to IoT are growing and changing rapidly. According to EY, the increased use of the internet and mobile devices shows that the “responsibility boundary” is disappearing. As a result, the risk landscape becomes more muddied. For example, who is responsible when a 3-year-old Wi-Fi-connected outlet in the home is targeted by overseas hackers in order to cause a power surge in the New York area? Is it the homeowner, the device manufacturer, the Wi-Fi router developer, or the utility company?
In a company, a cybersecurity system must also include the organization’s broader network, including clients, customers, suppliers/vendors, collaborators, business partners, and even alumni. Together, they constitute the entire “business ecosystem.” A standard approach to risk management assumes that the trust boundary is already defined. However, the definition of “risk” must be expanded and enhanced to address new security concerns/issues as new technologies are implemented to handle new functions, new processes, new devices, new policies, and structures.
[Figure: Risk Landscape: Data & Apps; Physical Environment; Change Mgt.; Third-Party Suppliers & Vendors; Internal Employees; Security & Privacy; Infrastructure; Legal & Regulatory]
Cybersecurity Framework Adoption
The Adaptation to the New Reality
An information security framework is a series of documented processes that are used to define policies and
procedures around the implementation and ongoing management of information security controls in an
enterprise environment.
The technology revolution has dramatically changed the way organizations conduct business. Traditional
boundaries have shifted as organizations operate in a dynamic environment that is increasingly interconnected,
integrated, and interdependent. The ecosystem includes not only employees, partners, and customers but other
participants such as law firms, investment banks, service providers, government agencies, regulators, industry
affiliations, and competitors. An organization’s data constantly flows in and out and is distributed and dispersed
throughout the ecosystem. This expands the domain that organizations need to protect. As a result, the integrity
and stability of an organization’s business are now, more than ever, dependent on other entities in the ecosystem.
The exposure and impact on the business can significantly increase when attackers actively target the
vulnerabilities throughout the ecosystem. For example, a law firm may be targeted in order to obtain the strategic
documents related to a business deal at one of its clients. A Fortune 500 company can be hacked through a
phishing attack at the weakest link in their supply chain. As cybersecurity risks dramatically evolve, and
cyberattacks accelerate at an unprecedented rate, an organization’s approach to cybersecurity must keep pace.
The following table lists highlights of how businesses should adapt to the new reality.
The Reality | Historical IT Security Perspectives | Today’s Leading Cybersecurity Insights
Scope of the Challenge | Limited to your “four walls” and the extended enterprise. | It spans the entire interconnected global business ecosystem.
Ownership and Accountability | IT-led and operated. | Businesses must be aligned; CEO and board must be accountable.
Attackers’ Characteristics | One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain. | Organized, funded, and targeted; motivated by economic, monetary, and political gain.
Information Asset Protection | One-size-fits-all approach. | Prioritize and protect your “crown jewels”, which are those information assets or processes that, if stolen, compromised, or used inappropriately would render significant hardship to the business.
Defense Posture | Protect the perimeter; respond if attacked. | Know you will be attacked. Plan, monitor, and rapidly respond when attacked.
Security Intelligence & Information Sharing | Keep to yourself. | Public/private partnerships; collaboration with industry working groups.
Source: PwC - 10 Minutes on the Stark Realities of Cybersecurity
New Approaches for a Changing Business Environment
As IT security becomes a top priority for all modern organizations, a wide range of security frameworks are available to guide companies in their efforts to protect their critical systems and data. Dimensional Research conducted a 2016 survey sponsored by Tenable Network Security to identify trends in the adoption of security frameworks. IT and security professionals were asked which security frameworks they had adopted across a wide range of topics, their motives for adoption, and how fully the frameworks were adopted. Many security frameworks have a strong reputation in specific areas. The following table lists some security framework acronyms used, with a brief description.
Security Framework Acronym | Description
ISO = ISO/IEC 27001/27002 | ISO is international. ISO/IEC 27001 is a robust framework that helps organizations protect information such as financial data, intellectual property or sensitive customer information. The key requirements are discussed in the “ISO/IEC 27000:2013” chapter.
CIS = CIS Critical Security Controls | The CIS controls are a set of internationally recognized measures developed, refined, and validated by leading security experts from around the world. The key controls are discussed in the “Critical Security Controls” chapter.
CSF = NIST Framework for Improving Critical Infrastructure Cybersecurity | CSF is an initiative of the U.S. federal government from 2013 Executive Order 13636, which calls for the development of a voluntary cybersecurity framework. Details of CSF are discussed in the “Executive Order − Critical Infrastructure Cybersecurity” and “Cybersecurity Framework Best Practice: The NIST Framework” chapters.
PCI = Payment Card Industry Data Security Council Standard | The PCI is a proprietary information security standard for organizations handling branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
Adoption of Security Frameworks as Common Practice
Based on survey results, the adoption of a security framework is a common practice. 84% of organizations are
leveraging a security framework. The adoption of security frameworks is the norm in banking and financing (88%),
information technology (87%), government (86%), and manufacturing (83%). All these industries boast security
framework adoption rates above 80%. Education and healthcare are only slightly behind at 77% and 61%
respectively.
A lack of data protection has played a critical part in the high-profile hacking stories of the past few years, such as
those concerning the Office of Personnel Management, Sony and Target. All organizations are at risk - it really
doesn’t matter if a company is a public or a private organization, a big or a small firm, a for-profit or a not-for-
profit organization. The sensitive information that a company processes, archives or transmits requires extensive
protection measures.
Organizations adopt security frameworks and standards to ensure data protection and/or to fulfill a contractual or regulatory requirement. Measures may be established on the company’s own initiative, or they may be mandated by other parties, such as suppliers, partners, clients or the government. A smart company knows that the implementation of, and compliance with, new security standards is necessary in order for the organization to remain competitive and achieve its long-term objectives.
Adoption of Wide Range of Security Frameworks as a Norm
Although there is no single security framework being used by the majority of companies, the security frameworks
most commonly used are PCI (47%), ISO (35%), CIS (32%), and CSF-NIST (29%). It is also common for organizations
to adopt multiple security frameworks, as 15% of companies are using three or more of these.
Currently, PCI is slightly more common than the other frameworks. However, when considering the current adoption of each security framework combined with the plans for adoption, as seen in the following chart, it is expected that CSF-NIST (43%), CIS (44%), and ISO (44%) will have equivalent levels of adoption, moving closer to that of PCI (55%).
[Chart: Security Framework Adoption (Have Adopted / Plan to Adopt / Total by the End of 2016) for CSF - NIST Framework, CIS Critical Security Controls, ISO 27001/27002 and PCI; vertical axis 0% to 60%]
Source: Dimensional Research - Trends in Security Framework Adoption 2016
Increased Adoption of the NIST Framework as Best Practices
The National Institute of Standards and Technology (NIST) Framework, an initiative stemming from Executive Order 13636, is a U.S. federal risk-based framework that serves as a foundation for organizations. However, the survey shows that security frameworks are not limited to specific industries. For example, there is a broad range of industries in addition to governments using CSF - NIST Framework, including banking (19%), information technology (17%), healthcare (12%), manufacturing (11%), education (5%), and more. Although the vast majority of organizations already leverage a security framework, many of them plan to adopt additional frameworks in the coming years, with CSF - NIST Framework at the top of the list, followed by CIS and ISO.
Companies implement security frameworks in order to comply with the requirements of a business relationship,
government, or a certification mandate. The survey results below show that the most common reason for
adopting CSF - NIST Framework was linked to best practices (70%), followed by requirements by a business partner
(29%), compliance with a federal contract (28%), or related to other organizations (20%).
Source: Dimensional Research - Trends in Security Framework Adoption 2016
The Rising Threats of Corporate Cybercrime
The technology revolution has dramatically changed the way organizations conduct business. Traditional
boundaries have shifted, and organizations operate in a dynamic environment that is increasingly interconnected,
integrated, and interdependent. The ecosystem includes not only employees, partners, and customers but other
participants such as law firms, investment banks, service providers, government agencies, regulators, industry
affiliations, and competitors. Consequently, it expands the domain that organizations need to protect.
Companies are increasingly vulnerable to incoming cybersecurity threats from new directions and adversaries. IT
assets that are commonly compromised and used during attacks include, but are not limited to, servers, network
components, user devices, storage media, people, network and system design specifications, and VPN
configurations. Attacks in various forms, such as hacktivism, corporate espionage, insider, and criminal activity,
can cost an organization time, resources, and irreparable harm to its reputation.
Cybercrimes can be committed from a remote location, outside the jurisdiction of local law enforcement agencies, which makes catching such criminals difficult and has contributed to a rise in cybercrime across all industries. In a recent McAfee Labs publication, The Hidden Data Economy, the following prices were identified as average selling prices for stolen payment cards and other personal data:
Payment Card Number with Card Verification Value (CVV2)
Data Type | United States | United Kingdom | Canada | Australia | European Union
Payment Card Information | $5-$8 | $20-$25 | $20-$25 | $21-$25 | $25-$30
Personal Health Information | $15 | $25 | $25 | $25 | $30
Personal Data | $15 | $30 | $30 | $30 | $35
Non-Card Financial | $30 | $35 | $40 | $40 | $45
Source: McAfee, The Hidden Data Economy
Cyber attackers are continuously changing tactics, increasing their persistence and expanding their capabilities.
Threat actors in the 21st century are highly trained and incorporate sophisticated attack techniques.
The threats exist across all industries, and organized crime is becoming increasingly sophisticated in its use of
technology to commit crimes. These threat actors may target PoS systems or customer databases to gather user
credentials, stored financial data, and stored personal information. The Verizon 2019 Data Breach Investigations
Report revealed that:
• External actors have long been the primary culprits behind confirmed data breaches
• Financial gain is the most common motive behind data breaches
• Phishing and the use of stolen credentials (a hacking action variety) are prominent fixtures
• Ransomware is still a major issue for organizations
• DoS attacks are at the top of action varieties associated with security incidents
• When the method of malware installation was known, email was the most common point of entry
• Workstations, web applications, and mail servers are in the top group of assets affected in data breaches
The report analyzed the following nine classification patterns to help companies prioritize their efforts in
addressing breach possibilities.
Category | Description | Key Findings
Web App Attacks | Any incident in which a web application was the vector of attack. This includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. | Over one-half of breaches in this pattern are associated with unauthorized access to cloud-based email servers.
Point-of-Sale Intrusions (PoS) | Remote attacks against the environments where card-present retail transactions are conducted. POS terminals and POS controllers are the targeted assets. | The Accommodation industry is still the most common victim within this pattern, although breaches were less common this year.
Insider and Privilege Misuse | All incidents tagged with the action category of Misuse—any unapproved or malicious use of organizational resources—fall within this pattern. | This is mainly insider misuse, but former and collusive employees, as well as partners, are present in the data set.
Miscellaneous Errors | Incidents in which unintentional actions directly compromised a security attribute of an asset. | Misdelivery of sensitive data, publishing data to unintended audiences, and misconfigured servers account for 85% of this pattern.
Physical Theft and Loss | Any incident where an information asset went missing, whether through misplacement or malice. | The top two assets found in Physical Theft and Loss breaches are paper documents and laptops. When recorded, the most common location of theft was at the victim work area, or from employee-owned vehicles.
Crimeware | All instances involving malware that did not fit into a more specific pattern. The majority of incidents that comprise this pattern are opportunistic in nature and are financially motivated. | Command and control (C2) is the most common functionality (47%) in incidents, followed by Ransomware (28%).
Payment Card Skimmers | All incidents in which a skimming device was physically implanted (tampering) on an asset that reads magnetic stripe data from a payment card (e.g. ATMs, gas pumps, POS terminals, etc.). | Physical tampering of ATMs and gas pumps has decreased from last year. This may be attributable to EMV and disruption of card-present fraud capabilities.
Cyber-espionage | Incidents in this pattern include unauthorized network or system access linked to state-affiliated Actors and/or exhibiting the motive of espionage. | Threat actors attributed to state-affiliated groups or nation-states combine to make up 96% of breaches, with former employees, competitors, and organized criminal groups representing the rest. Phishing was present in 78% of Cyber-espionage incidents.
Denial-of-Service Attacks | Any attack intended to compromise the availability of networks and systems. This includes both network and application attacks designed to overwhelm systems, resulting in performance degradation or interruption of service. | This pattern is based on the specific hacking action variety of DoS. The victims in our data set are large organizations over 99 percent of the time.
Source: Verizon, 2019 Data Breach Investigations Report
To understand the cyber threats relevant to an organization, it is critical to determine what information would be
valuable to outsiders or what information would cause significant disruption if unavailable or corrupt. For
example, retailers set a top priority on protecting customer data. R&D organizations are usually focused on
protecting intellectual property. Manufacturers need reliability of production, quality of products and supply chain
systems.
The following table highlights security breaches by industry based on the Verizon Data Breach Investigations
Report:
Industry | Top 3 Data Breach Patterns | Threat Actors | Actor Motives | Data Compromised
Accommodation and Food Services | Point of Sale intrusions, Web applications and Crimeware patterns represent 93% of all data breaches | External (95%), Internal (5%) | Financial (100%) | Payment (77%), Credentials (25%), Internal (19%)
Educational Services | Miscellaneous Errors, Web Application Attacks, and Everything Else represent 80% of breaches | External (57%), Internal (45%), Multiple parties (2%) (breaches) | Financial (80%), Espionage (11%), Fun (4%), Grudge (2%), Ideology (2%) | Personal (55%), Credentials (53%), and Internal (35%)
Financial and Insurance | Web Applications, Privilege Misuse, and Miscellaneous Errors represent 72% of breaches | External (72%), Internal (36%), Multiple parties (10%), Partner (2%) | Financial (88%), Espionage (10%) | Personal (43%), Credentials (38%), Internal (38%)
Healthcare | Miscellaneous Errors, Privilege Misuse and Web Applications represent 81% of incidents | Internal (59%), External (42%), Partner (4%), and Multiple parties (3%) | Financial (83%), Fun (6%), Convenience (3%), Grudge (3%), and Espionage (2%) | Medical (72%), Personal (34%), Credentials (25%)
Information | Miscellaneous Errors, Web Applications, and Cyber-Espionage represent 83% of breaches | External (56%), Internal (44%), Partner (2%) | Financial (67%), Espionage (29%) | Personal (47%), Credentials (34%), Secrets (22%)
Manufacturing | Cyber-Espionage, Web Applications, and Privilege Misuse represent 71% of breaches | External (75%), Internal (30%), Multiple parties (6%), Partner (1%) | Financial (68%), Espionage (27%), Grudge (3%), Fun (2%) | Credentials (49%), Internal (41%), Secrets (36%)
Professional, Technical and Scientific Services | Web Applications, Everything Else, and Miscellaneous Errors represent 81% of breaches | External (77%), Internal (21%), Partner (5%), Multiple parties (3%) | Financial (88%), Espionage (14%), Convenience (2%) | Credentials (50%), Internal (50%), Personal (46%)
Retail | Web Applications, Privilege Misuse, and Miscellaneous Errors represent 81% of breaches | External (81%), Internal (19%) | Financial (97%), Fun (2%), Espionage (2%) | Payment (64%), Credentials (20%), Personal (16%)
Source: Verizon, 2019 Data Breach Investigations Report
Finally, according to Kaspersky Lab, Evolution of Cyber Threats in the Corporate Sector, the targeted attacks on business have evolved as follows:
• Financial organizations such as banks, funds and exchange-related companies, including cryptocurrency exchanges, have been subjected to attacks by cybercriminals.
• The attacks are meticulously planned. For example, the cybercriminals study the interests of potential victims (e.g. employees at the targeted company) and identify the websites they are most likely to visit; they examine the targeted company’s contacts, equipment and service providers.
• The information collected at the preparation stage is put to use. The attackers hack the legitimate websites that have been identified and the business contact accounts of the targeted company’s employees. The sites and accounts are used for several hours to distribute malicious code, after which the infection is deactivated. This means that the cybercriminals can re-use the compromised resources later.
• Signed files and legitimate software are used to collect information from the attacked network.
• Attackers often use malicious files signed with valid digital certificates.
• Attackers use legitimate programs in attacks, allowing them to go undetected for longer periods.
• Attacks are diversifying to include small and medium-sized businesses.
Real-World Case: TJX Companies Inc.
The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016
Hackers who stole 45 million customer records including millions of credit card numbers from The TJX Companies
Inc. did so by breaking into the retail company's wireless local area network (LAN).
TJX had secured its wireless network using Wired Equivalent Privacy (WEP) - one of the weakest forms of security
for wireless LANs. According to The Wall Street Journal, hackers cracked the WEP encryption protocol used to
transmit data between price-checking devices, cash registers, and computers at a store in Minnesota. The
intruders then collected information submitted by employees logging on to the company's central database in
Massachusetts, stealing usernames and passwords. With that information, the hackers set up their own accounts
on TJX's system. Over an 18-month period, their software collected transaction data, including credit card
numbers, into approximately 100 large files. Analysts estimated that the breach would cost the company
approximately $1 billion, excluding any litigation costs.
III. Challenges in the Cyber World
Overview
Cyberattacks are becoming more destructive globally. In today’s cybercrime environment, the issue is not whether a business will be compromised, but rather how successful or damaging an attack will be. The increasing pace of technological change accelerates cyber threats, and many organizations are suffering cyber losses because they did not get the basics right. From insufficient board involvement (or readiness/awareness) to poor system configurations and inadequate controls over third parties with access to their network, companies are often leaving the cyber door wide open for intruders. As cybercriminals become more sophisticated in their efforts to target their victims, organizations must also grow their capabilities to successfully combat and defeat them.
In a 2017 survey, CEOs at Fortune 500 companies revealed that their top threats and challenges are the pace of technological change and cybersecurity. Cyber threats create a great cost and resource drain. According to the Gemalto Breach Level Index, over 2.6 billion data records were compromised globally in 2017. Fortune Magazine estimated that cyberattacks cost businesses $400 billion every year. In addition, there will be an estimated shortfall of 1.5 million professionals in the global information security workforce within five years.
It is vital that executives accept more responsibility for managing and mitigating cybercrime risks and set an
appropriate tone at the top. Management must instill a cyber risk-aware culture and ensure that all departments
are aligned in the fight against fraud. This is key to succeeding in today’s environment. Yet, despite how much is at
risk, C-level executives and boards are still reluctant to tackle cybersecurity issues. Although reasons vary by
organization, EY identified the following most significant obstacles:
Cybersecurity Obstacles for Executives & Boards
➢ A crowded agenda
Cybersecurity is just one of many pressing issues demanding board-level engagement, particularly
in a time of ongoing economic volatility.
➢ The IT silo
Cybersecurity has traditionally been thought of as an IT issue that focuses on protecting the IT
systems that process and store information, rather than on the strategic value of the information
itself.
➢ “Not our problem”
Cybersecurity has been seen as a significant problem only in select sectors such as the military or
financial services. But if your sector relies on digital data to operate and compete, your information
and IT systems are worthy of appropriate risk management.
➢ Difficult to gauge
Unlike many types of organizational risk, cyber threats are hard to predict, making the risks and
potential impact difficult to gauge. Senior leaders may feel they lack the expertise necessary to
make enterprise-wide decisions or may be wary of being pulled too deeply into technical processes.
➢ Invisible pay-off
In the face of competing demands for scarce resources, it can be hard for executive leadership to
invest money, people and time in the unknown and unpredictable rather than in shareholder
deliverables or more obvious needs.
➢ Wrong priorities
Organizations have overinvested in preventative controls at the expense of detect/response
capability.
Source: EY - Cyber Program Management: Identifying ways to get ahead of cybercrime, 2014
Engagement of Leadership
The responsibility for addressing cyber vulnerabilities starts at the top. The CEO and boards are responsible for
ensuring the company designs and implements an effective cybersecurity program. However, many boards are
not sufficiently proactive regarding cyber threats. According to PwC, almost half of all boards still view
cybersecurity as an IT matter, rather than as an enterprise-wide risk issue. The survey responses were from more
than 500 executives in U.S. businesses, law enforcement services, and government agencies. 30% of respondents
said their senior security executive makes quarterly security presentations. However, one in five (20%)
respondents stated their Chief Information Security Officer (CISO) or Chief Security Officer (CSO) makes a security
presentation to the board only once a year. Even worse, 29% of respondents said their security leaders make no
presentation at all.
The National Association of Corporate Directors recommends that risk oversight be a function of the full board
because the crucial link between strategy and risks needs a full commitment. Therefore, it was troubling to
note that 30% of respondents said no board members are engaged in cyber risks. Only 15% of respondents said
the audit committee is engaged in cyber risks, which is surprisingly low considering that cybersecurity has become
one of the hot topics on the audit committee’s agenda in the past several years. One explanation for the
comparatively weak engagement of the audit committee members may be that they lack a deep knowledge of
technical issues. The audit committee often oversees risk management activities and monitors management’s
policies and procedures. It plays a significant strategic role in coordinating cyber risk initiatives and policies and
confirming their efficiency. Thus, the audit committee should be aware of cybersecurity trends, regulatory
requirements, and major threats to the organization. The audit committee must ask questions about the state of
specific security programs to determine an organization’s tolerance for risk and to evaluate the decisions made
by management. Examples of questions that the audit committee needs to ask management include:
• Has the company experienced an increase in the number of security breaches?
• Who are the company’s likely threat actors?
• Has the company assessed the insider threat (e.g. BYOD, supply-chain threats)?
• Does the company have a security framework to guard against known and emerging threats?
• Can we detect malicious or unauthorized activities, and can we act and recover quickly to minimize the
impact?
• Does the company have cyber insurance? If yes, does it provide adequate coverage?
• How does the company know what data is leaving the company and what monitoring controls are in
place?
• How does the company detect malicious or unauthorized activities?
• Is there an ongoing, company-wide awareness and training program established around cybersecurity?
As noted, compounding the problem is the fact that many boards and management still perceive cybersecurity as
strictly an IT issue. Not only does this perception increase an organization’s potential exposure to attack, but it
also widens the communications gap between those charged with protecting the enterprise and those whose
obligations are to ensure a return to investors and shareholders, while maintaining strong corporate governance.
The CEO and the board should take ultimate ownership of the cybersecurity program. It is critical that cybercrime
rank high on the agenda items discussed with the CEO and the board on a regular basis. Research statistics indicate
that the most senior people within organizations are not placing enough emphasis on the importance of managing
the real threats that cybercrime presents to their organizations. PwC also identified the following reasons why
boards should actively oversee cybersecurity issues:
• Incidents can impact an organization’s global operations as the effect of cybersecurity is systemic.
• The financial impact can be significant and can include costly class-action lawsuits, which may reflect on
boards’ fiduciary responsibility to preserve corporate financial value.
• As regulations evolve, compliance is becoming more challenging and increasingly costly. For example, the
European Union’s Data Protection Directive includes a proposal for fines of up to 5% of a company’s global
revenue.
• The IoT has brought new threats, including compromise of industrial controls and smart building systems
that can cause extreme risks and tremendous physical damage.
• Cybersecurity insurance should be considered as a regulatory hedge against cyber risks.
• Adversaries such as nation-states and organized crime are working together to attack organizations for
economic sabotage, theft of trade secrets, money laundering, terrorism, and military and intelligence
operations.
• Cyberattacks can result in substantial financial losses and damaged brand reputation by disrupting an
organization’s strategic objectives, such as a planned merger or acquisition, the launch of a new product,
or a business deal with a potential customer.
Managing Cyber Risks
Cybersecurity should be treated as a corporate risk issue rather than just an IT risk. However, a recent EY study
suggests that many board members generally do not understand their organization’s digital footprint well enough
to properly assess the risks. Although technology officers are able to provide relevant data, such as the number
of attempted breaches, it can be difficult to convert the data into meaningful information that could help boards
better understand the possible risks facing the organizations. In addition, board members may not know how to
evaluate the quality of the information received or ask the right questions. A lack of deep knowledge of technical
issues can lead to hesitation and inaction, which can damage the company’s brand and/or reputation, disrupt
business continuity, and lead to financial and legal ramifications.
Executives and boards must get up to speed in understanding and appropriately managing cybersecurity activities
and related obligations. Best practices suggest that a comprehensive oversight program can help companies
streamline board reporting, integrate the multi-department activities required to mitigate operational cyber risks
and demonstrate that reasonable security protocols and procedures are in place. EY suggested that the board
should consider asking the following key questions:
• Where does our risk appetite collide with current and anticipated regulations?
• How do we compare to others?
• What gains in efficiency have been made?
• What are the succession plans for key cybersecurity talent?
• What is the cyber risk impact of strategic decision X that is being considered?
Organizations that treat cybersecurity as a matter of enterprise-wide risk demonstrate to external stakeholders
that they understand their security and risk obligations and intend to be a good corporate citizen. Only after
cybersecurity is incorporated into the organization’s overall risk management structure can executive leadership
have confidence that their single most important business asset - information - is sufficiently protected against
the threats of today and tomorrow.
Areas of Focus for an Organization’s Cybersecurity
✓ Architecture
✓ Asset management
✓ Awareness
✓ Business continuity management
✓ Data infrastructure
✓ Data protection
✓ Governance and organization
✓ Host security
✓ Identity and access management
✓ Incident management
✓ Metrics and reporting
✓ Network security
✓ Operations
✓ Policy and standards framework
✓ Privacy
✓ Security monitoring
✓ Software security
✓ Strategy
✓ Third-party management
✓ Threat and vulnerability management
Source: EY - Cyber Program Management: Identifying ways to get ahead of cybercrime, 2014
The 2016-2017 NACD Public Company Governance Survey revealed the following top 10 cyber-risk oversight
practices being performed by the boards over the previous 12 months:
1. Reviewed the company’s current approach to protecting its most critical data assets
2. Reviewed the technology infrastructure used to protect the company’s most critical data assets
3. Communicated with management about the types of cyber-risk information the board requires
4. Reviewed the company’s response plan in the case of a breach
5. Assessed risks associated with third-party vendors or suppliers
6. Assessed risks associated with employee negligence or misconduct
7. Assigned clearly defined roles to its standing committees with regard to cyber risk oversight
8. Leveraged internal advisors, such as internal auditors or the general counsel, for in-depth briefings
9. Discussed the legal implications of a breach
10. Reviewed the scope of cyber coverage in the case of an incident
EY further indicated that business leaders should consider whether the organization’s cybersecurity framework
could respond to the following issues:
What business leaders are asking about their cybersecurity readiness
➢ Regulatory risk
How will governments and regulators respond to the increasing threat of information risk?
➢ Geopolitical shocks
What is our organization’s exposure to these shocks? How responsive is our IT organization?
➢ Reputation risk
How would a cyberattack affect our reputation and brand?
➢ Control failures
Could gaps or weaknesses in our IT controls and security be contributing factors?
➢ Information risk
How will our organization address the key risk areas of security, resilience and data leakage?
➢ Expansion in emerging markets
Does increasing our company’s footprint add to the challenge of business continuity?
➢ Reshaping the business
How much would our information risk profile change?
➢ Shared service centers
Would using third parties or shared service centers increase risks to our security and IT sourcing?
➢ IP and data security
Is our organization covered against data leakage, loss, and rogue employees?
➢ Acquisitions and integration
How successful are our organization’s investments if we’re unable to integrate the information
belonging to an acquired company?
➢ Hitting the headlines
Hacktivists are ideological by nature. How might issues such as tax policy, pay and environmental
management result in our company becoming a cyber target?
Source: EY - Cyber Program Management: Identifying ways to get ahead of cybercrime, 2014
Real-World Case: Office of Personnel Management
In June 2015, the US Office of Personnel Management (OPM) announced that it had been the target of a data
breach targeting the records of as many as four million people. The FBI later determined the number of individuals
targeted was expected to reach 18 million. The data breach, which started in March 2014 (or earlier), was noted
by the OPM in April 2015. It has been described by federal officials as being among the largest breaches of
government data in the history of the U.S.
The OPM had been warned multiple times of security vulnerabilities and failings. A March 2015 OPM Office of
the Inspector General’s semi-annual report to Congress warned of “persistent deficiencies in OPM’s information
system security program,” including “incomplete security authorization packages, weaknesses in the testing of
information security controls, and inaccurate Plans of Action and Milestones.”
Information targeted in the breach included personally identifiable information such as Social Security numbers,
as well as names, dates, and places of birth, and addresses. The hack went deeper than initially believed and likely
involved the theft of detailed security clearance-related background information. As of July 9, 2015, the estimate
of the number of stolen records had increased to 21.5 million. This included records of people who had undergone
background checks but were not necessarily current or former government employees. The stolen data included
5.6 million sets of fingerprints.
Soon after, Katherine Archuleta, the director of OPM and former National Political Director for Barack Obama’s
2012 reelection campaign, resigned. A July 22nd, 2015 memo by Inspector General Patrick McFarland said that
OPM’s Chief Information Officer Donna Seymour was slowing his investigation into the breach, leading him to
wonder whether or not she was acting in good faith. In February 2016, Donna Seymour resigned, just two days
before she was scheduled to testify before a House panel that was continuing to investigate the data breach.
Internet of Things - Security Concerns
Everything from refrigerators to baby monitors to sprinkler systems is interconnected, and while these devices
have made life easier, they have also created new attack targets for hackers. According to Cloud Security Alliance,
Security Guidance for Early Adopters of the Internet of Things, traditional enterprise security solutions do not
sufficiently address the IoT security concerns and challenges, including:
• Increased privacy concerns that are often confusing
• Platform security limitations that make basic security controls challenging
• Ubiquitous mobility that makes tracking and asset management a challenge
• Mass quantities that make routine update and maintenance operations a challenge
• Cloud-based operations that make perimeter security less effective
According to a Business Insider Intelligence Survey, 39% of the respondents said that security is the biggest concern
in adopting IoT technology. IoT also suffers from platform fragmentation and a lack of technical standards. The
variety of IoT devices, in terms of both hardware variations and differences in the software running on them,
makes the task of developing applications difficult.
IV. Government Acts to Enhance Cybersecurity
An Overview of Key Legislation
Cybersecurity is one of the most serious economic and national security challenges facing the U.S. and the world
today. As cyber threats have become more sophisticated, and attacks have increased each year, the public is
increasingly aware of the gaping threats facing our nation’s critical infrastructure, national defense, and financial
system in the digital realm. Increased access to the internet opens up vulnerabilities that allow our adversaries
to potentially cause catastrophic economic and physical harm to our country. Cybersecurity legislation has been
a topic of interest on Capitol Hill for a number of years. Congress has introduced hundreds of bills and held many
hearings examining cybersecurity challenges and vulnerabilities to governments, businesses, and our international
partners. Some significant laws that Congress has passed to address cybersecurity include:
➢ The Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, which prohibits various attacks
on federal computer systems and on those used by banks and in interstate and foreign commerce.
➢ The Electronic Communications Privacy Act of 1986, which prohibits unauthorized electronic eavesdropping.
➢ The Computer Security Act of 1987, which gave the National Institute of Standards and Technology (NIST)
responsibility for developing security standards for federal computer systems, except the national security
systems that are used for defense and intelligence missions, and gave responsibility to the Secretary of
Commerce for promulgating security standards.
➢ The Paperwork Reduction Act of 1995, which gave the Office of Management and Budget (OMB) responsibility
for developing cybersecurity policies.
➢ The Clinger-Cohen Act of 1996, which made agency heads responsible for ensuring the adequacy of agency
information security policies and procedures, established the chief information officer (CIO) position in
agencies and gave the Secretary of Commerce authority to make promulgated security standards mandatory.
➢ The Homeland Security Act of 2002 (HSA), which gave the Department of Homeland Security (DHS) some
cybersecurity responsibilities in addition to those implied by its general responsibilities for homeland security
and critical infrastructure.
➢ The Cyber Security Research and Development Act, also enacted in 2002, which established research
responsibilities in cybersecurity for the National Science Foundation (NSF) and NIST.
➢ The E-Government Act of 2002, which serves as the primary legislative vehicle to guide federal information
technology (IT) management and initiatives to make information and services available online, and includes
various cybersecurity requirements.
➢ The Federal Information Security Management Act of 2002 (FISMA), which clarified and strengthened NIST
and agency cybersecurity responsibilities, established a central federal incident center and made OMB, rather
than the Secretary of Commerce, responsible for promulgating federal cybersecurity standards.
➢ The Cybersecurity Information Sharing Act of 2015, which is intended to encourage and facilitate the sharing
of security threat and defensive measure information with government agencies and other companies, in
order to strengthen the country’s overall cybersecurity protections. The Act, arguably the most significant
piece of federal cyber-related legislation enacted to date, establishes a mechanism for cybersecurity
information sharing among private-sector and federal government entities. It also provides safe harbors from
liability for private entities that share cybersecurity information in accordance with certain procedures, and it
authorizes various entities, including outside the federal government, to monitor certain information systems
and operate defensive measures for cybersecurity purposes.
According to Congressional Research Services, legislation introduced since the 111th Congress has addressed 10
key areas and proposed changes to current laws:
Legislation Addressed Key Areas Related to Cybersecurity
1. National strategy and the role of government;
2. Reform of FISMA;
3. Protection of critical infrastructure (including the electricity grid and the chemical industry);
4. Information sharing and cross-sector coordination;
5. Breaches resulting in theft or exposure of personal data such as financial information;
6. Cybercrime;
7. Privacy in the context of electronic commerce;
8. International efforts;
9. Research and development; and
10. The cybersecurity workforce.
Source: Congressional Research Services - Cybersecurity: Authoritative Reports and Resources
The government also has directed a series of actions to continue strengthening cybersecurity and modernizing
agencies’ technology infrastructure to address this ever-growing problem, i.e. the increasing severity of cyber
threats. These efforts are highlighted in the following key events on the White House website:
➢ Make cybersecurity one of the Administration’s first cross-agency priority management goals, which is
“Improve cybersecurity performance through ongoing awareness of information security, vulnerabilities, and
threats impacting the operating information environment, ensuring that only authorized users have access to
resources and information; and the implementation of technologies and processes that reduce the risk of
malware”;
➢ Spur information sharing through the President’s executive order to encourage the development of
Information Sharing and Analysis Organizations to serve as the hubs for sharing critical cybersecurity
information and promoting collaboration for analyzing this information within and across industry sectors;
➢ The Federal Chief Information Officer initiated a 30-day Cybersecurity Sprint on June 12, 2015. The
Cybersecurity Sprint Team (Sprint Team), led by the Office of Management and Budget, was comprised of
representatives from the National Security Council, the Department of Homeland Security, the Department
of Defense, and other Federal civilian and defense agencies. The Cybersecurity Strategy and Implementation
Plan (CSIP) is the result of a comprehensive review of the Federal Government’s cybersecurity policies,
procedures, and practices by the Sprint Team.
➢ In early 2015 the Federal Chief Information Officers Council and the Chief Acquisition Officers Council created
a working group to review current contract clauses and information technology acquisition policies and
practices around contractor and subcontractor information system security. As a result of the review,
proposed guidance was released. The intent of the proposed guidance is to take major steps toward
implementing strengthened cybersecurity protections in Federal acquisitions and therefore mitigating the risk
of potential incidents in the future; and
➢ The Cybersecurity Information Sharing Act, passed in October 2015, is a US federal law designed to improve
cybersecurity in the US through enhanced sharing of information about cybersecurity threats. Specifically,
the law allows the sharing of internet traffic information between the US government and private technology
and manufacturing companies. The main provisions make it easier for companies to share personal
information with the government, especially in cases of cybersecurity threats, creating a system for federal
agencies to receive threat information from private companies.
Cybersecurity Strategy and Implementation Plan
To strengthen the cybersecurity of federal networks, systems, and data, the Federal Chief Information Officer
(FCIO) initiated a 30-day Cybersecurity Sprint in 2015. The Cybersecurity Sprint Team (Sprint Team), led by the
Office of Management and Budget (OMB), was comprised of representatives from the National Security Council
(NSC), the Department of Homeland Security (DHS), the Department of Defense (DoD), and other Federal civilian
and defense agencies. The initial Sprint memo instructed agencies to implement a number of immediate high-
priority actions to enhance the cybersecurity of Federal information and assets. The Cybersecurity Strategy and
Implementation Plan (CSIP) is the result of the Cybersecurity Sprint, and it incorporates progress-reporting and
corrective actions that are ongoing.
The CSIP consisted of a comprehensive review of the Federal Government’s cybersecurity policies, procedures,
and practices by the Sprint Team. The goal was to identify and address critical cybersecurity gaps and emerging
priorities and make specific recommendations to address these gaps and priorities. The CSIP sought to strengthen
Federal civilian cybersecurity through the following five objectives:
1. Prioritized Identification and Protection of high-value information and assets;
2. Timely Detection of and Rapid Response to cyber incidents;
3. Rapid Incident Recovery and Accelerated Adoption of lessons learned from the Sprint assessment;
4. Recruitment and Retention of the most highly-qualified Cybersecurity Workforce by the Federal
Government, and
5. Efficient and Effective Acquisition and Deployment of Existing and Emerging Technology.
Specifically, the CSIP’s key actions included:
➢ All agencies will continue to identify their high-value assets (HVAs) and critical system architecture in order to
understand the potential impact on those assets from a cybersecurity incident and ensure robust physical and
cybersecurity protections are in place. The identification of HVAs will be an ongoing activity due to the
dynamic nature of cybersecurity risks.
➢ DHS will accelerate the deployment of Continuous Diagnostics and Mitigation (CDM) and EINSTEIN capabilities
to all participating Federal agencies to enhance the detection of cyber vulnerabilities and protection from
cyber threats.
➢ All agencies will improve the identity and access management of user accounts on Federal information
systems to drastically reduce vulnerabilities and successful intrusions.
➢ OMB, in coordination with NSC and DHS, will issue incident response best practices for use by Federal
agencies, incorporating lessons learned from past cybersecurity incidents to ensure future incidents are
mitigated in a consistent and timely manner. The best practices will serve as a living document to be
continuously updated.
➢ The National Institute of Standards and Technology (NIST) will provide updated guidance to agencies on how
to recover from cyber events.
➢ The Office of Personnel Management (OPM) and OMB will initiate several new efforts to improve Federal
cybersecurity workforce recruitment, hiring, and training and ensure a pipeline for future talent is put in place.
➢ The Chief Information Officer (CIO) Council will create an Emerging Technology Sub-Committee to facilitate
efforts to rapidly deploy emerging technologies at Federal agencies.
➢ The President’s Management Council (PMC) will oversee the implementation of the CSIP in recognition of the
key role Deputy Secretaries play in managing cybersecurity within their agencies.
➢ CIOs and Chief Information Security Officers will also have direct responsibility and accountability for the
implementation of the CSIP, consistent with their role of ensuring the identification and protection of their
agency’s critical systems and information.
Executive Order - Critical Infrastructure Cybersecurity
Background
Cybersecurity threats have exploited the increased complexity and connectivity of critical infrastructure systems,
placing the nation’s security, economy, and public safety and health at risk. Similar to financial and reputation
risks, cybersecurity risk affects a company’s bottom line. It can drive up costs, impact revenue, and harm an
organization’s ability to innovate and to gain and retain customers.
To address these risks, in February 2013, the Obama Administration issued Executive Order 13636 (EO 13636),
Improving Critical Infrastructure Cybersecurity. EO 13636 directs the Executive Branch to:
• Develop a technology-neutral voluntary cybersecurity framework
• Promote and incentivize the adoption of cybersecurity practices
• Increase the volume, timeliness, and quality of cyber threat information sharing
• Incorporate strong privacy and civil liberties protections into every initiative to secure critical
infrastructure
• Explore the use of existing regulations to promote cybersecurity
EO 13636 defined critical infrastructure as:
“The vital systems and assets in the US such that the incapacity or destruction of such systems and assets would
have a debilitating impact on society, national economic security, national public health or safety, or any
combination of those matters.”
The critical infrastructure sectors include both public and private owners and operators. Members of each critical
infrastructure sector perform functions that are supported by information technology (IT) and industrial control
systems (ICS). This reliance on technology, communication, and the interconnectivity of IT and ICS has changed
and expanded the potential vulnerabilities and increased potential risk to operations.
US Critical Infrastructure
1. Chemicals
2. Commercial facilities
3. Communications
4. Critical manufacturing
5. Dams
6. Defense industrial base
7. Emergency services
8. Energy
9. Financial services
10. Food & agriculture
11. Government facilities
12. Healthcare & public health
13. Information technology
14. Nuclear reactors, materials, & waste
15. Transportation systems
16. Water & wastewater systems
Source: Department of Homeland Security - Critical Infrastructure Sector
EO 13636 directed the National Institute of Standards and Technology (NIST) to work with stakeholders in
developing a voluntary framework based on existing standards, guidelines, and practices, for reducing cyber risks
to critical infrastructure. As a result, in February 2014, the NIST released Framework for Improving Critical
Infrastructure Cybersecurity Version 1.0, commonly known as the Cybersecurity Framework (the Framework). The
Framework is risk-based and serves as a foundation both for organizations and for future cybersecurity
regulation. It was created through collaboration between government and the private sector, and it uses a
common language to address and manage cybersecurity risk in a cost-effective way based on business needs.
Moreover, it leverages and integrates industry-leading cybersecurity practices that have been developed by
organizations such as the NIST and the International Standards Organization (ISO).
Summary of the Key Provisions
Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
A central requirement of the EO was the establishment of a voluntary Cybersecurity Framework (the Framework)
for reducing cyber risks to critical infrastructure entities. The EO directed the NIST to lead the development of the
Framework that would include a set of standards, methodologies, procedures, and processes that align with
policy, business, and technological approaches to address cyber risks. To enable critical infrastructure entities to
benefit from a robust, competitive market for cyber services and products, the Framework itself must be
“technology-neutral.” In addition, to be consistent with the EO, the resulting Framework must also:
• Identify potential opportunities for improvement through future collaboration with particular critical
infrastructure sectors and standards-making organizations;
• Provide guidance for measuring the performance of an entity implementing the voluntary Framework,
and
• Include methodologies to identify and mitigate the impact of the Framework’s recommended
cybersecurity measures or controls on business confidentiality and individual privacy and civil liberty
concerns.
Although NIST is the designated lead for the development of the Framework, NIST engages extensively with other
stakeholders and interested parties to ensure the process is collaborative. NIST summarized key stakeholder
inputs shaping the development of the Framework, including:
• The language of the Framework and how it is communicated is critical to success;
• The fact that the Framework must reflect the characteristics of people, processes, and technologies;
• The fact that the Framework must be inclusive and not disruptive of good cyber practices currently in
use;
• The fact that the Framework must include fundamental aspects;
• The fact that the determination of risk tolerance for critical infrastructure entities must be informed by
national interests, and
• The fact that the threat information that is shared must inform the Framework implementation.
It is important to know that the Framework complements, and does not replace, an organization’s risk
management and cybersecurity program. An organization can use its current processes to leverage the
Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while
aligning with industry practices. In February 2014, NIST issued the Framework for Improving Critical Infrastructure
Cybersecurity Version 1.0. Details of the Framework are discussed later in the “Cybersecurity Framework Best
Practice: The NIST Framework” chapter.
The EO expressly requires NIST, consistent with its statutory responsibilities, to review and update the
Cybersecurity Framework and related guidance “as necessary, taking into consideration technological changes,
changes in cyber risks, operational feedback from owners and operators of critical infrastructure, experience from
the implementation of the Framework, and any other relevant factors.”
Cybersecurity Information Sharing
The EO encouraged a renewed commitment to exchange information between critical infrastructure entities and
the government. The goal was to increase the volume, timeliness, and quality of cyber threat information shared
with U.S. private sector entities. The EO delegated to the DHS and the Director of National Intelligence the
responsibility to develop the Enhanced Cybersecurity Services program. The goal here is to ensure the timely
production of unclassified reports of cyber threats to the U.S. homeland, identify a specific targeted entity, and to
establish processes for rapidly sharing those reports with the targeted entity. The program is a voluntary sharing
program that permits critical infrastructure entities to exchange information with the government related to cyber
threats.
DHS’s goal is to use the program to disseminate a broad range of sensitive and classified cyber threats information
through DHS’s network of intra-government cybersecurity organizations. The information would be distributed
to qualified Commercial Service Providers who are authorized to receive classified information, in order to help
protect their customers.
However, cyber threat information exchange programs face the following challenges:
Challenges of Cyber Threat Information Exchange Programs
Reporting Liabilities: Although most of the programs include procedures to protect the anonymity of reporting companies, participants remain concerned about potential reporting liabilities. For example, companies are wary of the potential improper disclosure of sensitive or proprietary company information to other industry competitors, as well as the disclosure of threat or breach information in a manner that could cause reputational harm.
Exposure to Tort-Related Claims: Where incident reporting involves potential gaps or vulnerabilities in a third party’s hardware or software application (e.g., vulnerabilities in a server architecture or malware detection program), companies are highly concerned about the exposure to tort-related claims by the third-party manufacturer or developer.
Personal Privacy: Personal privacy risks also loom large in any discussion of voluntary disclosure programs, as threat disclosures often entail sharing consumer information and personal data with the Government.
Limitations to Share Classified Information: There are practical limitations on DHS’s and DoD’s ability to share classified intelligence with industry participants. Classification levels limit the audience’s capability to receive classified threat information and slow the process of disseminating the information.
The Limited Scope of Information Sharing: Whether the scope of the EO’s information-sharing program, which is limited to critical infrastructure entities, is too narrow and could unintentionally shift the frontline of the cyber battleground to smaller companies, where vendors and support contractors who do not fall under the protections of the EO could become unwitting “back doors” to the critical systems they serve.
Source: The Cybersecurity Executive Orders: Implementation Efforts in the First 250 Days
Cybersecurity Systems and Risk Reporting Act
HR 5069, the Cybersecurity Systems and Risks Reporting Act, was introduced in the House in April 2016. The bill
would have amended the Sarbanes-Oxley Act of 2002 (SOX) to apply to cybersecurity systems and cybersecurity
systems officers. In general, requirements for “the principal financial officer or officers” would be extended to
the “cybersecurity systems officer or officers.” The bill defines cybersecurity systems as:
“A set of activities or state, involving people, processes, data or technology, whereby the protection of an
information system of the issuer is secured from, or defended against, damage, unauthorized use or modification,
misdirection, disruption or exploitation.”
Here is what the bill proposed:
➢ The definition of an audit is changed by adding information systems to financial statements, i.e. auditing
information systems and financial statements.
➢ The audit committee would be responsible for reviewing financial and cybersecurity systems reporting
processes.
➢ The definition of professional standards would be modified to add cybersecurity systems standards and
practices.
➢ Three new terms are defined, including information systems, cybersecurity systems, and cybersecurity risk.
➢ Information systems are a set of activities involving people, processes, data or technology which enable the
user to obtain, generate, use and communicate information.
➢ The responsibility for information systems is added to the existing responsibility for financial reports.
➢ That requirement is also imposed on the principal cybersecurity systems officer.
➢ The assessment of information system controls is added to the existing internal control assessment, which would
have to state that adequate internal control and cybersecurity systems structures and procedures exist for financial and information systems reporting.
➢ The disclosure of cybersecurity systems experts on the audit committee is required.
➢ The SEC is required to define “cybersecurity expert”.
➢ The SEC is required to review an issuer’s information systems and cybersecurity systems statements.
Although the bill did not pass in 2016, it is clear that the board and management need to be held accountable for
managing cyber risk just as they are responsible for managing the remainder of existing financial risks. Cyber risk
is just another form of risk, which should be part of the financial audit process, especially when a cyber breach
has a significant impact on the financial statements.
Real-World Case: Ukraine Power Grid Attack
The following case is extracted from the United Kingdom’s 2016 National Security Strategy.
A cyberattack on western Ukrainian electricity distribution companies Prykarpattya Oblenergo and Kyiv Oblenergo
on December 23, 2015, caused a major power outage, with disruption to over 50 substations on the distribution
networks. The region reportedly experienced a blackout for several hours and many other customers and areas
sustained lesser disruptions to their power supplies, affecting more than 220,000 consumers.
The use of the BlackEnergy3 malware has been blamed by some for the attack after samples were identified on
the network. At least six months before the attack, attackers had sent phishing emails to the offices of power
utility companies in Ukraine containing malicious Microsoft Office documents. However, the malware was not
likely to have been responsible for opening the circuit breakers which resulted in the outage. It is probable that
the malware enabled the attackers to gather credentials that allowed them to gain direct remote control of
aspects of the network, which would subsequently enable them to trigger the outage.
This Ukraine incident is the first confirmed instance of a disruptive cyberattack on an electricity network.
A Byte Out of History - $10 Million Hack, 1994-Style
www.fbi.gov Stories January 21, 2014
It was hardly the opening salvo in a new era of virtual crime, but it was certainly a shot across the bow.
Two decades ago, a group of enterprising criminals on multiple continents—led by a young computer programmer
in St. Petersburg, Russia—hacked into the electronic systems of a major U.S. bank and secretly started stealing
money. No mask, no note, no gun—this was bank robbery for the technological age.
Our case began in July 1994, when several corporate bank customers discovered that a total of $400,000 was
missing from their accounts. Once bank officials realized the problem, they immediately contacted the FBI.
Hackers had apparently targeted the institution’s cash management computer system—which allowed corporate
clients to move funds from their own accounts into other banks around the world. The criminals gained access by
exploiting the telecommunications network and compromising valid user IDs and passwords.
Working with the bank, we began monitoring the accounts for more illegal transfers. We eventually identified
approximately 40 illegal transactions from late June through October, mostly going to overseas bank accounts and
ultimately adding up to more than $10 million. Meanwhile, the bank was able to get the overseas accounts frozen
so no additional money could be withdrawn.
The only location where money was actually transferred within the U.S. was San Francisco. Investigators
pinpointed the bank accounts there and identified the owners as a Russian couple who had previously lived in the
country. When the wife flew into San Francisco and attempted to withdraw funds from one of the accounts, the
FBI arrested her and, soon after, her husband. Both cooperated in the investigation, telling us that the hacking
operation was based inside a St. Petersburg computer firm and that they were working for a Russian named
Vladimir Levin. (See the sidebar for more on the San Francisco angle of the case from one of the agents who
worked it.)
We teamed up with Russian authorities—who provided outstanding cooperation just days after a new FBI legal
attaché office had been opened in Moscow—to gather evidence against Levin, including proof that he was
accessing the bank’s computer from his own laptop. We also worked with other law enforcement partners to
arrest two co-conspirators attempting to withdraw cash from overseas accounts; both were Russian nationals
who had been recruited as couriers and paid to take the stolen funds that had been transferred to their personal
accounts.
In March 1995, Levin was lured to London, where he was arrested and later extradited back to the United States.
He pled guilty in January 1998.
Believed to be the first online bank robbery, the virtual theft and ensuing investigation were a needed wakeup
call for the financial industry…and for law enforcement. The victim bank put corrective measures in place to shore
up its network security. Though the hack didn’t involve the Internet, the case did generate media coverage that
got the attention of web security experts. The FBI, for its part, began expanding its cybercrime capabilities and
global footprint, steadily building an arsenal of tools and techniques that help us lead the national effort to
investigate high-tech crimes today.
Reflections of a Case Investigator
Special Agent Andrew Black, who back in 1994 was part of a white-collar crime squad in the FBI’s San Francisco
Office, recalled that he became involved in the New York-based investigation when it was discovered that some
of the money moved out of the bank by the hacker ended up in several San Francisco bank accounts.
“At the time,” Black said, “we didn’t have a cybercrime team in the office, so the white-collar crime route seemed
the most logical way to go.” He remembered that in August 1994, after identifying the owners of the bank
accounts as Russian nationals Evygeny and Ekaterina Korlokova—who had an apartment in San Francisco—
Ekaterina attempted to withdraw funds from one of the accounts. “Because the account had been frozen, she
wasn’t able to get the money,” he said. Ekaterina went back to her apartment and started packing her bags. Black
said when he and an FBI interpreter went to her residence to arrest her, her suitcases were in the hallway and she
had a one-way ticket to Russia.
And where was her husband? Black said Evygeny had flown back to Russia, “leaving his young wife alone in the
U.S. to withdraw the illegal funds from their bank accounts.” But Ekaterina, who agreed to cooperate in the
investigation, managed to convince him to return—according to Black, she “read him the riot act over the
phone…in Russian, of course.” He returned, was arrested, and agreed to cooperate as well.
Black remembered that the case garnered a great deal of attention at the time, “which was good because it
resulted in a lot more focus on network security.” And after it ended, he gave presentations on it to raise general
awareness of an emerging criminal threat. “There was a particularly high demand for the presentation from the
banking industry,” he added. And in 1995, Black was asked to become a part of the San Francisco FBI’s newly
formed computer intrusion squad…one of the Bureau’s first.
V. Cybersecurity Standards
Cybersecurity standards have existed for several decades. Users and providers of these standards have
collaborated in many domestic and international forums. The standards are techniques or technologies that
attempt to protect the cyber environment by reducing risks, including around the prevention or mitigation of
cyberattacks. They may include tools, policies, security concepts, security safeguards, guidelines, risk
management approaches, actions, training, best practices, and technologies. Highlights of widely recognized
cybersecurity standards are discussed in the following sections.
ISO/IEC 27001:2013
An information security management system (ISMS) preserves the confidentiality, integrity and availability of
information by applying a risk management process. It provides confidence to interested parties that risks are
adequately managed. The establishment and implementation of an organization’s ISMS are influenced by the
organization’s needs and objectives, security requirements, the processes employed and the size and structure of
the organization. All of these influencing factors are expected to change over time. Therefore, it is important that
information security is considered in the design of an organization’s processes, information systems, and controls.
In October 2013, the International Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC), the specialized system for worldwide standardization, published the latest version of ISO/IEC
27001:2013. The official title of the standard is Information technology − Security techniques − Information
security management systems − Requirements, which is part of the growing ISO/IEC 27000 family of standards.
• This latest version of ISO/IEC 27001 puts more emphasis on measuring and evaluating how well an
organization’s ISMS is performing.
• There is also a new section on outsourcing, which reflects the fact that many organizations rely on third
parties to provide some aspects of IT.
• In general, the latest version is relevant to the challenges of modern-day business. It is based on a high-
level structure, which is a common framework for all revised and future ISO management system
standards.
ISO/IEC 27001:2013 Mandatory Clauses and Controls
Clause 4 - Context of the Organization (8 controls)
• Identify all external and internal issues relevant to the organization and its information, or information that is entrusted to it by third parties;
• Establish all interested parties and stakeholders and how they are relevant to the information;
• Identify the requirements of interested parties, which could include legal, regulatory and/or contractual obligations;
• Define the scope of the ISMS, linked with the strategic direction of the organization, its core objectives and the requirements of interested parties, and
• Demonstrate to the organization how to establish, implement, maintain and continually improve the ISMS in relation to the standard.
Clause 5 - Leadership (19 controls)
Top management demonstrates leadership and commitment by:
• Establishing the ISMS and the information security policy, and
• Ensuring that the information security policy is compatible with the strategic direction of the organization and that these are made available, communicated, maintained and understood by all parties.
Clause 6 - Planning (39 controls)
This clause:
• Outlines how an organization plans actions to address risks to information;
• Focuses on how an organization deals with information security risk; the treatment needs to be proportionate to the potential impact the risks have, and
• Discusses the need to establish information security objectives; the standard defines the properties that information security objectives must have.
Clause 7 - Support (28 controls)
This clause focuses on getting the right resources and the right infrastructure in place:
• All personnel should be aware of the information security policy, how they contribute to its effectiveness and the implications of not conforming;
• Internal and external communications relevant to information security and the ISMS are appropriately communicated, and
• Determine the level of documented information necessary to control the ISMS.
Clause 8 - Operation (9 controls)
This clause is all about the execution of the plans and processes that are the subject of the previous clauses, such as:
• Dealing with the execution of the actions determined and the achievement of the information security objectives;
• Identifying and controlling outsourced processes and functions, and
• Dealing with the performance of information security risk assessments at planned intervals.
Clause 9 - Performance Evaluation (29 controls)
This clause is all about monitoring, measuring, analyzing and evaluating the ISMS to ensure that it is effective and remains so.
Clause 10 - Improvement (16 controls)
• How the organization reacts to nonconformities, takes action, corrects them, and deals with the consequences;
• How the organization will eliminate the causes of such nonconformities so they do not occur elsewhere, and
• Demonstrate continual improvement of the ISMS.
Total control points: 148
Since the publication of the 2005 version and its update in 2013, the number of ISO/IEC 27001 certificates granted
has grown every year. For example, based on the annual ISO Survey of Management System Standard
Certifications 2017, a total of 39,501 ISO 27001 certificates were issued, representing an increase of 19% from the
previous year. There is a clear trend towards increasing the number of certifications not only around the world
but also in the U.S.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (Framework) is voluntary guidance, based on existing standards, guidelines,
and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. Version 1.0
of the Framework, issued in February 2014, was prepared by the National Institute of Standards and Technology
(NIST) with extensive private sector input. More than 3,000 people from diverse parts of industry, academia, and
government participated in workshops and webinars around the country that helped to develop the Framework. The
Framework was developed in response to Executive Order 13636, which outlines responsibilities for Federal
Departments and Agencies to aid in improving critical infrastructure cybersecurity.
CIS Critical Security Controls
The Center for Internet Security (CIS) is dedicated to enhancing cybersecurity readiness and response among
public and private sector entities. Led by the CIS, the CIS Critical Security Controls (CIS Controls), aimed at IT users
worldwide, are a prioritized set of cyber practices created to stop today's most pervasive and dangerous
cyberattacks. These include attacks such as credit card breaches, identity theft, ransomware, theft of intellectual
property, loss of privacy, and denial of service. The Controls align with and map to all of the major frameworks and
regulations, such as the NIST Cybersecurity Framework, and are validated by a community of leading global experts.
According to CIS, organizations that apply just the first five CIS Critical Security Controls can reduce their risk of
cyberattack by around 85%. Implementing all 20 CIS Controls increases the risk reduction to around 94%.
Top 5 CIS Controls
CSC 1: Inventory of Authorized & Unauthorized Devices
1.1 Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization’s public and private networks.
1.2 If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory.
1.3 Ensure that all equipment acquisitions automatically update the inventory system as new and approved devices are connected to the network.
CSC 2: Inventory of Authorized & Unauthorized Software
2.1 Devise a list of authorized software and versions that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses.
2.2 Deploy application whitelisting technology that allows systems to run software only if it is included in the whitelist and prevents execution of all other software on the system.
2.3 Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops.
CSC 3: Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations & Servers
3.1 Establish standard secure configurations of the organization’s operating systems and software applications.
3.2 Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise.
3.3 Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the image are possible.
CSC 4: Continuous Vulnerability Assessment and Remediation
4.1 Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risks.
4.2 Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results.
CSC 5: Controlled Use of Administrative Privileges
5.1 Minimize administrative privileges and only use administrative accounts when they are required.
5.2 Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.
Source: Center for Internet Security - The Critical Security Controls
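As an added example (not from the page and not CIS's own tooling), the following Python script shows what Controls 1.1, 1.2 and 5.2 above look like in practice: it parses DHCP server log lines into a lease table, reconciles them against an authorized asset inventory, and checks observed administrative accounts against an approval list. The log lines, MAC addresses, host names, inventory and account names are all constructed for this example.

```python
"""Added example: DHCP-log-driven asset inventory reconciliation (CIS
Controls 1.1-1.2) and administrative account validation (Control 5.2).
All sample data below is constructed; nothing here comes from a real network."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample lines in ISC dhcpd syslog style (hypothetical hosts).
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[1422]: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
Mar  3 09:12:09 dhcp1 dhcpd[1422]: DHCPACK on 10.20.1.16 to 00:1a:2b:3c:4d:5f (ws-finance-08) via eth0
Mar  3 09:13:44 dhcp1 dhcpd[1422]: DHCPDISCOVER from 8c:85:90:aa:bb:cc via eth0
Mar  3 09:13:45 dhcp1 dhcpd[1422]: DHCPACK on 10.20.1.77 to 8c:85:90:aa:bb:cc (iphone-guest) via eth0
Mar  3 09:20:02 dhcp1 dhcpd[1422]: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
Mar  3 09:25:30 dhcp1 dhcpd[1422]: DHCPACK on 10.20.1.90 to 00:1a:2b:3c:4d:60 via eth0
"""

# Constructed authorized inventory keyed by MAC address: the preliminary
# inventory that Control 1.1 says should exist before DHCP data refines it.
AUTHORIZED_DEVICES: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "ws-finance-07 / Finance workstation",
    "00:1a:2b:3c:4d:5f": "ws-finance-08 / Finance workstation",
    "00:1a:2b:3c:4d:61": "ws-finance-09 / Finance workstation (spare)",
}

# Only DHCPACK lines prove a lease was actually handed out; DISCOVER/OFFER
# noise is ignored. The hostname in parentheses is optional in dhcpd logs.
_ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via"
)


@dataclass
class Lease:
    mac: str
    ips: Set[str] = field(default_factory=set)
    hostnames: Set[str] = field(default_factory=set)
    acks: int = 0


def parse_dhcp_acks(log_text: str) -> Dict[str, Lease]:
    """Collapse DHCPACK lines into one Lease record per MAC address."""
    leases: Dict[str, Lease] = {}
    for line in log_text.splitlines():
        m = _ACK_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        lease = leases.setdefault(mac, Lease(mac))
        lease.ips.add(m.group("ip"))
        if m.group("host"):
            lease.hostnames.add(m.group("host"))
        lease.acks += 1
    return leases


@dataclass
class InventoryReport:
    unauthorized: List[Lease]  # leased on the wire but absent from inventory
    unseen: List[str]          # in inventory but never leased in this window
    confirmed: List[str]       # in inventory and observed


def reconcile_devices(leases: Dict[str, Lease],
                      inventory: Dict[str, str]) -> InventoryReport:
    """Compare observed leases with the authorized inventory (Control 1.2)."""
    unauthorized = [l for mac, l in sorted(leases.items()) if mac not in inventory]
    unseen = sorted(mac for mac in inventory if mac not in leases)
    confirmed = sorted(mac for mac in inventory if mac in leases)
    return InventoryReport(unauthorized, unseen, confirmed)


def validate_admin_accounts(observed: Dict[str, Set[str]],
                            approved: Dict[str, str]) -> Dict[str, List[str]]:
    """Control 5.2: every observed admin account must map to a named approver.
    `observed` is {host: set(admin accounts)} as an inventory tool would collect
    it; `approved` is {account: approving executive}. Returns hosts with gaps."""
    gaps: Dict[str, List[str]] = {}
    for host, accounts in sorted(observed.items()):
        unapproved = sorted(a for a in accounts if a not in approved)
        if unapproved:
            gaps[host] = unapproved
    return gaps


if __name__ == "__main__":
    report = reconcile_devices(parse_dhcp_acks(SAMPLE_DHCP_LOG), AUTHORIZED_DEVICES)
    for lease in report.unauthorized:
        print(f"UNAUTHORIZED {lease.mac} ips={sorted(lease.ips)} "
              f"names={sorted(lease.hostnames) or '-'} acks={lease.acks}")
    print("inventoried but never seen:", report.unseen)
    # Constructed admin-account snapshot: 'jdoe' holds local admin without approval.
    print("admin gaps:", validate_admin_accounts(
        {"ws-finance-07": {"Administrator", "jdoe"}, "srv-db-01": {"Administrator"}},
        {"Administrator": "CIO"}))
```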
ETSI − ICT Standards
ETSI, the European Telecommunications Standards Institute, produces globally applicable standards for
Information and Communications Technologies (ICT), including fixed, mobile, radio, converged, broadcast and
internet technologies. ETSI is officially recognized by the European Union as a European Standards Organization.
Although ETSI was initially funded to serve European needs, it has become highly respected as a producer of
technical standards for worldwide use. ETSI has more than 800 member organizations drawn from 66 countries.
Members include the world’s leading companies and innovative R&D organizations. Examples of leading
companies from the U.S. include Oracle Corporation, BROADCOM CORPORATION, SPRINT Corporation, and MITRE
Corporation.
Growing dependence on networked digital systems has brought with it an increase in both the variety and quantity
of cyber threats. The different methods governing secure transactions in various countries make it difficult to
assess their respective risks and ensure adequate security. In 2014, ETSI set up a technical committee, known as
TC CYBER, on cybersecurity to address the growing demands for standards in this field. TC CYBER is responsible
for the international standardization of cybersecurity. The activities of TC CYBER include the development of
standards in the following areas:
• Cybersecurity;
• Security of infrastructures, devices, services, and protocols;
• Security advice, guidance and operational security requirements to users; and
• Security tools and techniques to ensure security.
ETSI produces the following specifications, standards, and guides, each with its own particular purpose:
Different Types of ETSI Standards
European Standard: Used when the document is intended to meet needs specific to Europe and requires transposition into national standards, or when the drafting of the document is required under a mandate from the European Commission / European Free Trade Association.
ETSI Standard: Used when the document contains technical requirements.
ETSI Guide: Used for guidance to ETSI in general on the handling of specific technical standardization activities.
ETSI Technical Specification: Used when the document contains technical requirements and it is important that it is available for use quickly.
Source: www.etsi.org/standards/different-types-of-etsi-standards
Review Questions - Section 2
7. Which of the following standards is primarily used by organizations that handle branded credit cards, such as
Visa, MasterCard, and American Express?
A. NIST Framework
B. The Standard of Good Practice
C. Payment Card Industry Data Security Council Standard
D. ISO/IEC 27001:2013
8. All of the following are TRUE related to security framework adoption EXCEPT:
A. Security frameworks are used by a broad range of industries
B. Most organizations use a single security framework in their security program
C. Best practice drives the NIST Framework adoption
D. Many organizations plan to adopt additional frameworks with the NIST Framework heading the list
9. Which of the following is NOT one of the top five CIS Critical Security Controls?
A. Perform an inventory of all devices
B. Perform an inventory of all software
C. Establish security configuration
D. Email and Web browser protection
VI. SEC Enforcement Action
As a result of increasing cyberattacks on SEC registrants, the SEC has dramatically increased its focus on the
adoption and implementation of cybersecurity policies and procedures. Since 2014, the SEC’s Office of
Compliance Inspections and Examinations (OCIE) has developed a series of actions to address rising concerns
about cybersecurity threats. OCIE has published two Risk Alerts on cybersecurity. The SEC has published a
guidance update on cybersecurity and has also hosted a Cybersecurity Roundtable. In September 2015, the OCIE
announced its plan to conduct another cybersecurity analysis to collect information on how widely firms have
implemented cybersecurity procedures and controls. Also, the SEC has signaled an intent to expand its efforts not
only for financial institutions subject to extensive SEC oversight (such as broker-dealers and investment advisers)
but for all publicly-traded companies. In addition, cybersecurity remains a top concern on the SEC’s examination
priority list, especially with regard to internal security program assessment and evaluation. The following section
discusses the SEC’s focus on how financial firms address cybersecurity risks and its 2016 examination priorities
list.
The SEC’s Focus on Cybersecurity
SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies & Procedures
As companies increasingly depend on digital technologies to conduct their operations, the risks to companies
associated with cybersecurity have also increased, resulting in more frequent and severe cyber incidents.
The SEC has become more active on cybersecurity issues in recent years. It visibly entered the cybersecurity
enforcement arena in 2011 in response to concerns that public companies may not have been providing
adequate disclosures about cyber incidents, in the wake of recent high-profile cases of data security
breaches.
In September 2015, the SEC issued a cease-and-desist order (the “Order”) and settled charges against R.T.
Jones Capital Equities Management (“R.T. Jones”) for failing to establish required policies and procedures to
safeguard customer information in violation of Rule 30(a) of Regulation S-P (“Rule 30(a)”) under the
Securities Act of 1993. Rule 30(a) requires:
“Every broker, dealer, investment company and registered investment adviser to adopt written policies and
procedures reasonably designed to ensure the security and confidentiality of customer information and to
protect customer information from anticipated threats or unauthorized access.”
According to the Order, from September 2009 to July 2013, R.T. Jones stored personal information of its
clients and other persons on its third-party-hosted web server without adopting such written policies and
procedures. In July 2013, a hacker gained access to the data on R.T. Jones’ web server, rendering the
personal information of more than 100,000 individuals vulnerable to theft. The Order specifically notes that
R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt customer information
stored on its server, or maintain a response plan for cybersecurity incidents.
The Order’s emphasis on cybersecurity highlights the SEC’s heightened focus on the adoption and
implementation of cybersecurity policies and procedures by registered investment advisers.
Source: SEC Press Release - SEC Charges Investment Adviser with Failing to Adopt Proper Cybersecurity Policies & Procedures
SEC Cybersecurity Initiative
Background
In March 2014, the SEC sponsored and invited industry representatives to a Cybersecurity Roundtable to
underscore the importance of cybersecurity. Chair Mary Jo White emphasized the “compelling need for stronger
partnerships between the government and private sector to address cyber threats.” In April 2014, the SEC’s Office
of Compliance Inspections and Examinations (OCIE) published a Risk Alert, OCIE Cybersecurity Initiative, announcing
a series of examinations of more than 50 registered broker-dealers and investment advisers. The OCIE examinations
were designed to:
1. Identify cybersecurity risks;
2. Assess cybersecurity preparedness and
3. Obtain information about the industry’s recent experience with certain types of cyber threats.
The examinations were focused on the following areas:
✓ The Entity’s Cybersecurity Governance;
✓ Identification and Assessment of Cybersecurity Risks;
✓ Protection of Networks and Information;
✓ Risks Associated with Remote Customer Access and Funds Transfer Requests;
✓ Risks Associated with Vendors and other Third Parties;
✓ Detection of Unauthorized Activity, and
✓ Experiences with Certain Cybersecurity Threats
In February 2015, OCIE published summary observations of the findings from these examinations, Cybersecurity
Examination Sweep Summary, reflecting the legal, regulatory and compliance issues relating to cybersecurity in
the securities industry. In September 2015, the SEC issued a Risk Alert, OCIE’s 2015 Cybersecurity Examination
Initiative, announcing that OCIE will be conducting a new Cybersecurity Examination Initiative focused on key
topics such as:
• Governance and Risk Assessment;
• Access Rights and Controls;
• Data Loss Prevention;
• Vendor Management;
• Training, and
• Incident Response.
The following sections highlight the observations of the examinations resulting from the Cybersecurity
Examination Initiative and the targeted areas for its second round of cybersecurity examinations.
Cybersecurity Examination Sweep Summary
To better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues
associated with cybersecurity (the Cybersecurity Examination Initiative), OCIE’s National Examination Program
staff (the staff) examined 57 registered broker-dealers and 49 registered investment advisers in 2014. Through
these examinations, the staff collected and analyzed information from the selected firms relating to their practices
in the following areas:
Cybersecurity Examination Scope
• Identifying risks related to cybersecurity;
• Establishing cybersecurity governance, including policies, procedures, and oversight processes;
• Protecting firm networks and information;
• Identifying and addressing risks associated with remote access to client information and funds transfer requests;
• Identifying and addressing risks associated with vendors and other third parties, and
• Detecting unauthorized activity.
Source: National Exam Program Risk Alert Volume IV Issue 4, February 3, 2015
In addition to reviewing the related documents, the staff interviewed key personnel at each firm regarding its:
✓ Business and operations;
✓ Detection and impact of cyberattacks;
✓ Preparedness for cyberattacks;
✓ Training and policies relevant to cybersecurity, and
✓ Protocol for reporting cyber breaches
In 2015, the OCIE published the following observations from the examinations conducted under the Cybersecurity
Examination Initiative:
Summary Examination Observations
➢ The vast majority of examined broker-dealers (93%) and advisers (83%) have adopted written
information security policies. Most of the broker-dealers (89%) and the majority of the advisers (57%)
conduct periodic audits to determine compliance with these information security policies and procedures.
o Written policies and procedures generally do not address how firms determine whether they are
responsible for client losses associated with cyber incidents. The policies and procedures of only
a small number of the broker-dealers (30%) and the advisers (13%) contain such provisions, and
even fewer of the broker-dealers (15%) and the advisers (9%) offered security guarantees to
protect their clients against cyber-related losses.
o Many firms are utilizing external standards and other resources to model their information
security architecture and processes. Most of the broker-dealers (88%) and many of the advisers
(53%) reference published cybersecurity risk management standards, such as those published by
NIST, ISO, and the Federal Financial Institutions Examination Council (FFIEC).
➢ The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify
cybersecurity threats, vulnerabilities, and potential business consequences. These broker-dealers (93%)
and advisers (79%) reported considering such risk assessments in establishing their cybersecurity policies
and procedures.
o Fewer firms apply these requirements to their vendors. A majority of the broker-dealers (84%)
and approximately a third of the advisers (32%) require cybersecurity risk assessments of vendors
with access to their firms’ networks.
➢ Most of the examined firms reported that they have been the subject of a cyber-related incident. A
majority of the broker-dealers (88%) and the advisers (74%) stated that they have experienced cyber-
attacks directly or through one or more of their vendors. The majority of the cyber-related incidents are
related to malware and fraudulent emails.
➢ Many examined firms identify best practices through information-sharing networks. Almost half of the
broker-dealers (47%) were members of industry groups, associations, or organizations (both formal and
informal) that exist for the purpose of sharing information regarding cybersecurity attacks and identifying
effective controls to mitigate harm.
➢ The vast majority of examined firms report conducting firm-wide inventorying, cataloging, or mapping
of their technology resources.
➢ Almost all the examined broker-dealers (98%) and advisers (91%) make use of encryption in some form.
Source: National Exam Program Risk Alert Volume IV Issue 4, February 3, 2015
Areas of Focus for Cybersecurity Examinations
In light of recent cybersecurity breaches and continuing cybersecurity threats against financial services firms, the
second round of the Cybersecurity Examination Initiative will focus on the following areas:
Cybersecurity Examination Initiative Targeted Areas
Governance & Risk Assessment
Examiners may:
✓ Assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below;
✓ Assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business, and
✓ Review the level of communication to and involvement of senior management and boards of directors
Access Rights and Controls
Examiners may review how firms control access to various systems and data via the management of user credentials, authentication, and authorization methods. This may include a review of controls associated with:
✓ Remote access;
✓ Customer logins;
✓ Passwords;
✓ Firm protocols to address customer login problems;
✓ Network segmentation and tiered access.
Data Loss Prevention
Examiners may assess how firms:
✓ Monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads, and
✓ Monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.
Vendor Management
Examiners may:
✓ Focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms, and
✓ Assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.
Training
Examiners may:
✓ Focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior, and
✓ Review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
Incident Response
Examiners may assess whether firms have:
✓ Established policies;
✓ Assigned roles;
✓ Assessed system vulnerabilities, and
✓ Developed plans to address possible future events.
Source: National Exam Program Risk Alert Volume IV Issue 8, September 15, 2015
In sharing the key focus areas for the Cybersecurity Examination Initiative, the National Exam Program hoped to
encourage registered broker-dealers and investment advisers to reflect upon their own practices, policies, and
procedures with respect to cybersecurity.
According to the SEC’s 2019 Examination Priorities, examinations will focus on, among other things, proper
configuration of network storage devices, information security governance generally, and policies and procedures
related to retail trading information security. Specific to investment advisers, OCIE will emphasize cybersecurity
practices at investment advisers with multiple branch offices, including those that have recently merged with
other investment advisers, and continue to focus on, among other areas, governance and risk assessment, access
rights and controls, data loss prevention, vendor management, training, and incident response.
Cybersecurity Guidance No. 2015-02
Both registered investment companies (funds) and registered investment advisers (advisers) increasingly use
technology to conduct their business activities. Due to the rapidly changing nature of the business environment
and cyber threats, the SEC Division of Investment Management continues to focus on cybersecurity and monitor
events in this area. In April 2015, the Division issued IM Guidance Update No. 2015-02 (the Guidance) to highlight
the importance of the cybersecurity issues faced by funds and advisers. The Guidance stated that funds and
advisers need to actively manage their cybersecurity risks and be prepared to respond in the event of a
cyberattack.
In the Division’s view, failure to mitigate exposure to compliance risk associated with cyber threats through
compliance policies and procedures could constitute a violation of the compliance program rules under the
Investment Company Act of 1940 (for funds) and the Investment Advisers Act of 1940 (for advisers). Those rules
require funds and advisers to adopt and maintain written policies and procedures reasonably designed to prevent
violations of the federal securities laws, and to review them annually to ensure that they are effectively
implemented. Similarly, the Guidance states that failure to mitigate harm from cyberattacks that expose personal
identification information, or that prevent investors from exercising their legal rights (for example, redeeming
fund shares), could be a violation of the SEC’s identity theft red flags rules or of Section 22(e) of the Investment
Company Act. The Guidance also states that funds and advisers need to protect confidential and sensitive
information related to these activities from third parties, including information concerning fund investors and
advisory clients. In short, the Guidance reinforced a regulatory trend: measures once regarded merely as
cybersecurity best practices are increasingly treated as legal obligations.
The following section discusses the key measures including risk mitigation, prevention, detection and response to
threats, written policies/procedures and training that funds and advisers may consider when managing
cybersecurity risks.
Risk Mitigation
The Guidance indicated that an effective assessment would assist in identifying potential cybersecurity threats
and vulnerabilities so as to better prioritize and mitigate risk. Therefore, funds and advisers should conduct a
periodic assessment of the following factors:
• The nature, sensitivity, and location of information that the firm collects, processes and/or stores, and the
technology systems it uses;
• Internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology
systems;
• Security controls and processes currently in place;
• The impact should the information or technology systems become compromised, and
• The effectiveness of the governance structure for the management of cybersecurity risk
Prevention, Detection, and Response to Threats
In addition to mitigating risks, the Guidance indicated that funds and advisers should create a strategy that is
designed to prevent, detect and respond to cybersecurity threats. Such a strategy should address the following
matters:
1. Controlling access to various systems and data via management of user credentials, authentication and
authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and
network resources, network segregation, and system hardening
2. Data encryption
3. Protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage
media and deploying software that monitors technology systems for unauthorized intrusions, the loss or
exfiltration of sensitive data, or other unusual events
4. Data backup and retrieval
5. The development of an incident response plan
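Item 3 above, like the OCIE “Data Loss Prevention” examination area described earlier (monitoring the volume of content employees transfer outside the firm by email attachment or upload), names a control without showing what the monitoring actually does. The following Python script is an added example written for this course text; it is not from the Guidance, from OCIE, or from any vendor product. It assumes a constructed mail-gateway log format (timestamp, sender, recipient, attachment size in bytes), a hypothetical firm domain example-adviser.com, and a hypothetical watched personal-webmail domain webmail.example; a real gateway logs differently and the parser would need adjusting. It flags a sender whose external attachment volume on the review day exceeds three times that sender’s own baseline median (subject to an absolute floor), and separately flags any review-day message to the watched webmail domain.

```python
"""Added example: outbound-attachment monitor for data loss prevention.

Parses constructed mail-gateway log lines, totals the bytes each sender attached
to messages leaving the firm, and flags senders whose review-day volume is
anomalous against their own baseline or who mailed a watched webmail domain.
"""
import re
import statistics
from collections import defaultdict

# Assumptions for this example: the firm's own domain and a webmail domain to watch.
FIRM_DOMAIN = "example-adviser.com"
WATCHED_DOMAINS = {"webmail.example"}

# Constructed sample log (assumed format, not any real gateway's):
#   <ISO timestamp> sender=<addr> recipient=<addr> attachment_bytes=<n>
SAMPLE_LOG = """\
2019-03-04T09:12:01 sender=alice@example-adviser.com recipient=ops@example-custodian.com attachment_bytes=150000
2019-03-04T10:40:22 sender=bob@example-adviser.com recipient=ops@example-custodian.com attachment_bytes=200000
2019-03-05T09:05:11 sender=alice@example-adviser.com recipient=ops@example-custodian.com attachment_bytes=160000
2019-03-05T11:15:47 sender=bob@example-adviser.com recipient=ops@example-custodian.com attachment_bytes=180000
2019-03-06T09:30:00 sender=alice@example-adviser.com recipient=carol@example-adviser.com attachment_bytes=9000000
2019-03-06T14:02:13 sender=bob@example-adviser.com recipient=ops@example-custodian.com attachment_bytes=220000
2019-03-07T08:55:09 sender=alice@example-adviser.com recipient=ops@example-custodian.com attachment_bytes=170000
2019-03-07T18:47:33 sender=bob@example-adviser.com recipient=bob.personal@webmail.example attachment_bytes=4800000
2019-03-07T18:49:10 sender=bob@example-adviser.com recipient=bob.personal@webmail.example attachment_bytes=4700000
this line is deliberately malformed and must be skipped rather than crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) sender=(?P<sender>\S+) "
    r"recipient=(?P<rcpt>\S+) attachment_bytes=(?P<size>\d+)$"
)


def domain_of(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append({
            "day": m["ts"][:10],          # calendar day of the message
            "sender": m["sender"].lower(),
            "rcpt": m["rcpt"].lower(),
            "size": int(m["size"]),
        })
    return events


def daily_external_bytes(events, firm_domain=FIRM_DOMAIN):
    """Map sender -> day -> bytes attached to messages leaving the firm.
    Internal mail (recipient on the firm domain) is ignored."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        if domain_of(e["rcpt"]) != firm_domain:
            totals[e["sender"]][e["day"]] += e["size"]
    return totals


def review(text, baseline_days, review_day, firm_domain=FIRM_DOMAIN,
           watched_domains=WATCHED_DOMAINS, multiplier=3.0, absolute_floor=1_000_000):
    """Return {sender: [reasons]} for senders that trip either DLP rule on review_day.

    Rule 1: review-day external bytes exceed max(absolute_floor, multiplier * median of
            that sender's baseline days). Days with no external mail count as 0, so a
            normally quiet sender is not hidden by a sparse baseline.
    Rule 2: any review-day message to a watched personal-webmail domain.
    """
    events = parse_log(text)
    totals = daily_external_bytes(events, firm_domain)
    flags = defaultdict(list)

    for sender, days in totals.items():
        baseline = [days.get(d, 0) for d in baseline_days]
        median = statistics.median(baseline) if baseline else 0
        threshold = max(absolute_floor, multiplier * median)
        today = days.get(review_day, 0)
        if today > threshold:
            flags[sender].append(
                f"{today} bytes sent externally on {review_day}, above threshold {int(threshold)}")

    watched_hits = defaultdict(int)
    for e in events:
        if e["day"] == review_day and domain_of(e["rcpt"]) in watched_domains:
            watched_hits[e["sender"]] += 1
    for sender, n in watched_hits.items():
        flags[sender].append(f"{n} message(s) to a watched personal-webmail domain on {review_day}")
    return dict(flags)


if __name__ == "__main__":
    result = review(SAMPLE_LOG, ["2019-03-04", "2019-03-05", "2019-03-06"], "2019-03-07")
    for sender, reasons in result.items():
        print(sender)
        for reason in reasons:
            print("  -", reason)
```

On the constructed log, alice’s 9 MB internal attachment is ignored and her external volume stays within baseline, while bob is flagged twice: 9.5 MB to an external address against a roughly 200 KB daily baseline, and two messages to the watched webmail domain. The per-sender baseline matters because a flat firm-wide threshold either drowns in alerts from users who legitimately send large files (custodian reconciliations, statements) or misses a quiet user who suddenly exports a client list.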
A firm’s obligations do not stop at the front door. Nearly all funds and advisers rely on third-party vendors and
service providers to carry out their daily operations and a cyberattack on one of those third parties may have the
same impact as an attack on the firm itself. Therefore, the Guidance highlighted the importance of assessing
third-party vendors’ cybersecurity policies and procedures, including the use of contractual provisions to ensure
a minimum level of compliance.
Policies and Procedures and Training
To ensure that fund officers and employees understand cybersecurity risks and how to respond to related
incidents, firms should implement policies and procedures and conduct regular training. Firms should also
consider how to educate investors and clients about how to reduce their exposure to cybersecurity threats
concerning their accounts.
Cybersecurity Disclosure Obligations
Background
The federal securities laws are in part designed to encourage the disclosure of timely, comprehensive, and
accurate information about risks and events that a reasonable investor would consider important to an
investment decision. The SEC has made clear that material cybersecurity risks and incidents should be disclosed
to investors. Companies must disclose in their public filings the risks associated with cyberattacks as well as any
potential material effect on their financial statements. However, determining what is material, as well as
when and how to disclose it, is less clear. As a result, the SEC Division of Corporation Finance issued guidance in
October 2011 on how disclosures about cybersecurity matters should be tailored to each registrant’s specific facts
and circumstances. This chapter discusses the SEC’s focus on public companies’ disclosure obligations regarding
cybersecurity risks and cyber incidents.
An Overview of CF Disclosure Guidance − Topic No. 2
In October 2011, prompted by recent high-profile data security breaches in the public and private sectors, the
SEC Division of Corporation Finance issued disclosure guidance on cybersecurity risks and cyber incidents as part
of its CF Disclosure Guidance series (Topic No. 2). The following sections provide an overview of specific
disclosure obligations.
On February 21, 2018, in response to the increasing significance
of cybersecurity incidents, the SEC issued much-anticipated
interpretive guidance on cybersecurity disclosure. The guidance
affirms and expands upon the 2011 cybersecurity disclosure
guidance issued by the staff of the Division of Corporation
Finance. The new guidance also notably addresses the importance
of the board’s role in overseeing the management of
cybersecurity risks, the need for corporate cybersecurity policies
and procedures, considerations concerning potential insider trading prohibitions by companies investigating
potential breaches, and Regulation FD and selective disclosure prohibitions in the cybersecurity context.
Risk Factors
In determining whether the disclosure of risk factors is required, registrants are expected to evaluate their
cybersecurity risks and take into account all available relevant information, including:
• The occurrence of prior cybersecurity incidents, including their severity and frequency;
• The probability of the occurrence and potential magnitude of cybersecurity incidents;
• The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs,
including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain
cybersecurity risks;
• The aspects of the company’s business and operations that give rise to material cybersecurity risks and
the potential costs and consequences of such risks, including industry-specific risks and third-party
supplier and service provider risks;
• The costs associated with maintaining cybersecurity protections, including, if applicable, insurance
coverage relating to cybersecurity incidents or payments to service providers;
• The potential for reputational harm;
• Existing or pending laws and regulations that may affect the requirements to which companies are subject
relating to cybersecurity and the associated costs to companies; and
• Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents
Cybersecurity risk disclosure must adequately describe the nature of the material risks and specify how each risk
affects the registrant consistent with the Regulation S-K Item 503(c). Registrants should avoid generic risk factor
disclosure. Appropriate disclosure may include the following information:
1. Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity
risks and the potential costs and consequences
2. Description of outsourced functions with material risks and how those risks are addressed
3. Description of material cybersecurity incidents experienced in the aggregate or individually as well as their
costs and consequences
4. Risks related to cybersecurity incidents that may remain undetected for an extended period
5. Description of relevant insurance coverage
A registrant may need to disclose specific cybersecurity incidents to place its risk factor disclosure in context. For example, if a registrant
experienced a material cyber attack in which malware was embedded in its systems and customer data was
compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack
may occur. Instead, the registrant may need to discuss the occurrence of the specific attack and its known and
potential costs and other consequences. If a breach is deemed non-material by a company, the company may still
receive a comment from the SEC asking for an explanation of why it was not considered material. Examples of
common SEC comments include:
• “Please include appropriate risk factor disclosure regarding the online nature of your business, with
particular attention to the cyber-security issues and web server maintenance.”
• “Please expand your risk factor disclosure to describe the cybersecurity risks that you face or tell us why
you believe such disclosure is unnecessary.”
• “We note your disclosure regarding [a security breach]. In future filings please disclose in this section and
in the ‘Liquidity and Capital Resources’ section”
Registrants may consider the following best practices regarding risk factor disclosure:
1. Disclosing any specific/material cybersecurity breaches that have occurred
2. Explaining how the company has dealt with the breaches
3. Listing the specific types of cybersecurity risks (e.g. viruses, intruders, operational disruption)
4. Including cybersecurity risks under their own separate and stand-alone category heading
5. Providing the specific reason(s) why cybersecurity risk could be material
6. Including the potential consequences from a cybersecurity breach
7. Indicating whether the company has taken steps to handle cybersecurity breaches (e.g. insurance coverage)
Appendix A demonstrates how companies disclose the risk factors.
It is important to know that the federal securities laws do NOT require disclosure that itself would compromise a
registrant’s cybersecurity. Instead, registrants should provide sufficient information to allow investors to
understand the nature of the risks faced by the registrant, without exposing specific weaknesses.
MD&A
Registrants should address cybersecurity risks and cyber incidents in the MD&A section of their Form 10-K and
Form 10-Q if the costs or other consequences represent a material event, trend, or uncertainty that is reasonably
likely to have a material effect on the registrant’s operations, liquidity, or financial condition. For example, if
material intellectual property is stolen in a cyberattack, and the effects of the theft are reasonably likely to be
material, the registrant should describe the property that was stolen and the effect of the attack on its results of
operations, liquidity, and financial condition and whether the attack would cause reported financial information
not to be indicative of future operating results. If it is reasonably likely that the attack will lead to reduced
revenues or to increased cybersecurity protection and litigation costs, the registrant should discuss these
possible outcomes, including the amount and duration of the expected costs, if material.
Appendix B demonstrates how a company disclosed a data breach that represented a material event.
Description of Business
A registrant should provide adequate disclosure in Item 101 of Regulation S-K if one or more cyber incidents
materially affect the registrant’s products, services, relationships with customers or suppliers, or competitive
conditions. In determining whether to include a related disclosure, registrants should consider the impact on each
of their reportable segments. For example, if a registrant has a new product in development and learns of a cyber
incident that could materially impair its future viability, the registrant should discuss the incident and the potential
impact to the extent it would be material.
Legal Proceedings
A registrant may need to disclose information regarding litigation in Item 103 of Regulation S-K if a material
pending legal proceeding, to which the registrant or any of its subsidiaries is a party, involves a cyber incident. For
example, if a significant amount of customer information is stolen, resulting in material litigation, the registrant
should disclose the name of the court in which the proceedings are pending, the date instituted, the principal
parties, a description of the factual basis alleged to underlie the litigation, and the relief sought.
Financial Statement Disclosures
Cybersecurity risks and cybersecurity incidents may have a broad impact on the financial statements, depending
on the nature and severity of the potential or actual incident. In general, financial statement disclosures include:
1. Costs incurred to prevent cybersecurity incidents
2. Costs incurred to mitigate damages from a cybersecurity incident
3. Losses from asserted and unasserted claims
4. Diminished future cash flows
5. Impairment of assets
This section summarizes the registrants’ obligations regarding cybersecurity incidents for financial statement
disclosure.
Prior to a Cybersecurity Incident
Registrants may incur substantial costs to prevent cybersecurity incidents. Accounting for the capitalization of
these costs is addressed by Accounting Standards Codification (ASC) 350-40, Internal-Use Software, to the extent
that such costs are related to internal-use software.
During and After a Cybersecurity Incident
Registrants may seek to mitigate damages from a cybersecurity incident by providing customers with incentives
to maintain the business relationship. Registrants should consider ASC 606-10, Revenue from Contracts with
Customers, to ensure appropriate recognition, measurement, and classification of these incentives.
Cybersecurity incidents may result in losses from asserted and un-asserted claims, including those related to
warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from
their remediation efforts. Registrants should refer to ASC 450-20, Loss Contingencies, to determine when to
recognize a liability if those losses are probable and reasonably estimable.
Cybersecurity incidents may also diminish future cash flows, requiring consideration of impairment of certain
assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other
long-lived assets associated with hardware or software, and inventory. Registrants may not immediately know
the impact of a cybersecurity incident and may be required to develop estimates to account for the various
financial implications. Examples of estimates that may be affected by cybersecurity incidents include estimates
of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred
revenue.
Appendix C demonstrates how a company disclosed the impact of a cybersecurity incident on financial statements.
Disclosure Controls and Procedures
Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To
the extent cybersecurity incidents pose a risk to a registrant’s ability to record, process, summarize, and report
information that is required to be disclosed in Commission filings, management should also consider whether
there are any deficiencies in its disclosure controls and procedures that would render them ineffective. If a
cybersecurity breach occurs or new risks arise between periodic reporting dates, companies should
consider whether disclosing such information on a Form 8-K is appropriate. Companies should disclose this
information if the cybersecurity incident or newly presented cybersecurity risk affects the accuracy and
completeness of previous filings.
Appendix D demonstrates how a company disclosed its cybersecurity incident in between periodic reporting
requirements.
Review Questions - Section 3
10. Which of the following measures ensures that employees understand cybersecurity risks and know how to
respond to incidents, in accordance with the SEC Division of Investment Management Guidance Update No.
2015-02?
A. Prevention, Detection, and Response
B. Policies, Procedure, and Training
C. Adequate Infrastructure Funding
D. Risk Mitigation
11. Which of the following is NOT a key aspect of the SEC Division of Investment Management Guidance Update
No. 2015-02?
A. Prevention, Detection, and Response
B. Policies, Procedure, and Training
C. Adequate Infrastructure Funding
D. Risk Mitigation
12. Depending on the circumstances, disclosures of cyber risks and cybersecurity incidents may be required for
public companies in all of the discussions EXCEPT?
A. Risk factors
B. Description of business
C. Legal proceedings
D. Design of secure system configurations
13. Which of the following forms is used for disclosure of a cyber incident that materially affects the company’s
relationships with customers?
A. Form 10-K
B. Form 8-K
C. Form 10-Q
D. Regulation S-K
VII. Cybersecurity Risk Management
Cyber risks must be identified, understood, quantified, and planned for in the same way as any other potential business threat or disruption, such as a natural disaster, with a response plan, roles and responsibilities, monitoring and scenario planning. Too many organizations are taking an ad hoc approach to managing their risks and vulnerabilities, and it exposes them to greater threats. Company leaders and boards can no longer afford to view cybersecurity as a technology problem because the likelihood of a cyberattack is an enterprise risk management issue.
According to the World Economic Forum Global Risk Landscape 2018, cyberattacks were rated the 7th most likely global risk to occur out of 50 potential risks. Key elements of effective cybersecurity risk management are discussed in the following sections, including threats and vulnerabilities awareness, understanding cyber risks, implementation of an effective framework, detection of and response to cyberattacks, and establishment of cyber risk roles and responsibilities.
Top 10 World Economic Forum Global Risks
1. Unemployment or underemployment
2. Fiscal crises
3. Failure of national governance
4. Energy price shock
5. Profound social instability
6. Failure of financial mechanism or institution
7. Cyberattacks
8. Interstate conflict
9. Terrorist attacks
10. Unmanageable inflation
Source: World Economic Forum Global Risk Landscape 2018
Cybersecurity Risk Management (figure): Recognize Threats & Vulnerabilities; Understand Cyber Risks; Implement an Effective Framework; Detect & Respond to Cyberattacks; Define Cyber Risk Roles & Responsibilities
Recognize Threats and Vulnerabilities
The Cyber Criminal Profile
Cyber attackers are continuously changing tactics, increasing their persistence and expanding their capabilities, and the nature of cyber threats has evolved from unsophisticated attacks to state-sponsored attacks. Attacks in the form of hacktivism, corporate espionage, insider and nation-state threats, terrorism, and criminal activity can cost an organization time, resources, and irreparable harm to its reputation. The ongoing evolution of cybersecurity threats from script kiddies to sponsored attacks is shown in the following table.
Evolution of Cyber Threats
Unsophisticated attackers (Script Kiddies)
Experimentation: You are attacked because you are on the internet and have a vulnerability.
Sophisticated attackers (Hackers)
Monetization: You are attacked because you are on the internet and have information of value.
Corporate espionage (Insiders)
Your current or former employee seeks financial gain from selling your intellectual property.
State-sponsored attacks (Advanced Persistent Threats), hacktivism, identity thefts
- You are targeted because of who you are, what you do, or the value of your intellectual property.
- Cyberattacks to promote political ends, such as hacktivism. The theft of personally identifiable information (PII) is increasing.
Timeline shown in the source figure: 1980s/1990s for unsophisticated and sophisticated attackers; 20xx for the later categories.
Source: EY - Cyber Program Management: Identifying ways to get ahead of cybercrime, 2014
Today, organizations are exposed to ultra-sophisticated attackers who deploy increasingly targeted malware against systems in multistage attacks. These attacks are the work of Advanced Persistent Threat (APT) actors, the most significant and challenging threat, who aim to support their own businesses by providing them with innovative technology or a competitive edge over the competition. McAfee describes APTs as:
“More insidious and occur largely without public disclosures. They present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat.”
APTs conduct activity largely supported, directly or indirectly, by a nation-state. APTs target carefully selected, high-value data in every industry, from aerospace to wholesalers, education to finance. These threat actors may further seek to understand supply chains, manufacturing processes, and programmatic business details to replicate these processes or identify weaknesses.
The following table lists the profiles of threat actors, including their motives, targets, and impact.
Profiles of Threat Actors
Nation States
Motives: economic, political, and/or military advantage; espionage and ideological
Target: trade secrets; sensitive business information; emerging technologies; critical infrastructure
Impact: loss of competitive advantage; disruption to critical infrastructure
Organized Crime
Motives: immediate financial gain; collect information for future financial gains
Target: financial/payment systems; personally identifiable information; payment card information; protected health information
Impact: costly regulatory inquiries and penalties; consumer and shareholder lawsuits; loss of consumer confidence
Hacktivists
Motives: influence political and/or social change; pressure businesses to change their practices
Target: corporate secrets; sensitive business information; information related to key executives, employees, customers and business partners
Impact: disruption of business activities; brand and reputation; loss of consumer confidence
Insiders
Motives: personal advantage, monetary gain; professional revenge; patriotism
Target: sales, deals, market strategies; corporate secrets, IP, R&D; business operations; personnel information
Impact: trade secret disclosure; operational disruption; brand and reputation; national security impact
Source: PwC, Answering Your Cybersecurity Questions, 2014
To focus resources and maximize security, organizations should first identify the most likely source of attack: internal or external. Details are discussed in the following sections.
Internal Threats
Internal threats to information run from the inadvertent (simple user error, loss of mobile devices) to the malicious
(internal fraud, data theft). In general, internal intruders are users with privileges or authorized access to a system
with an account on a server or with physical access to the network. The Internet Security Glossary describes “Inside
Attack” as an attack initiated by an entity inside the security perimeter. An insider threat may come from a current
or former employee, contractor, or other business partner who has or had authorized access to an organization’s
network, system, or data, and intentionally misused that access in a manner that negatively affected the
confidentiality, integrity, or availability of the organization’s information or computer systems.
Malicious Insiders
Insider threats can be difficult to defend against because the perpetrators misuse the access privileges they
obtained for legitimate business functions. Employees, contractors, advisers and those in the supply chain are
often within the security firewalls of organizations, with authority to access technology and use and distribute
data. Recent statistics reveal that privilege abuse is the leading cause of data leakage by malicious insiders.
Malicious insiders are trusted employees of an organization who have access to critical systems and data. Insiders typically include system administrators, end-users, executives and managers, each with different objectives. For example, system administrators may abuse access privileges and smuggle exfiltrated data out on unapproved devices, while end-users are more often involved in accidental data loss. Together they pose the greatest threat. A Ponemon study revealed that attacks from malicious insiders, malicious code and web-based attackers take the most time, on average, to resolve, while malware, viruses, and botnets are on average resolved relatively quickly. The time it takes to resolve the consequences of an attack increases the cost of cybercrime.
Average Days to Resolve Cyberattacks (figure; values as shown in the source chart)
Malicious insiders: 54.4
Malicious code: 47.5
Web-based attacks: 27.7
Phishing & social engineering: 21.9
Denial of service: 19.3
Stolen devices: 12.3
Malware: 5.8
Viruses, worms, trojans: 2.4
Botnets: 2.2
Source: Ponemon Institute, 2015 Cost of Cyber Crime Study
Malicious insiders can cause financial and reputational damage through the theft of sensitive data and intellectual property. They can also pose a destructive cyber threat if they use their privileged knowledge or access to facilitate or launch an attack that disrupts or degrades critical services on the network. The CERT Insider Threat Center suggests that the following employees pose the greatest insider threat risk:
• Disgruntled employees who feel disrespected and are seeking revenge;
• Profit-seeking employees who believe that they can make more money by selling stolen intellectual
property;
• Employees moving to a competitor or starting a business who, for example, steal customer lists or business plans to give themselves a competitive advantage; and
• Employees who believe they own the intellectual property that they helped develop. As a result, they take
the intellectual property with them when they leave the organization.
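As an added example, not taken from the course or from the sources it cites, the following Python script shows one way the privilege-abuse pattern described above can be surfaced from audit logs: each user is scored on bulk access to sensitive files, copies to unapproved removable media, and activity outside business hours, and only the users whose combined score reaches a threshold are reported. The audit events, user names, thresholds and the 07:00-19:00 weekday business-hours window are all constructed assumptions for the illustration.

```python
"""Added example: scoring audit events for insider privilege abuse.

All events, users and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit events: (timestamp, user, action, target, detail).
# "detail" carries a sensitivity label for reads or the destination for copies.
EVENTS = [
    ("2019-03-04T09:12:00", "alice", "read", "/finance/q1_forecast.xlsx", "sensitive"),
    ("2019-03-04T09:40:00", "alice", "read", "/hr/payroll_march.csv", "sensitive"),
    ("2019-03-04T14:00:00", "carol", "copy", "/sales/pricelist.pdf", "removable:approved-0042"),
    ("2019-03-05T00:20:00", "bob", "copy", "/rd/design_rev12.pdf", "removable:unapproved"),
]
# bob reads 12 R&D documents late on a Monday night (constructed).
EVENTS += [
    (f"2019-03-04T23:{m:02d}:00", "bob", "read", f"/rd/design_rev{m}.pdf", "sensitive")
    for m in range(10, 22)
]
# dave reads 11 sensitive files during business hours (constructed): bulk
# access alone, without the other signals, stays below the alert threshold.
EVENTS += [
    (f"2019-03-04T10:{m:02d}:00", "dave", "read", f"/legal/contract_{m}.pdf", "sensitive")
    for m in range(0, 11)
]

BULK_THRESHOLD = 10      # sensitive reads per user before "bulk access" fires
OFF_HOURS_RATIO = 0.5    # share of sensitive reads outside business hours
ALERT_THRESHOLD = 3      # combined score that produces an alert


def is_off_hours(ts):
    """Outside 07:00-19:00 local time or on a weekend (assumed business hours)."""
    return ts.hour < 7 or ts.hour >= 19 or ts.weekday() >= 5


def score_users(events):
    """Return {user: (score, [reasons])} from the three signals."""
    sensitive_reads = defaultdict(int)
    off_hours_reads = defaultdict(int)
    unapproved_copies = defaultdict(int)
    for stamp, user, action, _target, detail in events:
        ts = datetime.fromisoformat(stamp)
        if action == "read" and detail == "sensitive":
            sensitive_reads[user] += 1
            if is_off_hours(ts):
                off_hours_reads[user] += 1
        elif action == "copy" and detail == "removable:unapproved":
            unapproved_copies[user] += 1

    results = {}
    for user in {e[1] for e in events}:
        score, reasons = 0, []
        reads = sensitive_reads[user]
        if reads >= BULK_THRESHOLD:
            score += 2
            reasons.append(f"bulk access: {reads} sensitive reads")
        if unapproved_copies[user]:
            score += 2
            reasons.append(f"{unapproved_copies[user]} copy(ies) to unapproved removable media")
        if reads and off_hours_reads[user] / reads > OFF_HOURS_RATIO:
            score += 1
            reasons.append(f"{off_hours_reads[user]}/{reads} sensitive reads outside business hours")
        results[user] = (score, reasons)
    return results


def flag_privilege_abuse(events, alert_threshold=ALERT_THRESHOLD):
    """Users whose combined score reaches the alert threshold, highest score first."""
    scored = score_users(events)
    flagged = [(u, s, r) for u, (s, r) in scored.items() if s >= alert_threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for user, score, reasons in flag_privilege_abuse(EVENTS):
        print(f"ALERT {user} (score {score}): " + "; ".join(reasons))
```

The weights are deliberately simple: a single unapproved removable-media copy or a bulk read is worth two points on its own, but neither alone reaches the alert threshold, so a legitimate bulk job during the day (dave) produces no alert while the same volume at night combined with an unapproved copy (bob) does. In practice the thresholds would be tuned per role against a baseline of normal activity.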
Real-World Case: South Korean Credit Bureau
The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016
The personal data of at least 20 million bank and credit card users in South Korea was stolen from three credit
card firms by a temporary consultant working with the personal credit ratings firm Korean Credit Bureau (KCB).
The stolen data, which was sold to phone marketing companies, included customers' names, social security
numbers, phone numbers, credit card numbers, and expiration dates. In the fallout over the theft, dozens of top
executives tendered their resignations, regulators launched investigations into security measures at the affected
firms, and the companies were held liable for full financial losses if customers fell victim to scams related to the
data theft.
Careless Employees
According to EY, careless or unaware employees are the top vulnerability perceived by organizations based on its
Global Information Security Survey results. Those insiders or employees accidentally cause cyber harm through
inadvertent clicking on a phishing email, plugging an infected USB stick into a computer, or ignoring security
procedures and downloading unsafe content from the internet. A significant number of data losses and security
breaches still occur from unintentional events (e.g. innocent mistakes, poor internal security practice), such as
laptops and storage mediums (e.g. thumb drives, flash drives, CDs, DVDs) being inadvertently lost or
compromised, wrong files being attached to emails, or emails inadvertently sent to the wrong recipients. In
addition, cases of lost or stolen laptops holding sensitive data are reported almost daily.
External Threats
External perpetrators, well-funded, persistent and sophisticated, are people who do not belong to the network
domain. Increasingly, people and processes are as much of a target as technology. Cybercriminals are motivated
to evolve as quickly as possible, and responses must be equally agile to keep pace. Public and social media websites
are the most common places where users can be deceived by hackers. An organization’s constant connectivity to
the internet exposes it to a hostile environment of rapidly evolving threats. Moreover, operating systems used on
laptops, PCs, and mobile phones have common and known vulnerabilities exploitable by attackers.
Government agencies are responsible for security-sensitive data that is growing more exposed to public access.
The existence of this information presents an opportunity for cybercriminals to use it for identity theft and fraud
purposes. And financial institutions remain a constant target for cybercriminals because the organizations rely on
online tools to help them communicate with stakeholders.
As discussed next, individuals, businesses, government bodies, institutions, and organizations face threats mainly
from nation-states, criminal gangs, and hacktivists.
Nation States
Nation-states, motivated by nationalism, are established and well organized to carry out the most sophisticated
threat in cyberspace. Some cyberattack campaigns may bear the hallmarks of both state and non-state actors,
making positive attribution almost impossible. For instance, a nation-state may develop and use a sophisticated
Trojan horse against another state. Later, after its own counter-Trojan defenses are in place, it may sell the Trojan
horse to cybercriminals on the black market, obfuscating the origin of the original attack.
Nation-states' interests include political, economic, military, and financial targets, and they usually have specific tasks such as:
• Gaining intelligence
• Stealing industrial secrets and intellectual property
• Sabotaging critical infrastructures and utilities for political and economic ends
• Listening in on policy discussions
• Conducting propaganda
Each country has a unique political system, history, and culture, and state-sponsored attacks also have distinctive
characteristics - everything from motivation to target to the type of attack. FireEye describes the unique
characteristics of cyber attack campaigns waged by governments in Asia-Pacific, Russia/Eastern Europe, Middle
East, and the U.S.
Characteristics of Cyberattack Campaigns Waged by Governments
China: China employs brute force attacks that are often the most inexpensive way to accomplish its objectives. The attacks succeed due to the sheer volume of attacks, the prevalence, and the persistence of vulnerabilities in modern networks.
Russia/Eastern Europe: These cyberattacks are more technically advanced and highly effective at evading detection. Russia's attacks are the most complex and advanced. There is more focus on zero-day exploits.
Middle East: These hackers are dynamic, often using creativity, deception, and social engineering to trick users into compromising their own computers.
U.S.: The most complex, targeted, and rigorously engineered cyberattack campaigns to date. The attacks require a high level of financial investment, technical sophistication, and legal oversight.
Source: FireEye, World War C: Understanding Nation-State Motives Beyond Today's Advanced Cyber Attacks
Organized Crime
Driven by profit and personal gain, organized crime is becoming increasingly sophisticated in its use of technology
to commit fraud and steal funds and valuable information. Criminal groups have been a rapidly growing problem
with international collaboration creating a global marketplace for cybercrime tools. For example, in 2013,
JPMorgan Chase warned 465,000 holders of prepaid cash cards that their personal information may have been
accessed by a global cybercrime ring. Eventually, they stole $45 million from banks by hacking into credit card
processing firms and withdrawing money from automated teller machines in 27 countries.
According to UNODC, upwards of 80% of cybercrime acts are estimated to originate in some form of organized
activity, with cybercrime black markets established on a cycle of malware creation, computer infection, botnet
management, harvesting of personal and financial data, data sale, and ‘cashing out’ of financial information.
Online connectivity and peer-learning are central to the engagement of organized criminal groups in cyber
criminality. Carding, the trafficking of credit card, bank account and other personal information online, is one such
example. Modern carding sites have been described as full-service commercial entities and may provide services
including laundering techniques, phishing kits, malware, and spam lists.
Hacktivists
Hacktivists, whose objectives are to disrupt and embarrass an organization, usually refer to a disparate group that
contains a wide variety of ideologically oriented groups and individuals. Thus, hacktivists usually wish to attack
companies for political or ideological motives. They promote a form of civil disobedience in cyberspace by hacking
into computer systems for political or social purposes to bring attention to an issue, rather than for personal or
monetary gain. For example, in November 2013, hackers claiming links to a group called Anonymous defaced
dozens of websites belonging to Australian businesses and Philippine government agencies in response to spying
allegations.
Real-World Case: Ashley Madison
The following case is extracted from IIROC, “Cybersecurity Best Practices Guide for IIROC Dealer Members”, 2016
Canadian company Ashley Madison was targeted by hackers in July 2015. Calling themselves the Impact Team,
the hackers took issue with the company’s business model of providing a forum to facilitate marital infidelity. The
aim of the hackers was to force the company to cease its operations.
In August 2015, the hackers released some 39 million customer profiles, including user profiles, names, and email
addresses. Lawyers representing Canadian victims launched a class-action lawsuit seeking $760 million in
damages. The parent company, Avid Life Media, has indefinitely postponed Ashley Madison’s upcoming initial
public offering, where the company had hoped to raise $200 million.
The Cybersecurity Threats
According to the PwC Global Economic Crime Survey 2018, cybercrimes climbed to the 2nd most reported economic
crime, affecting 31% of the responding organizations. Over half of the respondents see an increased risk of cyber
threats as more and more organizations see a higher use of social networks, cloud computing and personal mobile
devices at work. Consequently, these vulnerabilities and also careless employees, outdated information security
controls, and unauthorized access, have increased an organization’s risk exposure.
The interconnectivity of people, devices and organizations in today's digital world opens up a new field of vulnerabilities. Finding loopholes to enter any network is easier than ever for cybercriminals because there are so many access points and ways to attack. For example, traditionally closed operating systems have increasingly been given IP addresses that can be accessed remotely, so that cyber threats are making their way into critical infrastructures, such as power generation and transportation systems and other automation systems. The growth and spread of connected digital technology not only motivates criminals to evolve as quickly as possible but also changes the overall risk landscape of organizations. The actual and potential threats often come from completely unexpected places. Each factor is discussed in the following sections.
A Network of Networks
It is anticipated that up to 50 billion devices will be connected to the internet by the year 2020; however, the
awareness of threats seems to be low, and poor user behavior is the main risk associated with mobile devices.
The use of the internet via smartphones and tablets (in combination with bring your own device (BYOD) strategies
by employers) has made an organization’s data accessible everywhere and at any time. Consequently, one
vulnerable device can lead to other vulnerable devices, and it is almost impossible to patch all the vulnerabilities
for all devices.
The BYOD concept has been a growing trend in business. It refers to the policy that allows employees to bring
personal devices including laptops, smartphones, and tablets to their workplace and to use those devices to access
the company’s applications and data. According to EY, while real business benefits can be derived from BYOD in
the workplace, it does carry the following significant risks:
• The employee may lose a personal device that contains business information.
• The employee may unintentionally install applications that are malicious in nature.
• The employee may unintentionally disclose business information, for example, by allowing family
members or friends to use a laptop containing sensitive business information.
• The BYOD implementation, itself, may be in breach of applicable laws and regulations because it may be
in violation of data privacy laws and regulations.
Risk Landscape Changed by (figure): A Network of Networks; Cloud Computing; Application Risk; Privacy & Data Protection
The increased use of BYOD by employees is often unsupported by the organization or not protected within an organization's network security architecture. Threats introduced by mobile devices can be grouped into the following three categories:
Threats Introduced by Mobile Devices
Device-based threat
Mobile devices enable end-users to perform business-related tasks (e.g., receiving email and accessing, editing, and sharing corporate content). As a result, mobile devices store a significant amount of sensitive data. Data can be compromised in a variety of ways due to:
• Always-on connectivity, which could allow unauthorized parties to access business data
• Software vulnerabilities that allow "jailbreaking" or "rooting" of devices, compromising data security
• Portable form factor, making the devices susceptible to theft and misplacement
Network-based threat
The always-on model requires mobile devices to be constantly connected to the internet. End-users often rely on untrusted public networks, enabling malicious parties to access and intercept transmitted data using:
• Rogue access points
• Wi-Fi sniffing tools
• Sophisticated Man-in-the-Middle (MitM) attacks
User-based threat
Mobile devices empower end-users. While this is great for user choice, well-meaning end-users often indulge in risky behaviors that could compromise business data. Examples of risky behaviors include:
• Using unapproved cloud-based apps to share and sync data
• Using unapproved productivity apps that maintain copies of corporate data
• Jailbreaking/rooting devices to bypass security controls
• Using malicious apps from unapproved app stores
• Exposing business data with malicious intent
Source: MobileIron, Mobile Security: Threats and Countermeasures
Cloud Computing
As more and more organizations put mission-critical data in cloud computing, with a loss of control, the threats
and attacks will increase. Cloud computing is in need of serious improvement, especially in terms of security.
Moreover, most cloud vendors currently either do not have a privacy policy or have non-transparent policies.
Many organizations are often discovering too late that their cloud provider’s standards of security may not
correspond to their own. The recent events of “CelebGate” and Amazon’s IAAS compromise are live examples of
such issues. When the vendor hosts sensitive organization data, the Institute of Internal Auditors (IIA) suggests
management should implement defined oversight programs such as:
• Active monitoring of service level agreements (SLAs)
• Information security configuration changes
• Independent cybersecurity examination engagements
• Service organization controls (SOC) reports
• Vulnerability assessments and penetration tests
• Escalation procedures with vendor management
• Baseline assessments performed to inspect key security controls
• Ongoing evaluations that analyze the technical architecture and controls in place to protect the
organization’s data
Application Risk
There have already been over 200 million apps downloaded and the number of apps downloaded is expected to
reach 260 million by 2022. Mobile devices are fully integrated within daily lives, and apps have been a major
catalyst, including mapping apps, social networking, and productivity tools. However, downloaded apps may
present security risks. According to the EY Global Information Security 2018 survey, the top two threats today
are phishing and malware:
1. Phishing (22%)
2. Malware (20%)
3. Cyberattacks (to disrupt) (13%)
4. Cyberattacks (to steal money) (12%)
5. Fraud (10%)
6. Cyberattacks (to steal IP) (8%)
7. Spam (6%)
8. Internal attacks (5%)
9. Natural disasters (2%)
10. Espionage (2%)
Most successful cyber breaches use phishing and/or malware as starting points. Approximately 550 million phishing emails were sent out by a single campaign during the first quarter of 2018, and about 22% of respondents see phishing as the biggest threat. In addition, most employees now own mobile devices, and organizations have been letting employees use their own personal mobile devices to conduct work; many organizations are reaching out to corporate IT to support this alternative. However, the support and adoption of BYOD devices in a corporate environment increases security risks, including malware and app vulnerabilities.
Malware and App Vulnerabilities (figure)
• Malicious Apps (Malware): The increase in the number of apps on the device increases the likelihood that some may contain malicious code or security holes.
• App Vulnerabilities: Apps developed or deployed by the organization to enable access to corporate data may contain security weaknesses.
Privacy and Data Protection
Since all smart devices hold confidential information from consumers and businesses, data privacy and data protection have become key cyber risks. Legislation for data protection has already become much tougher in the U.S., Hong Kong, Singapore, and Australia, while the European Union is looking to agree on European data protection rules. As a result, tougher guidelines on a country-by-country basis are expected.
Organizations increasingly focus on and allocate more resources to data infrastructure and protection because theft of sensitive data can be crippling to a company and costly to shareholders. According to OWASP (Open Web Application Security Project), top privacy risks also include web application vulnerabilities, operator-side data leakage, insufficient data breach response, data sharing with third parties, and insecure data transfer.
It is important to note that one of the main objectives of data protection and privacy laws is that aggregated
customer data should not allow illegal or discriminatory uses. Organizations should always justify the collection
of personal information and restrict its use to the minimum necessary for business purposes. According to
established regulations, data should be retained for as short a time as possible, and strictly used to support
business operations.
Finally, with the IoT, a large number of sensor-enabled devices are designed to collect data about the users and
their environment. This data presumably provides a benefit to the device’s owner, the device’s manufacturer, and
the supplier. However, the IoT data collection and use can turn into a privacy issue when the individuals who are
observed by IoT devices have different privacy perspectives about the scope and use of that data than those of
the data collector. As a result, privacy is often cited as one of the most significant issues in large-scale IoT
deployment. Respect for privacy rights is integral to ensuring trust in the internet.
Understand Cyber Risks
In light of the increased prevalence of cybercrime, organizations must take a proactive approach to address cyber
risks, such as performing early risk identification. According to the Protiviti Internal Audit Capabilities and Needs
2016 survey results from various departments (e.g., Internal Audit, Audit Committee, IT Audit), the most
significant levels of cybersecurity risk to organizations include brand/reputation damage, data leakage, and data
security. The following are the top 10 cybersecurity risks to organizations:
Top 10 Cybersecurity Risks to Organizations
1. Brand/reputational damage
2. Data leakage (employee personal information)
3. Data security (company information)
4. Interrupted business continuity
5. Financial loss
6. Regulatory and compliance violations
7. Viruses and malware
8. Loss of employee productivity
9. Loss of intellectual property
10. Employee defamation
Source: Protiviti Internal Audit Capabilities and Needs Survey 2016
As businesses change quickly in today’s world, new product launches, mergers, acquisitions, market expansion,
and introductions of new technology are all on the rise. These tend to have a complicated impact on the strength
of an organization’s cybersecurity and its ability to keep pace with technological advances. For example, as
technology becomes more pervasive, changing business models and increased data (such as customers’,
employees’, and suppliers’ information) require protection from threats stemming from various sources and
motives. Deloitte Development LLC identified key cyber risk drivers, including technology expansion, evolving
business models, data growth, and motivated attackers.
Key Cyber Risk Drivers (figure)
Technology Expansion
• Internet, cloud, mobile, and social are mainstream platforms inherently oriented for sharing
• Employees want continuous, real-time access to their information
Evolving Business Models
• Service models have evolved: outsourcing, offshoring, contracting, and remote workforce
Data Growth
• Increased volume of customers' personal, account, and credit card data, employees' personally identifiable information, and company trade secrets
• Need to comply with privacy requirements across a wide array of jurisdictions
Motivated Attackers
• Hackers working for nation states
• Continuously innovating and subverting common controls
• Often beyond the reach of a country's law enforcement
Source: Deloitte Development LLC - Cybersecurity: The Role of Internal Audit, 2015
As organizations become more digitally connected, they increasingly face new exposures, including first- and third-party damage, business interruption, and regulatory consequences.
Organizations that understand good overall risk management principles should apply the same concepts in managing their cyber risk.
Key Risk Management Principles and How They Apply to Cyber Risk (figure)
1. Focus on what matters most: must align to the unique business and risk culture. Applied to cyber risk: know the critical information assets; identify the critical business assets most vulnerable to attack.
2. Measure and report: include qualitative statements and quantitative measures. Applied to cyber risk: make cyber risk more tangible; clearly define cyber risk and the underlying metrics.
3. Comprehensive in nature: should cover all risk types, current and forward-looking. Applied to cyber risk: align with existing risk frameworks (financial, operational, regulatory, customer, reputation).
4. Allocation of risk appetite: allocation of appetite to business units and risk types. Applied to cyber risk: make cyber risk relevant to the business; link organizational-level risks to individual business units and information assets.
5. Integrate with business planning: regulators are increasingly looking for evidence. Applied to cyber risk: embed risk appetite in investment decisions; prioritize investment where critical and empower the business to make informed local decisions.
Source: EY - Global Information Security Survey 2015
Review Questions - Section 4
14. Which of the following threat actors would have the most interest in financial/payment systems?
A. Disgruntled insiders
B. Nation-states
C. Organized crime groups
D. Hacktivists
15. The most complex and targeted attacks, which require a high level of financial investment and legal oversight, are usually carried out by state-sponsored threat actors employed by which of the following governments?
A. Middle East
B. Europe
C. China
D. United States
16. What is the primary motivation of hacktivists?
A. Espionage
B. Identity theft
C. Embarrassment of an organization
D. Black market activities
17. Which of the following has NOT increased the overall risk landscape of organizations?
A. A Network of Networks
B. Cloud Computing
C. Privacy and Data Protection
D. User education
Define Cyber Risk Roles and Responsibilities
Cyber attackers are finding new and better ways to take advantage of the rapid expansion of digitization and the
increasing connectivity of businesses. Cybersecurity is more than a technology issue, and cannot remain in the IT
domain because it affects every level of a business. Therefore, it is critical to implement a multi-layered risk
defense, as suggested by Deloitte Development LLC:
Three Lines of Defense Model
1st Line of Defense: Business & IT Functions
• Incorporate risk-informed decision making into day-to-day operations and fully integrate risk management into
operational processes
• Define risk appetite and escalate risks outside of tolerance
• Mitigate risks, as appropriate
2nd Line of Defense: Information & Technology Risk Management Function
• Establish governance and oversight
• Set risk baselines, policies, and standards
• Implement tools and processes
• Monitor and call for action, as appropriate
• Provide oversight, consultation, checks and balances, and enterprise-level policies and standards
3rd Line of Defense: Internal Audit
• Independently review program effectiveness
• Provide confirmation to the board on risk management effectiveness
• Meet requirements of SEC disclosure obligations focused on cybersecurity risks
In general, the chief executive officer (CEO) and Board set the tone for enhancing security and are responsible for
ensuring that the company designs and implements an effective cybersecurity program. However, cyber threats
and related mitigation are the responsibility of the entire enterprise. All members have a crucial part to play. A
wide range of individual responsibilities must be documented and detailed throughout the organization.
Detect and Respond to Cyberattacks
Detection
No organization can protect itself without understanding what it is protecting itself from. The first activity any
organization should undertake is developing an understanding of the specific cyber threats it faces. Cyber fraud
is increasingly common and affects all sectors of the economy, from retail and financial services to health care and
education. Cyberattacks are becoming more destructive as they are increasingly public and prominent. Although
prevention, such as controlling access with firewalls, passwords, and similar measures, remains crucial, the focus
is shifting away from prevention alone to addressing how to respond to intrusions and limit the damage they
cause. Cybercriminals often display certain behaviors or characteristics that may be warning signs or red flags. It
is critical for attacks to be reported to the relevant parties so that they are able to take timely and appropriate
actions as necessary. EY lists the following indicators of potential cyber fraud activities:
Indicators of Potential Cyber Fraud Activities
• Very visible attacks without an obvious purpose: e.g., DDoS; details stolen but with no obvious use to them
• Unexpected share price movements
• New products launched by competitors that are uncannily similar to your R&D and IP and reach the market just before yours — indicating IP theft and knowledge of your growth strategy and timings
• Mergers and acquisition (M&A) activities disrupted: rival bids that show similarities and may demonstrate awareness of confidential plans; M&A targets suffering cyber incidents (e.g., their IP stolen)
• Unusual customer or joint venture behavior: remember that these may not always be genuine customers or partners since cybercriminals can join organizations to gain easier access to your systems and data
• Unusual employee behavior: managers of staff need to be more aware of changes in behavior, especially when those staff work in more sensitive areas
• Operational disruption but without a clear cause
• Oddities in the payment processing or ordering systems
• Customer or user databases showing inconsistent information
Source: EY Global Information Security Survey 2015
A proactive incident response plan starts with a breach detection process focused on domain logging and
monitoring. Most systems use numerous devices to log various types of activity. For example, firewall and
application logs keep records of who logs in, who changes data, what records they view, as well as other
information.
The FFIEC, Cybersecurity Assessment Tool 2015, identifies the following examples of key detective controls:
• Independent penetration testing of network boundary and critical Web-facing applications is performed
routinely to identify security control gaps
• Independent penetration testing is performed on Internet-facing applications or systems before they are
launched or undergo significant change
• Antivirus and anti-malware tools are updated automatically
• Firewall rules are updated routinely and are audited or verified at least quarterly
• Vulnerability scanning is conducted and analyzed before the deployment/redeployment of new/existing
devices
• Processes are in place to monitor potential insider activity that could lead to data theft or destruction
• Audit or risk management resources review the penetration testing scope and results to help determine
the need for rotating companies based on the quality of the work.
• E-mails and attachments are automatically scanned to detect malware and are blocked when malware is
present.
• Online customer transactions are actively monitored for anomalous behavior
• Tools to detect unauthorized data mining are used
• Security logs are reviewed regularly
• Logs provide traceability for all system access by individual users
• Thresholds have been established to determine activity within logs that would warrant management
response
• Weekly vulnerability scanning is rotated among environments to scan all environments throughout the
year.
• Penetration tests include cyberattack simulations and/or real-world tactics and techniques such as red
team testing to detect control gaps in employee behavior, security defenses, policies, and resources.
• Automated tool(s) proactively identifies high-risk behavior signaling an employee who may pose an insider
threat.
• An automated tool triggers system and/or fraud alerts when customer logins occur within a short period
of time but from physically distant IP locations.
• External transfers from customer accounts generate alerts and require review and authorization if
anomalous behavior is detected.
• A system is in place to monitor and analyze employee behavior (network use patterns, work hours, and
known devices) to alert on anomalous activities.
• An automated tool(s) is in place to detect and prevent data mining by insider threats.
• Tags on fictitious confidential data or files are used to provide advanced alerts of potential malicious
activity when the data is accessed.
• The institution is leading efforts to develop event detection systems that will correlate in real-time when
events are about to occur.
• The institution is leading the development effort to design new technologies that will detect potential
insider threats and block activity in real-time.
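The FFIEC control above that triggers alerts when one customer logs in from physically distant locations within a short period is, in detection terms, an impossible-travel rule. The following is an added illustration of that rule, not code from the FFIEC tool or from this course; it assumes each login event already carries coordinates geolocated from its source IP upstream, and the field names, thresholds and sample events are all constructed.

```python
"""Impossible-travel detection over authentication events (added example).

Assumptions (not from the FFIEC text): login records arrive with a user id,
a timestamp and IP-geolocated latitude/longitude; the 900 km/h ceiling
approximates commercial air travel; hops under 100 km are ignored so that
geolocation jitter inside one city does not raise alerts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime
    lat: float  # degrees, geolocated from the source IP upstream (assumed)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Return (user, earlier, later, distance_km, speed_kmh) for each pair of
    consecutive logins by the same user whose implied speed exceeds the
    threshold. Pairs closer than min_distance_km are never reported."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_distance_km:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if hours <= 0:
                # Identical timestamps from distant places: treat as infinite speed.
                alerts.append((user, prev, cur, km, float("inf")))
                continue
            kmh = km / hours
            if kmh > max_speed_kmh:
                alerts.append((user, prev, cur, km, kmh))
    return alerts


def demo_alerts():
    """Run the rule over constructed sample logins (not real customer data)."""
    t0 = datetime(2019, 5, 6, 9, 0)
    sample = [
        # alice: New York at 09:00, London 45 minutes later -> should alert
        LoginEvent("alice", t0, 40.7128, -74.0060),
        LoginEvent("alice", t0 + timedelta(minutes=45), 51.5074, -0.1278),
        # bob: New York at 10:00, Philadelphia 90 minutes later -> plausible, no alert
        LoginEvent("bob", t0 + timedelta(hours=1), 40.7128, -74.0060),
        LoginEvent("bob", t0 + timedelta(hours=2, minutes=30), 39.9526, -75.1652),
        # carol: two logins from the same Chicago office minutes apart -> below min distance
        LoginEvent("carol", t0, 41.8781, -87.6298),
        LoginEvent("carol", t0 + timedelta(minutes=5), 41.8800, -87.6300),
    ]
    return impossible_travel(sample)


if __name__ == "__main__":
    for user, a, b, km, kmh in demo_alerts():
        print(f"ALERT {user}: {km:.0f} km between {a.when:%H:%M} and "
              f"{b.when:%H:%M} implies {kmh:.0f} km/h")
```

In a real deployment the alert tuple would feed the management-response thresholds the FFIEC list refers to, rather than a print statement.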
Moreover, the victim organization should also take immediate steps to preserve relevant existing logs. According
to the U.S. Department of Justice - Computer Crime & Intellectual Property Section Criminal Division:
Cybersecurity Unit, the types of information that the victim organization should retain include:
1. Description of all incident-related events, including dates and times;
2. Information about incident-related phone calls, emails, and other contacts;
3. The identity of persons working on tasks related to the intrusion, including a description, the amount of
time spent, and the approximate hourly rate for those persons’ work;
4. Identity of the systems, accounts, services, data, and networks affected by the incident and a description
of how these network components were affected;
5. Information relating to the amount and type of damage inflicted by the incident, which can be important
in civil actions by the organization and in criminal cases;
6. Information regarding network topology;
7. The type and version of software being run on the network; and
8. Any peculiarities in the organization’s network architecture, such as proprietary hardware or software.
Response
After detection comes the response. How does the organization recover from an incident? How does it limit the
damage and stop any illicit activities still occurring in the network? These questions uncover critical elements of a
cybersecurity incident response plan, which also encompasses a communication plan for informing parties directly
affected, other stakeholders, such as board members, vendors, and customers, as well as the outside world. A
cybersecurity incident response plan should reflect the organization’s industry, size, and other factors such as the
overall cybersecurity framework, considering no single model fits all situations. Typically, an incident response
plan outline consists of the following fundamental steps suggested by Crowe Horwath LLP:
1. Inventory and understand the data to be protected.
2. Inventory and classify incidents.
3. Understand known threats and monitor new ones.
4. Identify the stakeholders and incident response team – corporate communications, legal, compliance,
lines of business, IT, and external forensics partners.
5. Set up a command center.
6. Develop and implement a containment and investigation strategy.
7. Develop and implement an evidence preservation strategy.
8. Develop and implement a communication plan for customers, media, regulators, and other stakeholders.
9. Conduct a post-mortem, and apply lessons learned.
According to Hewlett-Packard, Executive breach response playbook: How to successfully navigate the enterprise
through a serious data breach 2015, there are four classes of responses required for a cybersecurity incident:
Technical Response. It is designed to focus on the actions the technical staff takes to analyze and resolve an event
or incident. Technical staff includes the IT groups required to assist with remediation of the event or incident. This
phase can involve several groups or departments within the IT organization to coordinate and provide technical
actions to contain, resolve, or mitigate incidents, as well as providing the actions needed to repair and recover.
Management Response. The management response includes activities that require management intervention,
notification, interaction, escalation, or approval as part of any response. It may also include coordinating with
corporate communications as it relates to any human resources, public relations, financial accounting, audits, and
compliance issues.
Communication Response. These are activities that require some measure of communications to the corporation
and internal and external constituents. Corporate communications should always be consulted prior to any
communications being released. In many cases, management will direct the release of breach information.
Figure: the four classes of response, Technical Response, Management Response, Communication Response and
Legal Response.
Legal Response. The legal response, if required, would work with outside regulators, third parties, and other
parties. In addition, legal input would be required for any external communications, to ensure that such
communication is in accordance with company policy and supports any statutory or regulatory requirements.
Responding to cyber incidents usually consists of five stages:
Key Activities of Responding to Cyber Incidents
Stage: Response Planning
• The response plan is executed during or after an event
Stage: Communications
• Personnel know their roles and order of operations when a response is needed
• Events are reported consistent with established criteria
• Information is shared consistent with response plans
• Coordination with stakeholders occurs consistent with response plans
• Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational
awareness
Stage: Analysis
• Notifications from detection systems are investigated
• The impact of the incident is understood
• Forensics are performed
• Incidents are categorized consistent with the response plan
Stage: Mitigation
• Incidents are contained
• Incidents are mitigated
• Newly identified vulnerabilities are mitigated or documented as accepted risks
Stage: Improvement
• Response plans incorporate lessons learned
• Response strategies are updated
Source: NIST - Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, 2014
Recover from Cyberattacks
Much of the planning and documentation for recovering from a cybersecurity event needs to be in place before
the event occurs. Therefore, it is critical to have guidance and playbooks that support asset prioritizations and
recovery objectives. The NIST defines a recovery plan as:
“Providing a method to document and maintain specific strategies and decisions regarding the approved means
for implementing and conducting business recovery processes.”
The organization must develop a playbook to recover from a data breach and follow the set of activities
identified by the NIST, Guide for Cybersecurity Event Recovery:
1. A description of a set of formal recovery processes to use if the organization experiences a data breach.
2. A list of critical people, facilities, technical components, and external services that are required to achieve
the organization’s mission(s). The playbook enumerates the data breach recovery team personnel,
including the incident response team, the IT operational team, which includes application owners,
managers, and administrators, system and network administrators, security and privacy officers, general
counsel, public relations, law enforcement organization, information sharing organization, and external
service providers as required.
3. A current set of functional and security dependency maps focused on systems that process and store
organizational information, in particular, the key assets. These maps identified in the playbook include
context to help the recovery team select the order of restoration priority.
4. Metrics and other factors used to effectively plan for restoration priority may include:
• Legal costs
• Hardware, software, and labor costs
• Amount of lost revenue due to business downtime to include loss of existing and future business
opportunities
• Instantiation of new services to restore customers’ trust
• Gaps identified in the playbook
• Internal users, external business partners, and customers satisfaction
• Service level agreements with internal business teams
• Confidence level around the quality of the backups
• Quality of the overall recovery plan and process used to develop the data breach playbook
5. A set of authorized resources and tested tools that have been used in the exercises
6. A comprehensive recovery communications plan with fully integrated internal and external
communications considerations. It includes specific elements that are included in the content to
communicate with the management team including the board, the general counsel, public relations, law
enforcement organization, the IT team, the employees, and external service providers.
7. Periodic training and exercises were defined and have occurred to validate and restore the components
identified in the dependencies maps, in particular key assets such as infrastructure components, critical
data stores, and IT security functions from known good states, to ensure timely recovery team
coordination and restoration of capabilities or services affected by a data breach event
In summary, a typical recovery plan should include the following elements:
Key Elements of a Recovery Plan
Service level agreement
Relevant service/operational/organization level agreement details – Information about
existing written commitments to provide a particular level of service (e.g. availability
percentage, maximum allowable downtime, guaranteed bandwidth provision). This may
include pre-established external engagement contract support that can assist and augment
the organization’s recovery team in the event of a major cyber event.
Authority
Documented name and point of contact information for two or more management staff
members who may activate the plan
Recovery team membership
Point of contact information for designated members of the team who have reviewed,
exercised, and are prepared to implement the plan.
Specific recovery details and procedures
Documented system details that apply to the given information system, with diagrams where
applicable. These details may prescribe specific recovery activities that should be performed
by the recovery team, including application restoration details or methods to activate
alternate means of processing (e.g. backup servers, failover site).
Out of band communications
Ability to communicate with the critical business, IT, and IT security stakeholders, including
external parties like incident response and recovery teams, without using existing production
systems, which are frequently monitored by advanced adversaries.
Communication Plan
Any specific notification and/or escalation procedures that apply to this information system.
As an example, some systems impact users outside of the organization, and legal, public
relations, and human resources personnel may need to be engaged to manage expectations
and information disclosure about the incident and recovery progress.
Off-site storage details
Details regarding any arrangement for storing specific records or media at an offline or offsite
location. This is particularly critical given the credible threat of ransomware that encrypts data
and holds the decryption key hostage for payment.
Operational workarounds
Approved workaround procedures if the information system is not able to be restored within
the recovery time objective (RTO).
Facility recovery details
Information that is relevant to the resilience of a physical facility such as an office location or
a data center. Such details might include personnel notification processes, alternate location
information, and communications circuit details
Infrastructure, hardware, and software
Details regarding access to the infrastructure, hardware, and software to provide intermediary
services used during the recovery process. Examples include an identity management system,
a recovery network, a messaging system, and a staging system to validate the integrity of
recovered data from backups and restore the system in order to instantiate trust in the
infrastructure.
Source: The NIST, Guide for Cybersecurity Event Recovery (NIST Special Publication 800-184)
Cyber Criminal Forum Taken Down
Members Arrested in 20 Countries
Source: www.fbi.gov Stories July 15, 2015
It was, in effect, a one-stop, high-volume shopping venue for some of the world’s most prolific cybercriminals. Called Darkode,
this underground, password-protected, online forum was a meeting place for those interested in buying, selling, and trading
malware, botnets, stolen personally identifiable information, credit card information, hacked server credentials, and other
pieces of data and software that facilitated complex cybercrimes all over the globe.
Unbeknownst to the operators of this invitation-only, English-speaking criminal forum, the FBI had infiltrated this
communication platform at the highest levels and began collecting evidence and intelligence on Darkode members.
Today, the Department of Justice and the FBI—with the assistance of our partners in 19 countries around the world—
announced the results of Operation Shrouded Horizon, a multi-agency investigation into the Darkode forum. Among the
results obtained were charges, arrests, and searches involving 70 Darkode members and associates around the world. There
also were U.S. indictments against 12 individuals associated with the forum, including its administrator, several U.S. search
warrants, as well as the Bureau’s seizure of Darkode’s domain and servers.
Said FBI Deputy Director Mark Giuliano, “Cybercriminals should not have a safe haven to shop for the tools of their trade, and
Operation Shrouded Horizon shows we will do all we can to disrupt their unlawful activities.”
During the investigation, the Bureau focused primarily on the Darkode members responsible for developing, distributing,
facilitating, and supporting the most egregious and complex cybercriminal schemes targeting victims and financial systems
around the world, including in the United States.
The Darkode forum, which included between 250 and 300 members, operated very carefully. Ever fearful of compromise by
law enforcement, Darkode administrators made sure prospective members were heavily vetted and that not just anyone
could join.
Similar to practices used by the Mafia, a potential candidate for forum membership had to be sponsored by an existing
member and sent a formal invitation to join. In response, the candidate had to post an online introduction—basically, a
resume—highlighting the individual’s past criminal activity, particular cyber skills, and potential contributions to the forum.
The forum’s active members then decided whether to approve applications or reject them.
Once in the forum, members—in addition to buying and selling cybercriminal products and services—used it to exchange
ideas, knowledge, and advice on any number of cyber-related fraud schemes and other illegal activities. It was almost like a
think tank for cybercriminals.
What’s the significance of this case, believed to be the largest-ever coordinated law enforcement effort directed at an online
cybercriminal forum? In addition to shutting down a major resource for cybercriminals, law enforcement infiltrated a closed
criminal forum to obtain the intelligence and evidence needed to identify and prosecute these criminals. This action paid off
with a treasure trove of information that ultimately led to the dismantlement of the forum and law enforcement actions
against dozens of its worst criminal members around the world.
The case was led by the FBI’s Pittsburgh Field Office, with assistance from our offices in Washington, San Diego, and a number
of others around the country. Yet it wouldn’t have happened without the support of Europol and other partners in 19
countries. In addition to the FBI obtaining enough evidence for search warrants and indictments in the U.S., we shared
information with our foreign partners to help them make their own cases against the Darkode perpetrators residing in their
jurisdictions.
Operation Shrouded Horizon is a prime example of why the most effective way to combat cybercrime—which operates
globally—is a law enforcement response that also transcends national borders.
Review Questions - Section 5
18. According to the Three Lines of Defense model, which of the following controls is part of the first line of
defense’s responsibilities?
A. Independently reviewing cybersecurity program effectiveness
B. Defining risk appetite and escalating risks outside of tolerance
C. Establishing governance and oversight
D. Meeting compliance requirements related to cybersecurity risks
19. According to the Three Lines of Defense model, which of the following controls usually serves as the third line
of defense providing independent assurance?
A. Providing confirmation to the board on risk management effectiveness
B. Classifying data and designing least-privilege access roles
C. Implementing vulnerability management with internal and external scans
D. Deploying intrusion detection systems and conduct penetration testing
20. Which of the following documents provides specific notification and/or escalation procedures that apply to
the particular information system?
A. Service level agreement
B. Operational workarounds
C. Specific recovery details and procedures
D. Communication plan
VIII. Changes to Internal Audit
Maximize the Internal Audit Values
Board members and management rely greatly on their internal audit functions to provide assurance and
compliance-related activities. Amid ongoing business transformation, stakeholders increasingly seek more input
from their internal audit groups. This includes not only the risks tied to long-term strategy but the strength of
cybersecurity measures and the risks associated with digital transformation and mobile technology.
According to Protiviti’s Internal Audit Capabilities and Needs Survey 2019 there are substantial year-over-year
increases in the number of organizations that now include cybersecurity risks in their annual audit plans. Nearly
three out of four organizations are evaluating cybersecurity risk as a key part of the annual audit plan. This result
indicates higher levels of interest and concerns among organizations about the cyber threats they now encounter
daily. In addition, many organizations are likely being influenced by their external auditors who place increased
scrutiny on management’s cybersecurity program. It is driven by the current cyber threats environment along
with SEC disclosure obligations. The details of disclosure obligations relating to cybersecurity risks and cyber
incidents are discussed in the “SEC Cybersecurity Disclosure Obligations” section.
An internal audit function provides a holistic approach to identifying where an organization may be vulnerable,
from testing BYOD (bring your own devices) policies to reviewing third-party contracts for compliance with
security protocols. Internal audits can also provide assurance for the effectiveness of IT governance. As
technology issues dominate the priority list for internal auditors, internal audit continues to incorporate data
analytics and other technology in its work. According to the IIA, the top reason for auditing cybersecurity is that
cybersecurity was rightfully rated a high risk, demonstrating that internal audit leaders have placed the right
emphasis on the ever-increasing importance of cybersecurity, which is driven by:
• Minimizing costly consequences of data breaches (e.g. legal fines, remediation efforts, coverage of
customer losses, and potential loss of business)
• Avoiding reputation damage to the organization, especially the loss of customer data
• Averting non-compliance with regulatory requirements (e.g. General Data Protection Regulation)
• Preventing the loss of intellectual property and other proprietary information
According to Protiviti Internal Audit Capabilities and Needs 2019 survey, cybersecurity risk/threat and enterprise
risk management are at the top of the priority list. As Chief Audit Executives (CAEs) recognize the importance of
providing clarity around IT risks, they understand the need for internal audit to leverage this information as part
of its auditing activities for the organization. The following are the items on CAEs’ priority list:
1. Cybersecurity risk/threat
2. Enterprise risk management
3. Fraud risk management
4. Vendor/third-party risk management
5. COSO Internal Control − Integrated Framework
6. Revenue Recognition Standard (ASU 2014-09)
7. AICPA’s Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program
8. Lease Accounting Standard (ASU 2016-02)
9. Evaluating SOC reports
10. Cloud computing
An evolving internal audit provides a holistic approach to identifying where an organization may be vulnerable,
from testing BYOD policies to reviewing third-party contracts for compliance with security protocols. Based on
the IIA’s global survey results, internal audit departments that audit cybersecurity are starting to provide a wide
range of valuable services to their organizations. The most frequent services include:
• Assessing controls on internet-connected systems that process, store, and/or transport data
• Reviewing the business continuity plan
• Evaluating the cybersecurity risk assessment process
• Assessing cybersecurity prevention procedures
• Evaluating the incident response plan
• Reviewing the crisis management plan
• Providing guidance to cybersecurity plans and performance
When properly resourced and supported, internal audit functions will develop the skills and perspective needed
to provide review and assurance services in cybersecurity. There are six key areas of cyber preparedness.
Here is how internal audit can contribute to each one:
How Internal Audit Can Help with Cyber Preparedness
Scope: Governance & Processes
Objective: Identify gaps in the policies and procedures implemented in the organization pertaining to information
security and IT infrastructure as well as the associated risks
Areas covered:
• Review of cybersecurity policies, procedures, guidelines and strategies
• Testing of security operations effectiveness
• Security operations such as log analysis, event monitoring, antivirus management
• End-user security awareness and training
Scope: Network Architecture & Security Review & Behavioral Analysis
Objective: Evaluate whether the security architecture supports the organization’s thresholds for risk, while still
supporting key business objectives
Areas covered:
• Review of security architecture and devices
• Network topology and zoning
• Log-in procedures and authentication requirements
• Behavioral analysis of the existing network infrastructure
• Assessment of vulnerabilities pertaining to protocol
Scope: Proactive Advanced Persistent Threat Review
Objective: Mitigate the risk of information leakage and eavesdropping and foresee the expected attacks and threats
that the network might be subject to
Areas covered:
• Root cause analysis
• Deep packet inspection
• Malware identification
• Code-based malware analysis
• Behavioral analysis
Scope: Baseline Security Review
Objective: Identify security risks in the network
Areas covered:
• Redundancy testing for security-related network components
• Vulnerability analytics
• Conduct of penetration test of the network and servers from internal and external networks
• Review of security patch upgrades on all end-user and server systems
• Review of licenses and inventory of all vendor-specific applications
• Review of baseline configuration of all OS and DB deployed
Scope: Cyberattack Identification & Response
Objective: Evaluate procedures and processes enabling discovery and reporting of cyberattack incidents
Areas covered:
• Response team
• Reporting
• Investigation
• Recovery and follow-up
• Law enforcement
Scope: Vulnerability Identification & Mitigation
Objective: Help discover the vulnerability exploited by cybercriminals and the associated application(s) so that the
appropriate fix can be applied to the infected part and stringent steps can be taken to strengthen the capability to
combat such attacks
Areas covered:
• Identification of exploited vulnerability using analysis of captured malware
• Identification of exploited applications
• Deployment of security fixes, patches, and updates of the exploited vulnerability
• Antivirus signature preparation against the captured malware
Source: EY - Cybersecurity and Internal Audit, 2014
In addition to protection and detection, internal audit plays a central role in helping the audit committee oversee
cybersecurity. For example, the regular assessments conducted by internal audit play an important part in
providing the audit committee with a comprehensive appraisal of the organization’s strengths and weaknesses.
Chief audit executives (CAEs) are in a unique position to educate board and audit committee members about an
organization’s diverse efforts to battle cyber threats.
Identify IIA Standards Related to Cybersecurity
The IIA identifies the following selections from the IIA’s International Standards for the Professional Practice of
Internal Auditing (Standards) that are relevant to cybersecurity.
Standard 1210 – Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual
responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other
competencies needed to perform its responsibilities.
1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and
controls and available technology-based audit techniques to perform their assigned work. However, not
all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility
is information technology auditing.
Standard 2050 – Coordination
The chief audit executive should share information and coordinate activities with other internal and external
providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.
Standard 2110 – Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance
process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of and communicating information among the board, external and internal
auditors, and management.
2110.A2 – The internal audit activity must assess whether the information technology governance of the
organization supports the organization’s strategies and objectives.
Standard 2120 – Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management
processes.
Cyber Criminal Charged In Scheme to Steal More Than $1.5 Million from A U.S. Financial Institution
Defendant Allegedly Conducted Unauthorized Intrusion into a Government Website
www.justice.gov Press Release Oct 27, 2016
Yesterday, a complaint was unsealed charging Dwayne C. Hans, a United States citizen, with wire fraud, computer
fraud, and money laundering. According to the complaint, between April 2016 and July 2016, the defendant
masterminded a series of fraudulent activities against a U.S. financial institution in which he masqueraded as an
authorized representative of that institution. Using this ruse, he transferred funds from the financial institution’s
corporate bank accounts for his own use. The defendant also accessed a website run by the U.S. General Services
Administration without authorization and then redirected money intended for the financial institution to his own
bank account.
The defendant’s initial appearance was held yesterday before United States District Judge Thomas O. Rice at the
U.S. Courthouse in Spokane, Washington. The court scheduled a detention hearing for Monday, October 31, to
determine whether the defendant will be held in custody pending his removal to the Eastern District of New York
for further proceedings.
The charges were announced by Robert L. Capers, United States Attorney for the Eastern District of New York,
and William F. Sweeney, Jr., Assistant Director in Charge, Federal Bureau of Investigation, New York Field Office
(FBI).
As alleged in the complaint, the defendant stole $134,000 from the financial institution and attempted to steal
approximately $1.5 million more. Posing as someone authorized to conduct financial transactions for the financial
institution, the defendant misappropriated money from corporate bank accounts to buy shares of stock in publicly
traded companies, invest in a real estate property in Brooklyn, New York, and benefit his family members. He also
conducted an unauthorized intrusion into the website SAM.gov, which stores information about companies that
provide services to the federal government. During this unauthorized website intrusion, the defendant changed
the information in entries pertaining to the financial institution, including by replacing the bank account
information for the financial institution with the defendant’s personal bank account information. As a result, the
Pension Benefit Guaranty Corporation sent more than $1.5 million to the defendant instead of the financial
institution. These fraudulent wire transfers were reversed once they were detected.
The defendant was arrested in Richland, Washington, on October 26, 2016, pursuant to a criminal complaint
issued in the Eastern District of New York.
“Cybercriminals scour the internet for information they can use to steal with impunity,” stated United States
Attorney Capers. “They threaten to undermine our confidence in the internet and in the cyber world, on which
we rely each and every day. The arrest announced today sends all would-be cybercriminals a message – we will
find you, and we will bring you to justice.”
“Criminals who exploit the internet to commit crimes think they can hide behind the virtual veil of a computer
screen. Yet just as today’s charges remind us that everyone is at risk of becoming a victim of cybercrime, so too
should the public be reminded that the FBI will continue to be a major force in confronting those who think they
can evade the law,” stated FBI Assistant Director in Charge Sweeney.
The charges in the complaint are allegations, and the defendant is presumed innocent unless and until proven
guilty.
Going Dark (from the FBI)
Source: www.fbi.gov Operational Technology
Law enforcement at all levels has the authority to intercept and access communications and information pursuant
to court orders, but it often lacks the technical ability to carry out these orders because of a fundamental shift in
communication services and technologies. This scenario is often called the “Going Dark” problem.
Law enforcement faces two distinct “Going Dark” challenges. The first concerns real-time court-ordered
interception of data in motion, such as phone calls, e-mail, text messages, and chat sessions. The second challenge
concerns “data at rest”, or court-ordered access to data stored on devices, like e-mail, text messages, photos, and
videos. Both real-time communications and stored data are increasingly difficult for law enforcement to obtain
with a court order or warrant. This is eroding law enforcement’s ability to quickly obtain valuable information that
may be used to identify and save victims, reveal evidence to convict perpetrators, or exonerate the innocent.
It's important to note that the FBI supports strong encryption systems. We also know first-hand the damage that
can be caused by vulnerable and insecure systems. As such, the Department of Justice, the FBI, and other law
enforcement agencies are on the front lines of the fight against cybercrime. The government uses strong
encryption to secure its own electronic information and encourages the private sector and members of the public
to do the same.
However, the challenges faced by law enforcement to lawfully and quickly obtain valuable information are
worsening. The Communications Assistance for Law Enforcement Act (CALEA) was enacted in 1994 and applies
only to traditional telecommunications carriers, providers of interconnected voice over internet protocol (VoIP)
services, and providers of broadband access services. Currently, thousands of companies provide some form of
communication service, and most are not required by CALEA to develop lawful intercept capabilities for law
enforcement. As a result, many of today’s communication services are developed and deployed without
consideration of law enforcement’s lawful intercept and evidence collection needs.
When changes in technology hinder law enforcement’s ability to exercise investigative tools and follow critical
leads, we may not be able to root out the child predators hiding in the shadows of the Internet or find and arrest
violent criminals targeting our neighborhoods. We may not be able to identify and stop terrorists who are using
social media to recruit, plan, and execute an attack in our country. We may not be able to recover critical
information from a device that belongs to a victim who cannot provide us with the password, especially when
time is of the essence. These are not just theoretical concerns.
We continue to identify individuals who seek to join the ranks of foreign fighters traveling in support of the Islamic
State of Iraq and the Levant, commonly known as ISIL, and also homegrown violent extremists who may aspire to
attack the United States from within. These threats remain among the highest priorities for the FBI and the United
States government as a whole.
Of course, encryption is not the only technology terrorists and criminals use to further their ends. Terrorist groups,
such as ISIL, use the Internet to great effect. With the widespread horizontal distribution of social media, terrorists
can spot, assess, recruit, and radicalize vulnerable individuals of all ages in the United States either to travel or to
conduct a homeland attack. As a result, foreign terrorist organizations now have direct access to the United States
like never before. Some of these conversations occur in publicly accessed social networking sites, but others take
place via private messaging platforms. These encrypted direct messaging platforms are tremendously problematic
when used by terrorist plotters.
Of the Going Dark problem, Director James Comey has said, “Armed with lawful authority, we increasingly find
ourselves simply unable to do that which the courts have authorized us to do, and that is to collect information
being transmitted by terrorists, by criminals, by pedophiles, by bad people of all sorts.” As for the perceived
conflict of interest between keeping people safe and protecting their privacy, “it isn’t a question of conflict,”
according to Comey. “We must care deeply about protecting liberty through due process of law, while also
safeguarding the citizens we serve—in every investigation”, he says.
To help address the challenges posed by advancing communications services and technologies, the Department
of Justice’s National Domestic Communications Assistance Center (NDCAC) leverages and shares the law
enforcement community’s collective technical knowledge, solutions, and resources. NDCAC also works on behalf
of federal, state, local, and tribal law enforcement agencies to strengthen law enforcement’s relationships with
the communications industry.
Review Questions - Section 6
21. Which of the following audits helps an organization identify gaps in the policies and procedures implemented
in the organization pertaining to IT infrastructure?
A. Governance & Processes Review
B. Cyberattack Identification & Response Review
C. Baseline Security Review
D. Proactive Advanced Persistent Threat Review
22. How can Internal Audit contribute to an organization’s cybersecurity preparedness?
A. Integrate risk management into operational processes
B. Monitor decisions made by regulators in response to cyber incidents
C. Implement the user security awareness program
D. Review security architecture and devices
Appendix A: Disclosing Risk Factors
Example 1: Comcast Corporation 2015 Annual Report
Risk Factors
We rely on network and information systems and other technologies, as well as key properties, and a
disruption, cyberattack, failure or destruction of such networks, systems, technologies or properties may
disrupt our businesses.
Network and information systems and other technologies, including those related to our network management,
customer service operations and programming delivery, are critical to our business activities. Network and
information systems-related events, including those caused by us or by third parties, such as computer hackings,
cyberattacks, computer viruses, worms or other destructive or disruptive software, process breakdowns, denial
of service attacks, malicious social engineering or other malicious activities, or any combination of the foregoing,
or power outages, natural disasters, terrorist attacks or other similar events, could result in a degradation or
disruption of our services, excessive call volume to call centers or damage to our equipment, data, and properties.
These events also could result in large expenditures to repair or replace the damaged properties, networks or
information systems or to protect them from similar events in the future, and any such events could have an
adverse effect on our results of operations.
In addition, we may obtain certain confidential, proprietary and personal information about our customers,
personnel and vendors, and may provide this information to third parties, in connection with our business. While
we obtain assurances that these third parties will protect this information, there is a risk that this information may
be compromised. Any security breaches, such as misappropriation, misuse, leakage, falsification or accidental
release or loss of information maintained in our information technology systems, including customer, personnel
and vendor data, could damage our reputation and require us to expend significant capital and other resources
to remedy any such security breach, and could cause regulators to impose fines or other remedies for failure to
comply with relevant customer privacy rules.
The risk of these systems-related events and security breaches occurring continues to intensify in many lines of
business, and our lines of business may be at a disproportionately heightened risk of these events occurring, due
to the nature of our businesses and the fact that we maintain certain information necessary to conduct our
business in digital form stored on cloud servers. In the ordinary course of our business, there are frequent
attempts to cause such systems-related events and security breaches, and we have experienced a few minor
systems-related events that, to date, have not resulted in any significant degradation or disruption to our network
or information systems or our services or operations. While we develop and maintain systems, and operate a
comprehensive security program, seeking to prevent systems-related events and security breaches from
occurring, the development, maintenance and operation of these systems and programs is costly and requires
ongoing monitoring and updating as technologies change and efforts to overcome security measures become
more sophisticated. Despite efforts to prevent these events and security breaches, there can be no assurance that
they will not occur in the future or will not have an adverse effect on our businesses. Moreover, the amount and
scope of insurance we maintain against losses resulting from any such events or security breaches likely would
not be sufficient to cover our losses or otherwise adequately compensate us for any disruptions to our business
that may result, and the occurrence of any such events or security breaches could have an adverse effect on our
business.
Example 2: Hertz Global Holdings 2014 Annual Report
Risk Factors
The misuse or theft of information we possess, including as a result of cybersecurity breaches, could harm our
brand, reputation or competitive position and give rise to material liabilities.
We regularly possess, store and handle non-public information about millions of individuals and businesses,
including both credit and debit card information and other sensitive and confidential personal information. In
addition, our customers regularly transmit confidential information to us via the internet and through other
electronic means. Despite the security measures we currently have in place, our facilities and systems and those
of our third-party service providers may contain defects in design or manufacture or other problems that could
unexpectedly compromise information security. Unauthorized parties may also attempt to gain access to our
systems or facilities, or those of third parties with whom we do business, through fraud, trickery, or other forms
of deception of our employees or contractors. Many of the techniques used to obtain unauthorized access,
including viruses, worms, and other malicious software programs, are difficult to anticipate until launched against
a target and we may be unable to implement adequate preventative measures. Our failure to maintain the security
of that data, whether as the result of our own error or the malfeasance or errors of others, could harm our
reputation, interrupt our operations, result in governmental investigations and give rise to a host of civil or
criminal liabilities. Any such failure could lead to lower revenues, increased remediation, prevention, and other
costs and other material adverse effects on our results of operations.
Appendix B: Data Breach Disclosure
Representing a Material Event − Target Corporation 2015 Quarterly Report
For the quarterly period ended August 1, 2015
Item 2. Management’s Discussion and Analysis of Financial Condition and Results of Operations
Other Performance Factors
Consolidated Selling, General and Administrative Expenses
In addition to segment selling, general and administrative expenses, we recorded certain other expenses. For the
three and six months ended August 1, 2015, these expenses included $11 million and $114 million, respectively,
of restructuring costs and $9 million and $12 million, respectively, of Data Breach-related costs. For the three and
six months ended August 2, 2014, these expenses included $111 million and $129 million, respectively, of Data
Breach-related costs (net of expected insurance proceeds), $16 million of impairments, and $13 million of costs
related to plans to convert existing co-branded REDcards to MasterCard co-branded chip-and-PIN cards in 2015
to support the accelerated transition to chip-and-PIN-enabled REDcards.
Appendix C: Financial Statement Disclosure Target Corporation 2015 Quarterly Report
For the quarterly period ended August 1, 2015
Notes to Consolidated Financial Statements (unaudited)
Data Breach
In the fourth quarter of 2013, we experienced a data breach in which an intruder stole certain payment card and
other guest information from our network (the Data Breach). Based on our investigation, we believe that the
intruder installed malware on our point-of-sale system in our U.S. stores and stole payment card data from up to
approximately 40 million credit and debit card accounts of guests who shopped at our U.S. stores between
November 27 and December 17, 2013. In addition, the intruder stole certain guest information, including names,
mailing addresses, phone numbers or email addresses, for up to 70 million individuals.
Data Breach Related Accruals
Each of the four major payment card networks has made a written claim against us regarding the Data Breach,
either directly or through our acquiring banks. In August 2015, we entered into a settlement agreement with Visa
under which we will pay up to $67 million to eligible Visa card issuers worldwide that issued cards that Visa claimed
to have been affected by the Data Breach. Our previously recorded accrual for estimated probable losses related
to Visa is consistent with the settlement. We expect to dispute the remaining unsettled claims regarding the Data
Breach that have been or may be made against us by the payment card networks. With respect to the three major
payment card networks other than Visa, we think it is probable that our disputes would lead to settlement
negotiations. We believe such negotiations would affect a combined settlement of the payment card networks'
counterfeit fraud loss allegations and their non-ordinary course operating expense allegations.
In addition, more than 100 actions were filed in courts in many states on behalf of guests, payment card-issuing
banks, and shareholders, seeking damages or other related relief allegedly arising out of the Data Breach. The
federal court actions (the MDL Actions) have been consolidated in the U.S. District Court for the District of
Minnesota (MDL Court) pursuant to the rules governing multidistrict litigation and one remaining state court
action has been stayed. In March 2015, Target entered into a Settlement Agreement that, upon approval of the
MDL Court, will resolve and dismiss the claims asserted in the MDL Actions on behalf of a class of guests whose
information was compromised in the Data Breach. Pursuant to the Settlement Agreement, Target has agreed to
pay $10 million to class member guests, certain administrative costs associated with the settlement, and
attorneys’ fees and expenses to class counsel as the Court may award. The claims asserted by payment card issuing
banks and shareholders in the MDL Actions remain pending. One action was filed in Canada relating to the Data
Breach. That action was dismissed but is being appealed. State and federal agencies, including State Attorneys
General, and the Federal Trade Commission are investigating events related to the Data Breach, including how it
occurred, its consequences and our responses. The SEC's Enforcement Division concluded its investigation during
the second quarter of 2015 and does not intend to recommend an enforcement action against us.
Our accrual for estimated probable losses for what we believe to be the vast majority of actual and potential Data
Breach related claims is based on the expectation of reaching negotiated settlements, and not on any
determination that it is probable we would be found liable for the losses we have accrued were these claims to
be litigated. Given the varying stages of claims and related proceedings, and the inherent uncertainty surrounding
them, our estimates involve significant judgment and are based on currently available information, historical
precedents and an assessment of the validity of certain claims. Our estimates may change as new information
becomes available, and although we do not believe it is probable, it is reasonably possible that we may incur a
material loss in excess of the amount accrued. We are not able to estimate the amount of such reasonably possible
excess loss exposure at this time because many of the matters are in the early stages, alleged damages have not
been specified, and there are significant factual and legal issues to be resolved.
Expenses Incurred and Amounts Accrued
We recorded $9 million and $12 million of pretax Data Breach-related expenses during the three and six months
ended August 1, 2015, respectively, primarily for legal and other professional services. We recorded $148 million
and $175 million of pretax Data Breach-related expenses during the three and six months ended August 2, 2014,
respectively, partially offset by expected insurance recoveries of $38 million and $46 million, respectively. Along
with legal and other professional services, these expenses included an increase to the accrual for estimated
probable losses for what we believe to be the vast majority of actual and potential breach-related claims, including
claims by the payment card networks. These expenses were included in our Consolidated Statements of
Operations as SG&A, but were not part of our segment results. Since the Data Breach, we have incurred $264
million of cumulative expenses, partially offset by expected insurance recoveries of $90 million, for net cumulative
expenses of $174 million.
Insurance Coverage
To limit our exposure to losses relating to Data Breach and other claims, we maintained $100 million of network-
security insurance coverage during the period that the Data Breach occurred, above a $10 million deductible and
with a $50 million sublimit for settlements with the payment card networks. This coverage, and certain other
customary business-insurance coverage, has reduced our exposure related to the Data Breach. We will pursue
recoveries to the maximum extent available under the policies. Since the Data Breach, we have received $35
million from our network-security insurance carriers of the $90 million accrued.
Data Breach Balance Sheet Rollforward
(millions)                                                 Liabilities    Insurance Receivable
Balance at February 1, 2014                                        $61                     $44
Expenses incurred/insurance receivable recorded (a)                175                      46
Payments made/received                                            (54)                    (20)
Balance at August 2, 2014                                         $182                     $70
Balance at January 31, 2015                                       $171                     $60
Expenses incurred/insurance receivable recorded (a)                 12                       -
Payments made/received                                            (15)                     (5)
Balance at August 2, 2015                                         $168                     $55
(a) Includes expenditures and accruals for Data Breach-related costs and expected insurance recoveries as discussed below.
Appendix D: Forward-Looking Statements Disclosure
Concho Resources Inc. 8-K Filing
September 13, 2017 Form 8-K
Forward-Looking Statements and Cautionary Statements
Forward-looking statements are not guarantees of performance. Although the Company believes the expectations
reflected in its forward-looking statements are reasonable and are based on reasonable assumptions, no assurance
can be given that these assumptions are accurate or that any of these expectations will be achieved (in full or at
all) or will prove to have been correct. Moreover, such statements are subject to a number of assumptions, risks,
and uncertainties, many of which are beyond the control of the Company, which may cause actual results to differ
materially from those implied or expressed by the forward-looking statements. These risks include, without
limitation, the risk factors discussed or referenced in the Company’s most recent Annual Report on Form 10-K and
in the Company’s Quarterly Report on Form 10-Q for the quarter ended March 31, 2017……………; risks and liabilities
associated with acquired properties or businesses; uncertainties about the Company’s ability to successfully
execute its business and financial plans and strategies; the adequacy of the Company’s capital resources and
liquidity including, but not limited to, access to additional borrowing capacity under the Company’s credit facility;
the impact of potential changes in the Company’s credit ratings; cybersecurity risks, such as those involving
unauthorized access, malicious software, data privacy breaches by employees or others with authorized access,
cyber or phishing-attacks, ransomware and other security issues……………..
Glossary
Botnets: Networks of compromised computers, controlled by remote attackers in order to perform such illicit tasks as sending spam or attacking other computers.
Bring Your Own Device: Bring Your Own Device (BYOD) is the practice of allowing employees of an organization to use their own computers, smartphones, or other devices for work purposes.
Business Email Compromise: A scam carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
Critical Infrastructure: Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters.
Cyberattack: Any type of offensive maneuver employed by individuals or whole organizations that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts usually originating from an anonymous source that either steals, alters, or destroys a specified target by hacking into a susceptible system.
Cybercrime: Involves any criminal act dealing with computers and networks, and traditional crimes conducted through the internet, such as hate crimes, telemarketing and internet fraud, and identity theft.
Cyber Forensics: A branch of digital forensic science pertaining to evidence found in computers and digital storage media in order to provide a conclusive description of cybercrime.
Cybersecurity: The process of protecting information by preventing, detecting, and responding to attacks.
Cyberspace: The interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people.
Cybersecurity Event: A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).
Cyber Threat: The possibility of a malicious attempt to damage or disrupt a computer network or system.
Industry 4.0: The current trend of automation and data exchange in manufacturing technologies, including cyber-physical systems, the Internet of Things, and cloud computing.
Internet of Things (IoT): The network of physical objects that contains embedded technologies to communicate and sense or interact with their internal states or the external environment.
Malware: Using malicious software, criminals gain access to computer systems and gather sensitive personal information such as Social Security numbers, account numbers, passwords, and more.
Phishing: The criminals attempt to acquire sensitive personal information via email.
Ransomware: A scam frequently delivered through spear-phishing emails to end-users, resulting in the rapid encryption of sensitive files on a corporate network. When the victim organization determines they are no longer able to access their data, the cyber actor demands the payment of a ransom.
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (1) the adverse impacts that would arise if the circumstance or event occurs; and (2) the likelihood of occurrence.
Risk Management: The process of identifying, assessing, and responding to risk.
Social Engineering: Via social media and other electronic media, criminals gain the trust of victims over time, manipulating them into divulging confidential information.
Index
A
Advanced Persistent Threat, 83
Application Risk, 91
B
Botnets, 24
Business Email Compromise, 16
C
Critical Security Controls, 3, 38, 64
Cyber Fraud, 12
Cyber Threat, 13
Cyberattack, 12
Cybercrime, 12
Cyber-espionage, 42
Cybersecurity, 13
Cybersecurity Examination Initiative, 69, 70, 72, 73
F
Financial Statement Disclosures, 79
FISMA, 52
Form 10-K, 78, 81, 126, 127
Form 10-Q, 78, 81, 126, 127
Form 8-K, 80, 81, 126, 127
H
Hacktivists, 88
I
IM Guidance Update No. 2015-12, 74
Information and Communications Technologies, 65
Internet of Things, 35
ISO/IEC 27000, 38, 62
M
Malware, 92
N
Nation states, 87
NIST Framework, 2, 3, 38, 39, 40, 57, 67, 124, 125
P
Payment Card Industry Data Security Council Standard, 38, 67, 124
Payment card skimmers, 42
Phishing, 119
Point-of-Sale Intrusions, 41
R
Ransomware, 64
Regulation S-K, 77, 78, 81, 127
S
SEC Disclosure Obligations, 76
W
Wire transfer, 16
Solutions to Review Questions
Section 1
1. An employee made a false claim for reimbursement of inflated business expenses. He believes that his behavior was harmless because the financial loss to the agency was immaterial. Which of the fraud triangle elements best explains his action?
A. Incorrect. Opportunity is the ability to commit fraud or to conceal it. Examples of opportunities include
weak internal control, poor supervision, and lack of training. None of these situations is identified in this
case.
B. Incorrect. Capability is not an element in the fraud triangle. It is an element in the fraud diamond.
C. Correct. Rationalization is a person's ability to justify fraud by reconciling his or her behavior, such as
stealing, with some common excuse. In this case, the employee justified stealing by using the excuse that
the financial loss to the agency was minimal, so that his action was harmless.
D. Incorrect. Pressure indicates a need that an individual attempts to satisfy by committing fraud, such as
living beyond one’s means, high personal debt, and peer pressure. None of these factors is identified in
this case.
2. An individual steals online credit and financial information and uses it in a criminal manner. What term
describes this behavior?
A. Incorrect. Financial statement fraud is committed by an employee who intentionally causes a
misstatement or omission of material information in the entity’s financial reports.
B. Incorrect. Business email compromise (BEC) is defined as a scam targeting businesses and carried out by
compromising legitimate business email accounts through social engineering or computer intrusion
techniques to conduct unauthorized transfers of funds.
C. Correct. Cyber fraud is defined as credit and financial information stolen online by a hacker and used
in a criminal manner.
D. Incorrect. Email account compromise (EAC) is a sister scam to BEC. EAC differs from BEC in that it targets
individuals or individual professionals instead of businesses.
3. What type of cyber fraud sends a victim an enticement in the hopes that the victim will provide confidential
information?
A. Incorrect. Ransomware involves encrypting a victim’s computer and demanding payment for the
decryption key.
B. Incorrect. Hacking involves breaking into a victim’s computer in order to get sensitive information.
C. Correct. Phishing will use contests or legitimate-looking emails to get sensitive or confidential
information. For instance, the email could appear to be from a victim’s financial institution, health
provider or even the IRS.
D. Incorrect. Spam is the delivery of high volumes of unwanted email solicitations, frequently with virus-
infected links.
4. What is the most effective technique to reduce the risk of being a business email compromise victim?
A. Incorrect. Although requiring two-factor authentication for all remote access sessions can effectively
reduce the risk of unauthorized access, such control does not directly address the risk of being a business
email compromise victim.
B. Incorrect. An organization should regularly scan systems within the environment to ensure that
vulnerabilities are identified, categorized (e.g., critical, major, moderate) and addressed. However,
vulnerability assessment does not necessarily reduce the risk of being a business email compromise
victim.
C. Incorrect. Maintaining backup operations, developing an emergency response, and establishing post-
disaster recovery are all critical elements of the contingency planning process. However, these procedures
do not reduce the risk of being a business email compromise victim.
D. Correct. While detecting fraud once it occurs is essential to any company, it is obviously best to prevent
it before it happens. Promoting employee security awareness, a preventive control, is considered the
most effective way to reduce the risk of being a fraud victim.
5. Which of the following offenses involves criminals taking out loans or credit cards using a victim’s information?
A. Incorrect. Payment card skimmers refer to incidents in which a skimming device was physically implanted
on an asset that reads magnetic stripe data from a payment card (e.g. ATMs, gas pumps, POS terminals,
etc.).
B. Incorrect. Exploits are pieces of code designed to take advantage of software vulnerabilities to deliver a
payload (malware) that otherwise would be prevented by system restrictions.
C. Correct. Financial identity theft is related to ID thieves taking out loans or credit cards using a victim’s
information. The victim often receives a lender’s letter stating that he/she has not repaid a loan that
he/she did not take.
D. Incorrect. Business email compromise involves taking over an email account or spoofing an email address
in order to initiate theft via unauthorized ACH or wire transfers.
6. Hundreds of thousands of computers are part of some network being used for performing malicious actions,
such as sending spam and launching Denial of Service attacks. Which of the following terms describes this
type of threat?
A. Incorrect. Payment card skimmers refer to all incidents in which a skimming device was physically
implanted (tampering) on an asset that reads magnetic stripe data from a payment card (e.g. ATMs, gas
pumps, POS terminals, etc.).
B. Incorrect. Point-of-Sale Intrusions (POS) are remote attacks against the environments where card-present
retail transactions are conducted. POS terminals and POS controllers are the targeted assets.
C. Incorrect. A zero-day attack is a threat aimed at exploiting a software application vulnerability before the
application vendor becomes aware of it and before the vulnerability becomes widely known to the
internet security community.
D. Correct. Zombie computer networks, also known as botnets, have for several years been the most
important infrastructural component in the world of cybercrime actors. Their role in the world of
cybercrime is central, within a model where the purchase and sale of services, information theft or
campaigns spreading ransomware are facilitated by botnets. In other words, they are used to launch
automated attacks such as DDoS to business and government websites and networks.
Section 2
7. Which of the following standards is primarily used by organizations that handle branded credit cards, such as
Visa, MasterCard, and American Express?
A. Incorrect. NIST Framework was developed in response to Executive Order 13636, which outlines
responsibilities for Federal Departments and Agencies to aid in Improving Critical Infrastructure
Cybersecurity.
B. Incorrect. The Standard of Good Practice, published by the Information Security Forum, is a business-
focused, practical and comprehensive guide to identifying and managing information security risks in
organizations and their supply chains.
C. Correct. Payment Card Industry Data Security Council Standard is the global data security standard
adopted by payment card brands, such as Visa, MasterCard, and American Express that process, store
or transmit cardholder data.
D. Incorrect. ISO/IEC 27001:2013 focuses on information security management systems to help
organizations protect information such as financial data, intellectual property or sensitive customer
information.
8. All of the following are TRUE related to security framework adoption EXCEPT:
A. Incorrect. According to Dimensional Research, adoption of frameworks is the norm: banking and
financing (88%), information technology (87%), government (86%), and manufacturing (83%) all have
security framework adoption rates above 80%. Education and healthcare are only slightly behind at 77%
and 61% respectively.
B. Correct. Security teams are searching for guidance, and in many cases, they are getting it from multiple
places. Close to half of organizations (44%) report that they are using multiple frameworks in their
security program, including 15% that are using three or more based on the survey from Dimensional
Research.
C. Incorrect. According to Dimensional Research, the most common reason for adopting the NIST
Framework was best practice (70%). This reason for adopting the NIST Framework was far ahead of any
requirement by a business partner (29%), federal contract (28%), or other organizations (20%).
D. Incorrect. There are many organizations that are planning to adopt additional frameworks in the coming
year with NIST Framework heading the list (14%), followed by CIS (12%) and ISO (9%).
9. Which of the following is NOT one of the top 5 CIS Critical Security Controls?
A. Incorrect. The number 1 priority of the Critical Security Controls is to inventory all authorized and
unauthorized devices.
B. Incorrect. Creating an inventory of all authorized AND unauthorized software is the number 2 priority.
C. Incorrect. The 3rd prioritized control is to create secure configurations for hardware and software on
mobile devices, laptops, workstations, and servers.
D. Correct. Although email and web browser protections are very important, they are number 7 on the
priority list for controls.
Section 3
10. Which of the following measures ensures that employees understand cybersecurity risks and know how to
respond to incidents, in accordance with the SEC Division of Investment Management Guidance Update No.
2015-02?
A. Incorrect. Funds and advisers should create a strategy to help prevent, detect and respond to
cybersecurity risks. Such a strategy often addresses the matters of controlling access, data encryption,
protection against the loss of sensitive data, data backup and retrieval, and the development of an
incident response plan.
B. Correct. To ensure that employees understand cybersecurity risks and know how to respond to
incidents, firms should implement policies and procedures, and conduct regular training. Firms should
also consider how to educate investors and clients about how to reduce their exposure to cybersecurity
threats concerning their accounts.
C. Incorrect. Funding was not addressed in the latest guidance update, and it will be up to the firm to
determine how best to fund the other implementation.
D. Incorrect. An effective assessment will help the firm identify potential cybersecurity threats and
vulnerabilities to better prioritize and mitigate risk.
11. Which of the following is NOT a key aspect of the SEC Division of Investment Management Guidance Update No. 2015-02?
A. Incorrect. Funds and advisers should create a strategy to help prevent, detect and respond to cybersecurity risks.
B. Incorrect. Proper education and policies are critical to the firm, the investors, and their clients.
C. Correct. Funding was not addressed in the latest guidance update, and it will be up to the firm to
determine how best to fund the other implementation.
D. Incorrect. An effective assessment will help identify potential cybersecurity threats and vulnerabilities to
better prioritize and mitigate risk.
12. Depending on the circumstances, disclosures of cyber risks and cybersecurity incidents may be required for
public companies in all of the following EXCEPT?
A. Incorrect. In determining whether risk factor disclosure is required, a public company is expected to
evaluate its cybersecurity risks and take into account all available relevant information, such as (1) prior
cybersecurity incidents and the severity and frequency of those incidents; (2) the probability of cybersecurity
incidents occurring; (3) the quantitative and qualitative magnitude of the risks; and (4) potential costs and other
consequences resulting from misappropriation of assets or sensitive information, corruption of data or
operational disruption.
B. Incorrect. A public company should provide disclosure in Item 101 of Regulation S-K if one or more
cybersecurity incidents materially affect the registrant’s products, services, relationships with customers
or suppliers, or competitive conditions. In determining whether to include disclosure, registrants should
consider the impact on each of their reportable segments.
C. Incorrect. A public company may need to disclose information regarding the litigation in Item 103 of
Regulation S-K if a material pending legal proceeding to which the registrant or any of its subsidiaries is a
party involves a cybersecurity incident.
D. Correct. The main purpose of designing a secure system configuration is to protect sensitive
information. Secure configurations should remain confidential as such disclosure may reveal
vulnerabilities in a server architecture or malware detection program that could be exploited by
cybercriminals.
13. Which of the following forms is used for disclosure of a cyber incident that materially affects the company’s relationships with customers?
A. Incorrect. Registrants should address cybersecurity risks and cyber incidents in the MD&A section of their
Form 10-K and Form 10-Q if the costs or other consequences represent a material event, trend, or
uncertainty that is reasonably likely to have a material effect on the registrant’s operations, liquidity, or
financial condition.
B. Incorrect. If a cybersecurity breach occurs or new risks arise in between periodic reporting requirements,
companies should consider whether disclosing such information on a Form 8-K is appropriate.
C. Incorrect. Registrants should address cybersecurity risks and cyber incidents in the MD&A section of their
Form 10-K and Form 10-Q if the costs or other consequences represent a material event, trend, or
uncertainty that is reasonably likely to have a material effect on the registrant’s operations, liquidity, or
financial condition.
D. Correct. A registrant should provide disclosure in Item 101 of Regulation S-K if one or more cyber
incidents materially affect the registrant’s products, services, relationships with customers or suppliers,
or competitive conditions.
Section 4
14. Which of the following threat actors would have the most interest in financial/payment systems?
A. Incorrect. Disgruntled insiders usually use their privileged knowledge, or access, to facilitate, or launch,
an attack to disrupt or degrade critical services on the network of their organizations. They often target
market strategies, corporate secrets, R&D, business operations, and personnel information.
B. Incorrect. Nation-states are the most capable actors in the cyber domain. Their interests include political,
economic, military, and financial targets and they will usually target trade secrets, sensitive business
information, emerging technologies, and critical infrastructure.
C. Correct. Driven by profit and personal gain, organized crime is becoming increasingly sophisticated in
its use of technology to commit fraud, steal funds and valuable information focused on
financial/payment systems, personal identification information, payment card information, and
protected health information.
D. Incorrect. Hacktivists, whose objectives may disrupt and embarrass an organization, usually refer to a
disparate group that contains a wide variety of ideologically oriented groups and individuals. In general,
hacktivists wish to attack companies for political or ideological motives. They promote a form of civil
disobedience in cyberspace targeting corporate secrets, sensitive business information, and information
related to key executives, employees, customers, and business partners.
15. The most complex and targeted attacks require a high level of financial investment and legal oversight. This
type of state-sponsored threat actor is usually employed by which of the following governments?
A. Incorrect. Middle East hackers are dynamic, often using creativity, deception, and social engineering to
trick users into compromising their own computers. In other words, Middle East attacks may be calculated
less in the technology, and more in the clever ways in which malware is delivered and installed on a target
network. They do not necessarily require a high level of financial investment and legal oversight.
B. Incorrect. FireEye indicated that no prominent examples have been discovered of the European Union
(EU) or the North Atlantic Treaty Organization (NATO) conducting their own offensive cyberattacks. On
the contrary, many examples reveal European networks getting hacked from other parts of the world,
particularly China and Russia.
C. Incorrect. Since China is home to 1.35 billion people or more than four times the population of the United
States, China often has the ability to overwhelm cyber defenses with quantity over quality. According to
FireEye researchers, Chinese malware is not the most advanced or creative. China employs brute force
attacks that are often the most inexpensive way to accomplish its objectives. The attacks succeed due to
the sheer volume of attacks, the prevalence, and persistence of vulnerabilities in modern networks.
D. Correct. The United States has conducted the most complex, targeted, and rigorously engineered
cyberattack campaigns to date. The attacks often require a high level of financial investment, technical
sophistication, and legal oversight.
16. What is the primary motivation of hacktivists?
A. Incorrect. Nation-states, motivated by nationalism, are established and well organized to carry out the
most sophisticated threats in cyberspace, motivated by espionage and/or ideology. For example, they
usually focus on credentials, internal organizational data, trade secrets, and system information.
B. Incorrect. Driven by profit and personal gain, organized crime groups usually steal credit card numbers,
bank information, and social media and email account information to sell them on the black market.
C. Correct. Hacktivists, whose objectives may disrupt and embarrass an organization, usually refer to a
disparate group that contains a wide variety of ideologically oriented groups and individuals. Thus,
hacktivists wish to attack companies for political or ideological motives.
D. Incorrect. Hacktivists are individuals or groups who perform cyberattacks on targets for political-
ideological reasons. Black market activities are usually the focus of organized crime groups motivated by
financial gain.
17. Which of the following has NOT increased the overall risk landscape of organizations?
A. Incorrect. A network of networks is one of the factors that change the overall risk landscape of
organizations. Research predicts that 30 billion devices will be connected to the internet by the year 2020.
B. Incorrect. As more and more organizations put mission-critical data in the cloud and with third parties,
with the loss of control and unexpected connectivity, the threats and attacks increase. Therefore, cloud
computing is one of the factors that change the overall risk landscape of organizations.
C. Incorrect. Privacy and data protection are factors that change the overall risk landscape of organizations.
Smart devices hold information from confidential consumer, operational and financial data, and therefore
data privacy and protection become key cyber risks.
D. Correct. User education is one of the most cost-effective ways for organizations to help drive down the
risk of cyber fraud.
Section 5
18. According to the Three Lines of Defense model, which of the following controls is part of the first line of
defense’s responsibilities?
A. Incorrect. Internal audit acts as the third line of defense by conducting an independent review of a
cybersecurity program and providing confirmation to the board on risk management effectiveness.
B. Correct. IT management, which incorporates risk-informed decision making into daily operations such as
defining risk appetite and mitigating risks, serves as the first line of defense for data privacy and security.
C. Incorrect. Information and technology risk management, which establishes governance and oversight,
serves as the second line of defense by setting risk baselines, policies, and standards.
D. Incorrect. Internal audit, which helps management meet compliance requirements related to
cybersecurity risks, is the third line of defense for data privacy and security.
19. According to the Three Lines of Defense model, which of the following controls usually serves as the third line
of defense providing independent assurance?
A. Correct. As the third line of defense, the internal audit activity provides senior management and the
board with independent and objective assurance on governance, risk management, and controls.
B. Incorrect. The second line of defense is often composed of IT risk management and IT compliance functions.
Therefore, classifying data and designing least-privilege access roles are considered second line of
defense activities.
C. Incorrect. The first line of defense consists of the operational managers that own and manage risks and
controls. Thus, implementing vulnerability management with internal and external scans is one of the
common first lines of defense activities.
D. Incorrect. Deploying intrusion detection systems and conducting penetration testing are examples of the
first line of defense activities.
20. Which of the following documents provides specific notification and/or escalation procedures that apply to
the particular information system?
A. Incorrect. A service level agreement provides information about existing written commitments to provide
a particular level of service. This may include pre-established external engagement contract support that
can assist and augment the organization’s recovery team in the event of a major cyber event.
B. Incorrect. Operational workarounds refer to approved workaround procedures if the information system
is not able to be restored within the recovery time objective (RTO).
C. Incorrect. Specific recovery details and procedures provide specific recovery activities to be performed by
the recovery team, including application restoration details or methods to activate alternate means of
processing (e.g. backup servers, failover site).
D. Correct. The communication plan provides specific notification and/or escalation procedures that apply
to a particular information system. As an example, some systems impact users outside of the
organization, and legal, public relations, and human resources personnel may need to be engaged to
manage expectations and information disclosure about the incident and recovery progress.
Section 6
21. Which of the following audits helps an organization identify gaps in the policies and procedures implemented
in the organization pertaining to IT infrastructure?
A. Correct. The objective of governance & processes review is to identify gaps in the policies and
procedures implemented in the organization pertaining to IT infrastructure. During the review, internal
auditors may review the cybersecurity policies, procedures, and strategies. They may also test operating
effectiveness in accordance with the policies and procedures established.
B. Incorrect. The objective of the cyberattack identification & response review is to evaluate procedures and
processes that enable the discovery and reporting of cyberattack incidents.
C. Incorrect. A baseline security review identifies security risks in the network.
D. Incorrect. The objective of a proactive advanced persistent threat review is to mitigate the risk of
information leakage and eavesdropping and foresee the expected attacks and threats that the network
might be subject to.
22. How can Internal Audit contribute to an organization’s cybersecurity preparedness?
A. Incorrect. Business and IT functions incorporate risk-informed decision making into daily operations and
integrate risk management into operational processes.
B. Incorrect. Legal is normally responsible for monitoring decisions made by regulators in response to cyber
incidents.
C. Incorrect. Executive-level management is responsible for implementing user security awareness programs.
D. Correct. Internal Audit performs independent reviews of cybersecurity program effectiveness by
evaluating whether the security architecture supports the organization’s thresholds for risk, while still
supporting key business objectives.