The American Institute of CPAs (AICPA) has released a risk management reporting framework that is intended to “establish a common, underlying language for Cybersecurity risk management reporting—almost akin to US GAAP or IFRS for financial reporting.”
According to AICPA, the framework may be used by both management and CPAs to “enhance cybersecurity risk management reporting of an organization’s cybersecurity efforts.”
This sounds like a good idea, but the guidance carries its own inherent risks for companies, risks that are not mentioned in the fact sheet. The biggest risk is the discoverability of the risk management report(s) and their use in litigation against the company.
Any time a CPA firm, auditing firm or other vendor is engaged to conduct any cybersecurity review, the vendor does its best to uncover every single thing that may be lacking. The reports are not written with litigation or enforcement actions in mind, and often paint the company in a very negative way. Producing these reports in litigation or enforcement actions is extremely painful for outside counsel, like me.
CPA firms, auditing firms and other vendors, as well as their clients, may wish to evaluate whether counsel should be involved in the company’s cybersecurity risk management process in order to preserve the work product under the attorney-client privilege or the work product doctrine. They may also wish to document the process and write the reports with the potential in mind that they may be reviewed by plaintiffs’ lawyers or regulators. A set of trained litigator’s eyes on the conclusions is very helpful. Having counsel quarterback the risk management process is a risk management tool in and of itself: the management of litigation risk.