Cyber risk management: Six reasons why you need independent assurance

By Lindsay Hill, CEO, Mitigo Cybersecurity

17 May 2023

Cyber breaches are not acts of God. They are preventable, provided you have taken the right steps to protect your business from attack. The central theme of this article is that the only way to prove to yourself and your senior leadership team that you have put the right defences in place is to obtain independent assurance.

What is assurance?

Assurance is the process by which you engage an independent expert to provide a professional opinion on a subject, in this case your cybersecurity measures. It matters because information that is business critical needs to be reliable.

There are two key aspects.

  • Independence: The more independent the review, the more confidence you can have in it. Having your IT providers mark their own homework is simply a non-starter in terms of good risk management.
  • Expertise: Cybersecurity is complex and ever-changing. Whoever you instruct must be a cybersecurity specialist (not an IT generalist) who understands your business structure and the market in which you operate, is acutely aware of the current methods of attack, and knows your legal and regulatory obligations.

It is important to be clear that we are not talking here about certifications such as CE and CE+ (Cyber Essentials and Cyber Essentials Plus). They cover no more than 5 of what the ICO describes as “basic” technical requirements; they do not provide proper security, nor do they satisfy legal obligations for the security of personal data.

What does it look like?

Your assurance should be in writing and intelligible to those who are not experts in cyber risk management, including those responsible at board level for managing the big risks in your business. The work should be carried out carefully using a high-quality, reliable process designed for your sector. A penetration test with a narrowly defined scope is not sufficient on its own.

The assurance should provide you with a proper cyber risk assessment, clear visibility on your cyber vulnerabilities and risks, and specify the means to control them. This includes all necessary measures as regards technology configurations, people competence, and policies and governance. It should also address the process for regularly reviewing and testing the effectiveness of these measures.

Why do you need it?

Peace of mind that you are protected

The process will identify gaps and allow you to close them – and enable you to build trust in your regime for controlling cyber risks.

Keep your proprietary and customer data safe and become operationally resilient to attack

The disastrous consequences of a ransomware or other cyber breach are well known.

Satisfy your legal and regulatory obligations

Cyber risk assessments, technology configurations, governance, staff training and ongoing reviews (all of which need to be documented) are just some of your legal obligations under UK GDPR which the ICO would look at in the event of a breach. Any regulatory obligations as regards confidentiality, governance, managing material risks, operational resilience etc. add another layer. And bear in mind that the ICO has made it clear that it will have regard to “relevant industry standards of good practice” such as the ISO 27001 series, the standards of the National Institute of Standards and Technology (NIST), and the various guidance from the ICO itself, from the National Cyber Security Centre and from any sector regulator.

Better management decisions

Spending ever more money on technology is rarely the way to get protection. We see lots of businesses being given poor advice and wasting money after being persuaded to buy technology solutions which they do not actually need, which are incorrectly configured, and which do not give them the protection they expected.

Shows your customers and other parties that you have cyber risks under control

Clients, colleagues, investors and other third parties are increasingly aware of the risks of cyberattacks and the serious damage they can inflict on their own affairs or businesses. Your security matters to them.

Insurance

Evidence of good assurance in this area will help characterise your business as well-managed and a better risk in the eyes of professional indemnity (and cyber) underwriters.

Questions to ask before you appoint someone to undertake your assurance

  • Are they genuinely independent from your IT providers?
  • Are they cybersecurity specialists with a high quality process for assessing and testing for cybersecurity risks?
  • Do they operate within your sector and are they up to date with the latest methods of attack?
  • Do they know your legal and regulatory obligations and related guidance?
  • Do they also sell any security technology which could give them a conflicting financial interest in their recommendations?

Conclusion

A serious cyber breach is hard to recover from and can result in irreparable business damage. With the stakes this high, surely it is time to stop hoping you are secure and start proving you are secure?

About Mitigo:

We have partnered with Mitigo to offer cybersecurity risk management services with exclusive discounts for our Evolve members.

Find out more about Mitigo’s cybersecurity services.

For more information contact them on 0131 564 3131 or email icas@mitigogroup.com
