the title is the Top 18 Controls, the CIS controls are really grouped into 18 different control families. Each control family includes a series of safeguards with understandable definitions and control suggestions. The CIS controls are industry-agnostic, so don’t expect to find financial institution-specific controls. The controls provided, however, are sound and will provide financial institutions with a valuable roadmap to improve their cybersecurity posture.

5. AICPA SOC for Cybersecurity: You have probably seen SOC 1 and SOC 2 reports as part of your vendor management and due diligence process. A lesser-known but equally valuable report is the SOC for Cybersecurity Examination, which offers an attestation report and opinion from an independent CPA firm on the cybersecurity risk management program of any entity, not just third-party service providers. It evaluates management’s description of its cybersecurity risk management program and the operating effectiveness of controls supporting its cybersecurity objectives. Often, the cybersecurity controls are defined using the AICPA’s Trust Services Criteria for security, availability and confidentiality, similar to a SOC 2 report. A unique characteristic of the SOC for Cybersecurity report is its designation as a general use report, which means distribution of the report is not limited and can, therefore, be shared with shareholders, customers, prospective customers, vendors and any other stakeholder.

With the CAT’s removal on the horizon, financial institutions should begin planning their transition to an alternative framework. For more detailed guidance on preparing for the CAT phase-out, watch a previously recorded webinar presented by YHB’s Risk Advisory Services expert, Bryan Newlin, CPA, CISA, on YHB’s Engagement Hub by scanning the QR code.
https://gateway.on24.com/wcc/eh/4362613/lp/4782607/preparing-for-the-ffiec-cat-phase-out-exploring-newcybersecurity-assessment-options-for-financial-institutions

Bryan began his career with YHB in 2005 and has been a key leader in YHB’s respected Risk Advisory Services practice since 2007. Focusing attention on two of the most well-known technology internal control frameworks — the AICPA’s Trust Services Categories and ISACA’s COBIT® framework — Bryan works across industries to help clients identify and mitigate information and technology risk.

17 WEST VIRGINIA BANKER