
Internal-Control Standard-Setter COSO to Publish New Guidance on Cybersecurity and Compliance Risk

Capital One Financial recently suffered a major data breach. PHOTO: MARK ABRAMSON/BLOOMBERG NEWS

A key standard-setter on internal controls is preparing to publish a set of guidelines for companies on how to manage cybersecurity and other enterprise risks.

A key internal-control standard-setter is preparing to publish a set of guidelines on how companies should manage cybersecurity and other enterprise risks.

The new guidance from the Committee of Sponsoring Organizations of the Treadway Commission is expected to address how companies can apply the principles of enterprise risk management, or ERM, to protect against cyberattacks; how to better craft risk-appetite statements; and how to better manage risk and compliance across an enterprise.

The new guidance from the Committee of Sponsoring Organizations (COSO) of the Treadway Commission is expected to explain how companies can apply enterprise risk management principles to guard against cyberattacks, how to better draft risk-appetite statements, and how to better manage risk and compliance across the whole enterprise.

COSO develops frameworks that many companies use to manage financial and nonfinancial risks. Its chairman, Paul Sobel, said in an interview that the guidance will be rolled out later this year or early next. He also shared some details on what to expect.

COSO has developed many frameworks used to manage financial and nonfinancial risks. Its chairman, Paul Sobel, said in an interview that the guidance will be released later this year or early next year. He also disclosed some details of what to expect.

On Cybersecurity: Hackers have become more advanced in their attempts to break through companies' defenses, said Mr. Sobel, who is also chief risk officer at pulp-and-paper company Georgia-Pacific LLC. “We continue to have very visible data breaches,” Mr. Sobel said. He said the coming guidance will be tailored to the needs of cybersecurity professionals.

On cybersecurity: Mr. Sobel said hackers are using more advanced techniques in their attempts to break through companies' cybersecurity defenses. Companies continue to suffer very visible data breaches. He said the forthcoming guidance will be tailored to the needs of cybersecurity professionals. Mr. Sobel is chief risk officer at pulp-and-paper company Georgia-Pacific LLC.

In a recent example of a major data breach, a hacker accessed the personal information of more than 100 million customers and applicants at Capital One Financial Corp., the fifth-largest U.S. credit-card issuer.

In a recent major data breach, a hacker obtained the personal information of more than 100 million customers and applicants at Capital One Financial Corp. (COF), the fifth-largest U.S. credit-card issuer.

Mr. Sobel said that the forthcoming COSO guidance has been under discussion for nearly a year and isn’t being crafted in response to the incident at Capital One. It is intended to help companies provide more detailed instructions on how to apply the 20 principles of COSO’s risk-management framework—which include board-level oversight of risk management—to information security.

Mr. Sobel said the forthcoming COSO guidance has been under discussion for nearly a year and was not drafted in response to the Capital One incident. It is intended to help companies with more detailed instructions on how to apply the 20 principles of COSO's risk-management framework, including board-level oversight of risk management, to information security.

On Risk Appetite: Companies’ adoption of risk-appetite statements is another subject that COSO plans to address in the guidelines, Mr. Sobel said.

On risk appetite: Mr. Sobel said companies' adoption of risk-appetite statements is another topic COSO plans to address in the guidance.

Risk-appetite statements take different forms across industries. In financial services, the statements are typically more quantitative and formally agreed upon by directors. In other industries, risk-appetite statements are less formal and serve as a discussion guide for directors.

Risk-appetite statements take different forms in different industries. In financial services, they are usually more quantitative and formally agreed upon by directors. In other industries, risk-appetite statements are less formal and serve as a guide for directors' discussions.

Currently, the statements focus primarily on how companies can protect themselves against downsides. The forthcoming guidance, however, will encourage directors to emphasize how companies can create value for their companies by properly managing risks.

Currently, the statements focus on how companies can protect themselves against adverse effects. The forthcoming guidance, however, will encourage directors to emphasize how companies can create value by managing risk properly.

“It gets to the crux of how boards and the C-Suite think,” Mr. Sobel said. He added that risk-appetite statements, as they are currently drafted, primarily resonate with risk executives.

“The crux is how boards and C-suite executives think,” Mr. Sobel said. He added that risk-appetite statements, as currently drafted, mainly draw the attention of enterprise risk executives.

On Compliance: COSO also plans to publish guidance for companies on how to manage compliance programs. Mr. Sobel said the guidance is being drafted in partnership with the Society of Corporate Compliance and Ethics, a Minneapolis-based professional association.

On compliance: COSO also plans to publish guidance on how companies should manage compliance programs. Mr. Sobel said COSO is drafting the guidance in partnership with the Society of Corporate Compliance and Ethics, a professional association based in Minneapolis.

The goal is to help companies be “effective and efficient” in their approach to compliance, and to make sure they don’t overspend, Mr. Sobel said. “Companies may overmanage those risks sometimes,” he said.

Mr. Sobel said the aim is to help companies implement compliance programs “effectively and efficiently” and to make sure they don't spend too much money on them. “Companies may sometimes overmanage those risks,” he said.

On the Practical Application of ERM: COSO also expects to publish guidance for board directors on managing strategic risks—the kind that arise when companies expand, launch new products or change pricing models. The new guidance will provide board members and executives with examples of questions to ask and steps to take to prevent the loss of shareholder value.

On the practical application of ERM principles: COSO also plans to publish guidance for directors on managing strategic risk, meaning the risks companies face when expanding, launching new products or changing pricing models. The new guidance will give board members and executives examples of which questions to ask and which steps to take to prevent a loss of shareholder value.

Kristin Broughton

Aug. 10, 2019 6:43 pm ET

(Copyright Dow Jones & Company; no translation or reproduction without permission.)

Original article: https://kuaibao.qq.com/s/20190812A006SW00?refer=cp_1026
