Capital One Financial recently suffered a major data breach. PHOTO: MARK ABRAMSON/BLOOMBERG NEWS

A key standard-setter on internal controls is preparing to publish a set of guidelines for companies on how to manage cybersecurity and other enterprise risks.

The new guidance from the Committee of Sponsoring Organizations of the Treadway Commission is expected to address how companies can apply the principles of enterprise risk management, or ERM, to protect against cyberattacks; how to better craft risk-appetite statements; and how to better manage risk and compliance across an enterprise.

COSO develops frameworks that many companies use to manage financial and nonfinancial risks. Its chairman, Paul Sobel, said in an interview that the guidance will be rolled out later this year or early next. He also shared some details on what to expect.

On Cybersecurity: Hackers have become more advanced in their attempts to break through companies' defenses, said Mr. Sobel, who is also chief risk officer at pulp-and-paper company Georgia-Pacific LLC. “We continue to have very visible data breaches,” Mr. Sobel said. He said the coming guidance will be tailored to the needs of cybersecurity professionals.

In a recent example of a major data breach, a hacker accessed the personal information of more than 100 million customers and applicants at Capital One Financial Corp., the fifth-largest U.S. credit-card issuer.

Mr. Sobel said that the forthcoming COSO guidance has been under discussion for nearly a year and isn’t being crafted in response to the incident at Capital One. It is intended to help companies provide more detailed instructions on how to apply the 20 principles of COSO’s risk-management framework—which include board-level oversight of risk management—to information security.

On Risk Appetite: Companies’ adoption of risk-appetite statements is another subject that COSO plans to address in the guidelines, Mr. Sobel said.

Risk-appetite statements take different forms across industries. In financial services, the statements are typically more quantitative and formally agreed upon by directors. In other industries, risk-appetite statements are less formal and serve as a discussion guide for directors.


Currently, the statements focus primarily on how companies can protect themselves against downsides. The forthcoming guidance, however, will encourage directors to emphasize how companies can create value by properly managing risks.

“It gets to the crux of how boards and the C-Suite think,” Mr. Sobel said. He added that risk-appetite statements, as they are currently drafted, primarily resonate with risk executives.


On Compliance: COSO also plans to publish guidance for companies on how to manage compliance programs. Mr. Sobel said the guidance is being drafted in partnership with the Society of Corporate Compliance and Ethics, a Minneapolis-based professional association.

The goal is to help companies be “effective and efficient” in their approach to compliance, and to make sure they don’t overspend, Mr. Sobel said. “Companies may overmanage those risks sometimes,” he said.


On the Practical Application of ERM: COSO also expects to publish guidance for board directors on managing strategic risks—the kind that arise when companies expand, launch new products or change pricing models. The new guidance will provide board members and executives with examples of questions to ask and steps to take to prevent the loss of shareholder value.

Kristin Broughton

Aug. 10, 2019 6:43 pm ET