New guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides recommendations on how organizations can contend with the evolving threats to cyber security. The 32-page report, developed by COSO in collaboration with Deloitte Risk & Financial Advisory and titled “Managing Cyber Risk in a Digital Age,” is available on the COSO website at this link.

The guidance, written to boards of directors, audit committee members, executive management, and cyber practitioners, addresses how companies can apply COSO’s Enterprise Risk Management–Integrating with Strategy and Performance (ERM Framework), one of the world’s most widely recognized and applied risk management frameworks, to protect against cyberattacks. It offers insight into how organizations can leverage the five components and 20 principles of the ERM Framework to identify and manage cyber risks. 

IMA is one of five founding members of COSO, which was formed in 1985 as a voluntary private-sector organization dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence. Other founding members are the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), and The Institute of Internal Auditors (IIA). Currently, IMA President and CEO Jeff Thomson, CMA, CSCA, CAE, serves as IMA’s representative on the COSO board and as the board’s lead director.

Noted Thomson, “As the business world grows increasingly connected and digital, cyber threats and attacks continue to grow in number and complexity. That’s why it’s imperative that C-suite leaders and board members play an active role in guiding their company’s cybersecurity strategy. This guidance provides critical recommendations that can help organizational leaders evolve their understanding of cyber risks, enabling them to make critical business decisions with these risks in mind.”

The guidance notes that the fast-evolving cyber threat landscape makes it imperative for boards of directors to increase their cyber competencies so that they may effectively evaluate how well these risks are being addressed. For nearly half of responding organizations (49%), cybersecurity is on the board’s agenda at least quarterly, according to a Deloitte 2019 Future of Cyber Survey. That survey concluded that it is crucial that boards develop cybersecurity expertise themselves or identify advisers with relevant skills.

“As cyber threats increase in number, complexity, and destructiveness, organizations face a greater risk in achieving their strategic objectives,” said Paul Sobel, COSO Chair. “COSO’s ERM Framework provides a foundation upon which a cybersecurity program can be built, integrating cyber risk management concepts with elements of strategy, business objectives, and performance, which can result in increased business value.” 

“Managing Cyber Risk in a Digital Age” was authored by Deloitte & Touche LLP’s Mary E. Galligan, managing director; Sandy Herrygers, partner and global assurance leader; and Kelly Rau, managing director. 

For more information about COSO, visit