In 2017, the AICPA developed a SOC 2 cybersecurity reporting framework that organizations can use to demonstrate to key stakeholders the extent and effectiveness of an entity’s cybersecurity risk management program. Management’s formulation of objectives is critical to any cybersecurity risk management program. Management establishes cybersecurity objectives that address the cybersecurity risks that could affect the achievement of the entity’s overall business objectives (including compliance, reporting, and operational objectives). These cybersecurity objectives may vary depending on the environment in which the entity operates, the entity’s mission and vision, the overall business objectives established by management, risk appetite, and other factors.