When most people think of the Sarbanes-Oxley (SOX) Act, they think of protecting investors from fraudulent financial reporting with accounting and finance controls. With the increasing role of technology today, the risks to financial reporting posed by cybersecurity threats are greater than ever. According to the latest FBI Internet Crime Report for 2020, $4.2B in losses were reported in 2020 (up from $1.4B in 2017). The latest Gartner Hot Spots report lists cyber vulnerabilities as one of the most critical risk areas for auditors to address.
Regulators will continue to emphasize protections against these trends and the impacts they can have on investors. Auditors need to understand the emerging requirements at a fundamental level to best position their companies for success. In this article, you will learn four steps for incorporating cybersecurity requirements into your SOX program for protecting your company from cybersecurity risks.
What Is SOX Cybersecurity Compliance?
SOX cybersecurity compliance generally refers to a public company implementing strong internal control processes over the IT infrastructure and applications that house the financial information that flows into its financial reports in order to enable them to make timely disclosures to the public if a breach were to occur.
The discussion in recent years regarding SOX and cybersecurity was sparked by Commission-level guidance from the SEC in 2018. While the underlying legislation dates back to 2011, the new guidance clarified two key points:
- “First, this release stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Such robust disclosure controls and procedures assist companies in satisfying their disclosure obligations under the federal securities laws.”
- “Second, we also remind companies and their directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws and also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents”
The guidance further added that these efforts should be undertaken from the highest levels of the organization (officers and directors).
This presented a new challenge for organizations. SOX compliance as it related to information technology — much less cybersecurity — has traditionally not included the types of controls that are referenced in this guidance. This shift will not just require the IT auditors to expand beyond their typical areas of scope, but also require collaboration with the financial audit teams to more fundamentally understand risk, and specifically cybersecurity risk at their respective companies. This effort is an area that many companies are still working to fully mature and address.
Incorporating SOX Cybersecurity Requirements
Average companies will understand that the regulatory requirements will only continue to expand in the area of cybersecurity. However, forward-looking companies will understand that the arena of demonstrating compliance and risk management activities publicly is another venue in which they compete. Companies that view SOX and similar programs as opportunities to demonstrate their ability to be nimble in the face of new requirements and put their investors at ease with their risk management approach will be the most attractive investments. One approach to incorporating SOX cybersecurity requirements is to follow these four steps:
1. Perform a Cyber SOX Risk Assessment
This step will vary widely in complexity and comprehensiveness based on the size of the organization and the risks they are facing. No matter the size of the organization, the only way to truly understand the cybersecurity risks relevant for SOX is to start by performing a risk assessment. It may be appropriate to build these new considerations into your existing SOX risk assessment process. This will likely require expanded thinking beyond a typical approach of backtracking from financial accounts and determining materiality. This type of thinking requires expertise from all specialties on the audit team — and should include executive and board level input as well — to determine how your organization will determine what constitutes a “material” cybersecurity risk.
However, other organizations may determine a more dedicated cyber approach is better suited. This is sometimes referred to as a Cybersecurity Risk Management Program (CRMP). There are many resources from common frameworks (NIST, COSO, etc) to aid in a refresh to your risk assessment process. Overall, auditors should question how comprehensive and how well documented is their company’s risk assessment process? The risk assessment is a likely root cause regulators will point to if an enforcement action occurred.
2. Identify Disclosure Controls and Policies
If a breach were to occur today, as an audit team and as an organization, are you familiar with the steps that trigger SOX disclosure requirements? Will the correct cross functional communication take place to lead to a sufficient and timely disclosure? Organizations are likely better prepared to make that assertion relative to HIPAA or PCI than for SOX.
According to the SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures, the controls and policies in question should be designed to, “ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.”
Ensuring the company has a strong handle in this area is a great opportunity for an audit team to add value and give executives and the Board a level of comfort that the company is prepared.
3. Implement Cybersecurity Controls Using a Reliable Framework
Now that you have the risks, policies, and controls identified, management should design and implement controls to mitigate these risks in alignment with industry accepted standards. The best practice is to use a reliable framework as a foundation for the control environment. For example, leading companies frequently use the NIST Cybersecurity Framework (NIST CSF) as a baseline for designing Cyber SOX controls. Part of the implementation will include training the control owners on the reason why the controls exist and how to communicate if the control were to fail or need to be adjusted based on a changing environment.
4. Monitor and Test the Controls
As with any internal controls, management should monitor the Cyber SOX controls. This can include periodic self assessments, attestations, and other self certifications. As with any internal controls, the audit team can serve as a valuable resource to determine the efficacy of management’s program. An audit group savvy in this emerging area can provide practical and actionable areas to improve resiliency if a breach were to occur. Even basic conversations on this topic and review of documentation can provide valuable insights on the maturity of these SOX cyber disclosure controls and the overall program. Management will also no doubt appreciate having these conversations in advance of the external auditors coming with these questions. As the SEC and PCAOB further ratchet expectations in these areas, external auditors will no doubt increase the level of scrutiny and documentation they require to satisfy their audit requirements.
Managing SOX Cybersecurity Compliance
SOX cybersecurity compliance is just one of several cybersecurity requirements your organization needs to manage every day — so it’s crucial to be deliberate in architecting how these requirements are met. An internal common controls framework is the best way to satisfy requirements across any number of frameworks and regulations while saving time, money, and employee pain and suffering in the process. The days of leveraging spreadsheets to manage increasingly complex environments and areas with mission critical consequences are numbered. The smart organizations will determine what is best to avoid becoming the next “lesson learned” case study as it relates to SOX cybersecurity compliance.
Using software like AuditBoard’s SOX and InfoSec compliance solutions to manage your SOX cybersecurity compliance program will provide the intuitive visibility to react quickly and provide updates to management on impacted controls, compensating controls, and issue remediation if a breach were to occur. On a day to day basis, control updates, evidence collection, and testing are seamless for all stakeholders involved.
