When most people think of the Sarbanes-Oxley (SOX) Act, they consider protecting investors from fraudulent financial reporting, inaccurate financial statements, or inadequate accounting and finance controls. After all, SOX was passed in response to several high-profile corporate financial scandals. These scandals involved accounting fraud by publicly traded companies such as Enron Corporation, Tyco International PLC, and WorldCom. SOX also includes whistleblower provisions, and corporate executives face significant criminal penalties for non-compliance.
With the increasing role of technology today, the risks that cybersecurity threats pose to financial reporting and to the accuracy of financial data and financial statements are greater than ever. Real-time issues that fall into this category include data breaches and phishing attacks in publicly traded companies and private companies alike. The 2023 Gartner Hot Spots report identifies Cyberthreats, Information Technology (IT) Governance, and Data Governance as critical risk areas for organizational and stakeholder consideration.
Regulators will continue to emphasize protections against these trends and the impacts they can have on executive officers and investors. Auditors need to understand the emerging requirements at a fundamental level to best position their companies for success. In this article, you will learn four steps to incorporate cybersecurity requirements and related security controls into your SOX program to protect your company from risks associated with threats exploiting vulnerabilities.
What Is SOX Cybersecurity Compliance?
SOX cybersecurity compliance generally refers to a public company implementing strong internal control processes over the IT infrastructure and applications that house the financial information flowing into its financial reports, so that it can make timely disclosures to the public if a breach occurs.
Financial disclosure is a key component of SOX compliance. To that point, the Securities and Exchange Commission (SEC) recently adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.
SEC staff issued related interpretive guidance in 2011, and the Commission itself did so in 2018, on the application of existing disclosure requirements to cybersecurity risks and incidents. The 2023 SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure requirements (the final rule) were created to facilitate “consistent, comparable, and decision-useful disclosures that would allow investors to evaluate registrants’ exposure to material cybersecurity risks and incidents as well as registrants’ ability to manage and mitigate those risks.” The final rule necessitates collaboration between the IT and financial audit teams to more fundamentally understand risk, specifically cybersecurity risk, at their respective companies.
How Are SOX Cybersecurity Requirements Incorporated?
Most companies understand that regulatory requirements around cybersecurity controls will only continue to expand. Forward-looking companies, however, understand that publicly demonstrating compliance and risk management activities is another venue in which they compete, especially as it relates to cyber threats and cyberattacks. Companies that view SOX and similar programs as opportunities to demonstrate their ability to be nimble in the face of new requirements, and to put their investors at ease with their risk management and corporate governance approaches, will be the most attractive investments. One approach to incorporating SOX cybersecurity requirements is to follow these four steps:
1. Perform a Cyber SOX Risk Assessment
This step will vary widely in complexity and comprehensiveness based on the size of the organization and the risks they are facing. No matter the size of the organization, the only way to truly understand the cyber risk relevant to SOX is to start by performing a risk assessment. It may be appropriate to build these new considerations into your existing SOX risk assessment process. This will likely require expanded thinking beyond a typical approach of backtracking from financial accounts and determining materiality. This thinking requires expertise from all specialties on the audit team — and should include executive and board-level input — to determine how your organization will determine what constitutes a “material” cybersecurity risk.
Other organizations, however, may determine that a more dedicated cyber approach is better suited. This is sometimes referred to as a Cybersecurity Risk Management Program (CRMP). There are many resources from common frameworks (NIST, COSO, etc.) to aid in refreshing your risk assessment process. Overall, auditors should question how comprehensive and well-documented their company’s risk assessment process is. The risk assessment is a likely root cause regulators will point to if an enforcement action occurs.
2. Identify Disclosure Controls and Policies
If a breach were to occur today, as an audit team and as an organization, are you familiar with the steps that trigger SOX disclosure requirements? Will the correct cross-functional communication take place to lead to sufficient and timely disclosure? Organizations are likely better prepared to make that assertion relative to HIPAA or PCI than for SOX.
Expanding on the note above, the 2023 SEC final rule specifically requires the disclosure of the following information regarding material cybersecurity incidents and cybersecurity risk management, strategy, and governance:
- Disclosure of Cybersecurity Incidents on Current Reports
  - When the incident was discovered and whether it is ongoing;
  - A brief description of the nature and scope of the incident;
  - Whether any data were stolen, altered, accessed, or used for any other unauthorized purpose;
  - The effect of the incident on the registrant’s operations; and
  - Whether the registrant has remediated or is currently remediating the incident.
- Disclosures about Cybersecurity Incidents in Periodic Reports
  - Any material effect of the incident on the registrant’s operations and financial condition;
  - Any potential material future impacts on the registrant’s operations and financial condition;
  - Whether the registrant has remediated or is currently remediating the incident; and
  - Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.
- Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks
  - Whether the registrant has a cybersecurity risk assessment program and, if so, a description of the program;
  - Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
  - Whether the registrant has policies and procedures to oversee, identify, and mitigate the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and the contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
  - Whether the registrant undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents;
  - Whether the registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
  - Whether previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;
  - Whether cybersecurity-related risks and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and, if so, how; and
  - Whether cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and, if so, how.
Ensuring the company has a strong handle on the disclosure of sensitive data is a great opportunity for an audit team to add value and give executives and the Board a level of comfort that the company is prepared.
3. Implement Cybersecurity Controls Using a Reliable Framework
Now that you have the risks, policies, and controls identified, management should design and implement controls to mitigate these risks in alignment with industry-accepted standards. The best practice is to use a reliable framework as a foundation for the control environment. For example, leading companies frequently use the NIST Cybersecurity Framework (NIST CSF) or ISO 27001 as baselines for designing Cyber SOX controls. Part of the implementation will include training the control owners on the reason why the controls exist and how to communicate if the control were to fail or need to be adjusted based on a changing environment.
4. Monitor and Test the Controls
As with any internal controls, management should monitor the Cyber SOX compliance requirements and the overall cybersecurity posture. This can include periodic self-assessments, attestations, and other self-certifications. The audit team can serve as a valuable resource to determine the efficacy of management’s program. An audit group savvy in this emerging area could provide practical and actionable areas to improve resiliency if a breach were to occur. Even basic conversations on this topic and a review of documentation can provide valuable insights into the maturity of these SOX cyber disclosure controls and the overall program. Management will also no doubt appreciate having these conversations in advance of the external auditors arriving with these questions. As the SEC and PCAOB further ratchet up expectations in these areas, external auditors will no doubt increase the level of scrutiny and documentation they require to satisfy their audit requirements.
What Is the Best Way to Manage SOX Cybersecurity Compliance?
SOX cybersecurity compliance is just one of several cybersecurity requirements your organization needs to manage every day — so it’s crucial to be deliberate in architecting how these requirements are met. An internal common controls framework is the best way to satisfy requirements across any number of frameworks and regulations while saving time, money, and employee pain and suffering in the process. The days of leveraging spreadsheets to manage increasingly complex environments and areas with mission-critical consequences are numbered. The smart organizations will determine what is best to avoid becoming the next “lesson learned” case study as it relates to SOX cybersecurity compliance.
In conclusion, organizations should take a risk-based approach to identifying controls and policies, implementing those controls based on best practices, and monitoring and testing controls related to SOX cybersecurity compliance efforts. Using software like AuditBoard’s SOX management and InfoSec compliance solutions to manage your SOX cybersecurity compliance program will provide the intuitive visibility to react quickly and provide updates to management on impacted controls, compensating controls, and issue remediation if a breach were to occur. Your implementation of AuditBoard solutions could lead to similar results as existing customers who have successfully implemented AuditBoard products to map financial accounts to entities and processes, assess materiality and other qualitative factors, centralize control environments, and streamline control testing.
Will Cryer, CISA, CIPT, is a Senior Manager of Solutions Advisory Services at AuditBoard. Prior to joining AuditBoard, Will spent 9 years with EY in Denver specializing in information technology audits, SOX/ICFR, cybersecurity, privacy, ISO 27001, and SOC Reporting across the FinTech, Technology, and Real Estate industries. Connect with Will on LinkedIn.