What is SOX Compliance in the Cybersecurity World?
The Sarbanes-Oxley (SOX) Act is most associated with corporate transparency and with the accounting and financial controls that safeguard investors from fraudulent financial reporting. However, it is important to remember the ever-increasing role that cybersecurity plays in SOX as digitalisation continues to accelerate and cybersecurity threats, financial reporting and auditors intersect.
After all, financial data is sensitive data, and the financial sector saw attacks by threat actors rise by 238 percent in 2020 alone. Moreover, the 2021 Gartner Hot Spots report names cyber vulnerabilities as a paramount area of risk that auditors need to address, stating that the threat has been further amplified by “large-scale remote working” due to the Covid-19 pandemic and subsequent “Lapses in Security Controls”.
With regulators taking these new and emerging threats to investors into account, companies and auditors need to be aware of evolving requirements in order to keep up with SOX compliance and cybersecurity practices and to protect themselves from cybersecurity risks. Even companies that don’t operate in the US or engage with US customers should take note, as SOX is becoming increasingly global, with the UK Financial Reporting Council (FRC) reportedly working on a UK equivalent.
What is SOX Cybersecurity?
The Sarbanes-Oxley Act (2002), arguably born out of the major fraud by senior executives at Enron and WorldCom in 2002 that not only ruined both companies but helped cause a worldwide economic crash, implemented wide reforms on company reporting and internal controls, including criminal penalties for company officials responsible for internal corporate fraud. Generally, SOX cybersecurity compliance is about companies implementing robust internal controls to protect financial information and related financial reports within company infrastructure and applications.
Two key sections of SOX concerning cybersecurity are:
- Section 302, which requires companies to have internal controls which ensure accurate, timely financial disclosures. The controls have to make sure data is accurate and remains secret until it’s disclosed. Company officials must evaluate these controls when they make a regular report.
- Section 404, which requires internal controls to protect financial data and ensure proper reporting. As many companies outsource financial activities, they rely on SOC reports from their service providers to show compliance.
To further protect investors and the public, companies are expected to make timely, public disclosures when a breach occurs, with Section 409 requiring companies to disclose on a near real-time basis any material changes in the financial condition or operations.
SOX also mandates the establishment of payroll system controls, and under SOX a company must account for its:
- Training costs.
- Benefits and incentives.
- Paid time off.
Certain employers will also need to adopt an ethics program that contains a code of ethics, a communication plan, and staff training.
Who does SOX apply to?
SOX compliance applies to the following entities:
- Publicly traded companies, wholly-owned subsidiaries and foreign companies that operate in the United States.
- Accounting firms that audit public companies. Firms auditing a publicly held company’s books aren’t allowed to do the company’s bookkeeping, audits, business valuations or design/implement an information system, provide investment advisory and banking services, or consult on other management issues.
- Private companies that are planning an Initial Public Offering (IPO) need to comply with SOX before going public.
Generally, private companies, charities, and NGOs don’t need to comply with the entirety of SOX, although there are critical requirements that remain non-negotiable and will incur penalties if they are not met. None of these organisations may knowingly destroy or falsify financial information, nor retaliate against whistle-blowers working with law enforcement.
What are the penalties for non-compliance with SOX?
Being found non-compliant with SOX can include penalties like:
- Steep fines.
- Delisting from public stock exchanges.
- Invalidation of directors and officers (D&O) liability insurance policies.
There are a number of sections that outline penalties for being found in non-compliance with SOX, such as:
- Section 906, where submitting and certifying a misleading or fraudulent financial report can incur fines of up to 5 million dollars and a criminal penalty of 20 years in prison.
- Section 802, where altering, falsifying, mutilating, destroying or concealing financial records, documents, or tangible objects to obstruct, impede, or influence legal investigations can incur penalties of up to 20 years in prison. It also carries a penalty of up to 10 years in prison for accountants, auditors, or others who knowingly and wilfully violate the requirement to maintain all audit or review papers for a period of 5 years.
- Section 806, which protects whistle-blowers’ complaints against retaliation and authorises the US Department of Justice to bring criminal charges against employers that retaliate against the individual(s) concerned.
How do you comply with SOX?
SOX compliance has traditionally been framed in terms of information technology rather than cybersecurity. However, shifts over recent years have required IT auditors to expand their focus and collaborate with financial audit teams to deal with growing cybersecurity risks.
Now more than ever, it’s important that companies stay on top of compliance, cybersecurity best practices and the competition by applying SOX effectively in the face of new requirements, and that they maintain the confidence of investors and the public in how sensitive data is handled.
When incorporating SOX, it’s important that you follow the steps below.
1. Performing a SOX Risk Assessment and Materiality Analysis
Your organisation needs to carry out a rigorous SOX risk assessment that takes into account the cybersecurity risks that fall under SOX. This approach requires cybersecurity expertise in the audit teams and should also include executive and board-level input to help determine your organisation’s definition of “material” cybersecurity risk.
To ensure you’re covering a wide range of bases, cybersecurity best practices recommend that you perform cybersecurity risk management using common frameworks such as NIST and COSO to assist you in the process. When conducting risk assessments, auditors should always examine how comprehensive and well-documented they are, as risk assessments are one of the first things that regulators and enforcement bodies will look at.
2. Fraud Risk Assessment
Ensure that your organisation has conducted a thorough risk assessment for potential fraud activity to support early detection and prevention of fraud. The internal controls you implement should help prevent fraud and mitigate its material impact if it does occur.
3. Implementing Cybersecurity Controls
After performing a risk assessment in which you’ve identified the cybersecurity risks, policies, and control solutions needed to comply with SOX, your company must implement these controls following industry standards. Once again, cybersecurity best practices recommend using a reliable framework such as the NIST Cybersecurity Framework (NIST CSF) as a baseline for designing cyber SOX controls when beginning to build a control environment.
Part of the implementation process is training the control owners on the purpose of and reasons for each control, and on how they should communicate should a control fail or require adjustment due to changes in the environment.
4. Monitoring and Testing Controls
Organisations must monitor and test the security controls they’ve implemented, through periodic self-assessments, attestations, and other self-certifications. Audit teams can be a valuable resource in evaluating the efficiency of management programs and can even provide practical, actionable areas for improving resiliency if trained with that in mind.
It’s important that you regularly test controls and carry out continuous security monitoring of your own infrastructure and that of your vendors in order to prevent and impede data breaches, data leaks and cyber threats. An understanding of log management is important in this process.
5. SOX Disclosures
It’s important for the audit team and the organisation to be familiar with SOX disclosure requirements, knowing the correct channels of communication and the steps needed to make a timely, appropriate disclosure in the event of something like a data breach.
Setting out communication guidelines and who needs to be informed is a key part of incident response preparation.
Securiwiser is a cybersecurity threat detection and monitoring tool that greatly complements a company’s efforts to meet compliance requirements such as SOX.
Securiwiser effectively evaluates and monitors the cybersecurity posture of your organisation and your vendors, flagging up vulnerabilities, exposures and exploits in real-time and presenting them in an easy-to-read, straightforward dashboard. It can check the overall security of your network and cloud, if you have security misconfigurations like a misconfigured Amazon S3 bucket, what company information exists on the dark web, if sensitive data has been exposed, and much, much more.