Although the Sarbanes-Oxley Act of 2002 (SOX) has been around for nearly two decades, many companies still struggle to meet compliance requirements. Initially enacted in response to public companies mishandling financial reporting, SOX is a compliance requirement for all public companies. Understanding SOX compliance, as well as its requirements and controls, helps organizations create more robust governance processes.
What is SOX?
In 2001, multiple public companies – Enron, Tyco, and WorldCom – became the public face of a corporate scandal. In response to these companies purposefully inflating their financials and lying in public reports, the US government enacted SOX.
Fundamentally, SOX focuses on establishing governance and forcing accountability on senior leadership and Boards of Directors. SOX established the Public Company Accounting Oversight Board (PCAOB), directing it to:
- Oversee public company audits
- Establish audit report standards and rules
- Inspect, investigate, and enforce compliance across auditors, including public accounting firms, their associated persons, and certified public accountants (CPAs)
What are SOX compliance requirements?
To outline a process for corporate governance, SOX consists of ten different titles.
Title I: Public Company Accounting Oversight Board
By establishing the PCAOB, SOX created a standard for governing how audits should be done and principles for auditors to follow.
Some primary components of Title I include:
- Establishing the PCAOB
- Requiring accounting firm to register with the PCAOB
- Establishing auditing standards, including evaluation of internal control structures, assurance over transaction documentation, reporting of material control weaknesses, and noncompliance
- Authorizing PCAOB to impose sanctions
- Requiring the adoption of a principles-based accounting system
Title II: Auditor Independence
One of the reasons that Enron could falsely report their earnings was that their audit firm Arthur Anderson helped them and never reported their false financials. SOX set out multiple rules to govern auditor independence and ensure that audit functions never enabled clients again.
Some of the primary requirements include:
- Prohibiting auditors from engaging in specified non-audit services while engaging in audit work for the client
- Audit committee governance overall auditing and non-auditing services and disclosing approvals to investors
- Audit reports that include critical accounting policies and practices used, alternate treatments discussed with management officials, auditor treatment preference, material written communications between the auditor and senior management
- Audit committee pre-approval of all auditing and non-auditing services, disclosing pre-approval to investors
- Prohibiting auditor from engaging with an organization if the auditor had previously employed the organization’s senior executives within the previous year to remove the conflict of interest issues
- Constraints on how long an auditor can work with an organization
Title III: Corporate Responsibility
This section requires an audit committee to govern auditors and audits.
Some primary requirements under this title include:
- SEC creating requirements that principal executive officer and principal financial officer are responsible for internal controls and receive all material information, certify that financial reports do not contain false statements or material omissions, and certify financial statement fairly present financial condition and operations
- Senior officers certify that auditors and audit committee know all significant internal control deficiencies and any fraud
- Corporate personnel attempting to exert improper influence on auditor is illegal
- Senior leadership or Board of Directors activities that are illegal
- Lawyer professional responsibilities
- Establishment of civil penalties
Title IV: Enhanced Financial Disclosures
This section requires that SEC filings include disclosing material off-balance sheet transactions and relations that have material impact on financial and ensuring no misleading financial information by reconciling financial
Requirements under this title include:
- SEC reports to Congress on off-balance sheet transaction and special purposes entity use, clear communications with investors off-balance sheet transactions, how special purpose entities are used for off-balance sheet transactions
- Prohibiting personal loans by a company to its executives or directors
- Senior management, directors, and principal stockholder disclosures around securities ownership
- Annual reports include internal control report with senior leadership attestation for maintaining internal financial reporting controls, evaluates controls, requires auditing firm attestation around the report
- SEC establishing code of ethical conduct
- SEC review of periodic disclosures
Title V: Analyst Conflicts of Interest
To prevent potential securities analysts from having a conflict of interest, this section:
- Restricts people engaged in investment activities from sharing reports
- Requires that someone not engaged in investment banking activities to oversee analysts
- Prohibits brokers or dealers from sharing negative reports that may hurt banking relationships with subject of report
- Established review and oversight for securities analysts
Title VI: Commission Resources and Authority
This section allocates resources for the SEC for the fiscal year 2003.
Title VII: Studies and Reports
This section established a General Accountability Office (GAO) report to Congress on:
- Public accounting firm consolidations and reduction in firms providing audit services
- Impact consolidation has on capital formation and securities market
- Investment bank and financial advisor roles in assisting public companies to misrepresent financials
It also sets out SEC reports to Congress:
- On credit rating agencies in the securities market
- Problems with securities professional enabling violations
- Enforcement action taken for violations
Title VIII: Corporate and Criminal Fraud Accountability
This title imposes federal criminal penalties for individuals who intentionally obstruct a Federal investigation or bankruptcy case by destroying documents and auditors who do not retain documentation for the five-year required period.
Additionally, this title includes:
- Disallowing debts incurred while violating securities fraud laws from being discharged during bankruptcy
- Prohibiting retaliation against employees who assist in regulatory, Congressional, or supervisory investigations or shareholder fraud proceedings.
- Establishing fines and prison sentences for people knowingly defrauding shareholders
Title IX: White-Collar Crime Penalty Enhancements
This title establishes criminal penalties for attempted and conspiracy to commit criminal fraud and increases criminal penalties for mail and wire fraud.
Additionally, this title includes:
- A requirement that senior corporate officers certify in writing that all financial statement and disclosure comply with SEC rules and daily present all material information on operations and financial condition
- Corporate officer criminal liability for not certifying report, including imprisonment for up to ten for certifying while knowing and up to twenty years for willfully certifying reports that violate the law
Title X: Corporate Tax Returns
This title sets out that the Chief Executive Officer (CEO) should sign the company’s Federal income tax return.
Title XI: Corporate Fraud Accountability
This title amends multiple federal criminal laws to increase criminal penalties and establish prison terms for violation of the law.
Where do SOX and cybersecurity overlap?
SOX itself never mentions cybersecurity. However, in 2018, the SEC released a “Commission Statement and Guidance on Public Company Cybersecurity Disclosures (the Guidance).” The SEC realized that increased technology use and data breach risk impact corporate financials. In fact, the Guidance lists several financial risks linked to cybersecurity:
- Remediation costs
- Cybersecurity protection costs
- Lost revenue due to customer churn after an attack
- Litigation and legal risks, including regulatory fines
- Increased insurance premiums
- Reputation damage
- Damage to competitiveness, stock price, and long-term shareholder value
In order to comply with SOX, public companies need to ensure that they establish appropriate controls and security monitoring programs that mitigate risk.
In 2020, the SEC released new guidance “Cybersecurity and Resiliency Observations” (Resiliency Guidance) through its Office of Compliance Inspections and Examinations (OCIE). This revised guidance offered greater specificity for organizations that need to file public financial reports.
What are the SOX cybersecurity requirements and controls?
Under the Resiliency Guidance, OCIE set out seven primary requirements organizations need to meet.
1. Governance and risk management
Keeping the SOX theme of senior leadership and Board of Director accountability, the first requirement focuses on how organizations can establish cyber resilient programs.
- Senior-level engagement: Assign board and senior leadership responsibilities for oversight.
- Risk assessment: Develop and conduct a risk assessment that identifies, manages, and mitigates risk according to the organization’s business goals, including identifying and prioritizing vulnerabilities.
- Policies and procedures: Adopt and implement comprehensive policies and procedures.
- Testing and monitoring: Establish comprehensive testing and monitoring to validate security controls’ effectiveness.
- Continuously evaluating and adapting to changes: Responding to any gaps or weaknesses by updating policies and procedures
- Communication: Establish policies and procedures for internal and external communication for various stakeholders.
2. Access rights and controls
Access controls should limit user access according to the principle of least privilege, meaning the least amount of access necessary for a user to complete their job function.
- User access: Understand access needs, limit access to sensitive systems and data according to the principle of least privilege, and periodically review access
- Access management: Manage user access by:
- Limiting access during user onboarding, transfer, and termination
- Implement separation of duties to limit fraud
- Recertify access periodically
- Require strong, periodically changed passwords
- Use multi-factor authentication (MFA)
- Revoke system access upon employment termination
- Access monitoring: Monitor use and develop procedures that:
- Monitor for failed login attempts and account lockouts
- Ensure appropriate handling of customer password/login requests and for authentication abnormal requests
- Review system hardware and software changes
- Ensure appropriate access requests processes and policies
3. Data loss prevention
Data loss prevention focuses on ensuring that sensitive data is not lost, misused, or accessed by unauthorized users.
- Vulnerability scanning: Establish a vulnerability management program that scans all networks, endpoints, systems, and applications
- Perimeter security: Control, monitor, and inspect all incoming and outgoing network traffic
- Detective security: Implement endpoint security scanning for both signature and behavioral-based capabilities to prevent unauthorized software or malware from running
- Patch management: Establish a program for installing security updates on all software, hardware, and firmware.
- Inventory hardware and software: Maintain current inventory of hardware and software assets, including identifying critical assets and information
- Encryption and network segmentation: Ensure appropriate:
- Data-in-motion encryption both internally and externally
- Data-at-rest encryption on all systems
- Network segmentation and access control lists to limit data availability
- Insider threat monitoring: Establish an insider threat program to identify suspicious behavior, including chain of reporting
- Securing legacy systems and equipment: Before decommissioning hardware or software ensure:
- Removal of sensitive information
- Prompt hardware and software disposal
- Reassessment of vulnerability and risk
4. Mobile security
Since mobile devices pose unique risks, organizations need appropriate security measures.
- Policies and procedures: Establish mobile device use policies and procedures
- Managing the use of mobile devices: Use mobile device management (MDM) or similar technology for the organization’s business, including a “bring your own device” policy
- Implementing security measures: Require MFA for all internal and external users.
- Training employees: Employ cyber awareness training for mobile device security and policies
5. Incident response and resiliency
Incident response includes detecting and disclosing information about incidents in a timely manner and assessing the corrective actions taken.
OCIE suggests the following for incident response planning:
- Development of a plan: Develop a risk-based incident response plan for various, business-context drive scenarios using threat intelligence, including procedures for timely notification, escalating incidents through the management chain of command, and communicating with key stakeholders.
- Addressing applicable reporting requirements: Comply with applicable federal and state reporting requirements, including:
- Contacting local authorities or the FBI
- Informing regulators
- Notifying customers, clients, and employees as necessary
- Assigning staff to execute specific areas of the plan: Designate employees with specific roles and responsibilities in case an incident occurs.
- Testing and assessing the plan: Test the plan and recovery times using a variety of methods, including tabletop exercises.
OCIE suggests the following for resiliency:
- Maintain inventory of core business operations and systems: Identify and prioritise core business services to understand the impact a system or process failure would have
- Assessing risks and prioritizing business operations: Align the operational resiliency strategy with risk tolerance, including:
- Determining systems and process that can mitigate business interruption
- Ensuring geographic separation of backup data
- Understanding the effects business disruption has on stakeholders and other organizations
- Considering additional safeguards: Maintain backup data both offline and on a different network
6. Vendor management
Practices and controls around vendor management include conducting due diligence, monitoring, and governance, including vendors as part of risk assessment process, and assessing vendor security.
- Vendor management program: Establish a vendor management program to ensure vendors manage security appropriately, including using questionnaires and independent audits. Establish procedures for terminating contracts, including for cloud-based service providers.
- Understanding vendor relationships: Understand all contract terms around risk and security, including liability, right, responsibilities, expectations, and vendor security risk management.
- Vendor monitoring and testing: Monitor the vendor relationship to ensure they meet contractual security requirements and ensure governance over services and personnel.
7. Training and awareness
Training helps employees mitigate cyber risks by understanding their responsibilities and heightening their cyber threat awareness.
- Policies and procedures as a training guide: Train staff on the organization’s cybersecurity policies and procedures to build a culture of cybersecurity readiness and operational resiliency
- Including examples and exercises in trainings: Provide specific cybersecurity and resiliency training, including phishing exercises, that educate on how to identify and respond to indicators of a breach.
- Training effectiveness: Track and maintain records of training and assessment effectiveness.
SecurityScorecard: Continuous monitoring and vendor risk management for SOX compliance
SecurityScorecard’s security ratings platform enables organizations to continuously monitor their cyber risk posture. Our easy-to-read security ratings provide at-a-glance visibility into the strength of an organization’s security program, using A-F ratings.
SecurityScorecard’s platform scans networks to identify and detect devices, including workstations, servers, and Internet of Things (IoT) devices. Our alerts help prioritize risks and include actionable steps that security teams can take to remediate control weaknesses.
SecurityScorecard’s platform also monitors third-party vendors, giving insight into supply chain risk. With our Atlas platform, companies can compare vendor questionnaire responses to our security ratings, getting real-time, independent assurance over vendor risk.