-mask

SOX Compliance & Requirements in Cybersecurity

The Sarbanes-Oxley Act (known as SOX) went into effect in 2002 to protect shareholders and the general public from accounting errors and fraudulent practices of organizations. It was also tailored to improve the accuracy of corporate disclosures.

SOX was drafted to improve corporate governance and accountability following a number of financial scandals that occurred at Enron, WorldCom, and Tyco as shown below:

Company Details Corporate Fraud Fallout
Enron was a Houston-based commodities, energy and service corporation October 2001

After posting $638 million in third-quarter losses and a $1.2 billion reduction in shareholder equity, the SEC launched an inquiry into Enron finances

· Kept huge debts from the balance sheet and in earnings reports to shareholders

· Embezzlement of corporate funds by Enron executives

· Illegal manipulations of the energy market

· Public accounting firm Arthur Anderson helped falsifying Enron’s financial reports

· Shareholders lost $74B

· Employees lost their jobs and retirement funds

· Former CEO Ken Kay died before serving prison time

· CEO Jeff Skilling was sentenced to 24 years in prison

WorldCom, a telco currently known as MCI, Inc. Early 2001

WorldCom starts turning profits into losses for 2001 and Q1 2002, $9B in total. WorldCom filed for bankruptcy on July 21, 2002

· Inflated assets by $11B

· Inflated revenues with fake accounting entries

· Filed false documents with regulators

 

· $180B loss for investors

· 30,000 jobs were lost

· CEO Bernie Ebbers was sentenced to 25 years in prison

· The CFO was fired, the Controller resigned

· WorldCom filed for bankruptcy

Tyco, New Jersey-based blue-chip Swiss security systems company The CEO and former CFO are charged on September 12, 2002 with fraud · CEO Dennis Koslowski and former CFO Mark Swartz stole S150M

· CEO and former CFO inflated company income by $150M

· Shareholders lost $24M

· Employees lost their jobs and retirement funds

· CEO and former CFO were sentenced to 8 – 25 in prison

· Tyco had to pay investors $2.92B following a class action lawsuit

 

Background of SOX Compliance

In order to crack down on corporate fraud, Senator Paul Sarbanes (MA) and Representative Michael Oxley (OH) drafted the Sarbanes-Oxley Act (aka SOX) to protect investors by:

  • Closing loopholes in accounting practices
  • Strengthening corporate governance rules
  • Increasing accountability and disclosure requirements of corporations, including corporate executives and public accountants
  • Increasing requirements for corporate transparency in reporting to shareholders and descriptions of financial transactions
  • Strengthening whistle-blower protections and compliance monitoring
  • Increasing penalties for corporate and executive malfeasance

SOX is as relevant as ever. It applies to all publicly-held American as well as international organizations that have registered equity or debt services with the U.S. Securities and Exchange Commission (SEC), as well as accounting firms or third parties that provide financial services to these organizations. The SOX compliance landscape has shifted lately to also include cybersecurity as is evident in e.g., COSO launching its “Enterprise Risk Management—Integrating with Strategy and Performance (COSO-ERM) to help organizations with their SOX compliance.

According to the “2017 Sarbanes-Oxley Compliance Survey” of global consultancy firm Protiviti, organizations pay far more attention to cybersecurity and allocate substantial time and resources for compliance than way back in 2002. To illustrate, nearly one-third of organizations that released security disclosures in 2016 have increased their time spent on SOX compliance by 16%.

The Cybersecurity Bill for SOX

To keep up with the times, a proposed new bill, the Cybersecurity Systems and Risks Reporting Act, will amend SOX to also apply to cybersecurity systems and cybersecurity systems officers and bring it up to date. Currently, there are two SOX sections that relate specifically to cybersecurity.

  • The first is Section 302 which requires companies to have systems in place that protect against data tampering – both internally by unauthorized personnel as well as externally by malware or hackers.
  • The second is Section 404 which requires that the organization’s security system can protect the handling of data which should be verified independently. All data must be made available to auditors, including financial records as well as any potential security breaches.

With the new bill, the current Sections 2, 3, and 10 will be modified to add cybersecurity.

In Section2 – Cybersecurity and information system requirement, the current Section 2(a) of SOX will be amended by changing “financial statements” to “financial statements and information systems”. In the current Section 3 (a) “and financial” will be replaced by “financial, and cybersecurity systems”, and in Section 10(b) “quality control policies and procedures” will be replaced by “quality control policies and procedures, cybersecurity systems standards and practices.”

The bill will also add three sections that define the terms information system, cybersecurity system and cybersecurity risk. The latter refers to “a significant vulnerability to, or a significant deficiency in, the security and defense activities of a cybersecurity system.”

How to Become Sox Compliant for Cybersecurity

In short, being SOX compliant (as well as complying with other regulatory standards) requires that security solutions must be in place and the anti-retaliation provisions will protect a wide range of potential cybersecurity whistleblowers. As it stands now, each SOX compliance audit must establish how well an organization is managing its internal controls. Such internal control consists of any type of protocol dealing with the infrastructure that handles the organization’s financial data.

SOX ensures the validity of financial records and protection against disclosure of confidential information. To remain SOX compliant, organizations must have effective security controls in place to ensure the confidentiality, integrity, and availability of their financial data. All financial data must be accurate and protected against modifications, as well as internal and external loss. Moreover, financial information must be made available to the SEC as well as the public. Continuous availability and disaster recovery are crucial for SOX compliance.

Maintaining Compliance

Compliance is a complicated and ongoing process. Cymulate assists organizations with their SOX compliance while reducing their SOX management costs.

Since Cymulate’s assessment platform conducts on-demand simulations delivering immediate results, it provides a full picture of an organization’s security posture thus helping with SOX compliance. The platform allows organizations (and their CISOs) to intelligently implement fixes to mitigate vulnerabilities in their internal controls to prevent SEC repercussions. These capabilities are also valuable for meeting the upcoming cybersecurity provisions as formulated in the new bill.

Want to find out how Cymulate can help your organization with SOX compliance? Do you want to know if your security posture truly holds up? See for yourself how Cymulate’s automated platform will simulate continuous attacks on different vectors to locate vulnerabilities which allows you to mitigate issues to remain SOX compliant.

Start a Free Trial