The Sarbanes-Oxley Act (SOX), enacted by the United States Congress in 2002, is a landmark law that aims to improve transparency, accountability and integrity in financial reporting and corporate governance. The act was a response to high-profile corporate scandals, such as those of Enron, WorldCom and Tyco International, which shook investor confidence and highlighted the need for regulatory reforms to prevent corporate fraud and protect investor interests.
Compliance with the SOX Act is mandatory for companies listed on a stock exchange in the US. Failure to comply with SOX requirements can result in significant legal, financial and reputational consequences for companies and their managers. Organizations must prioritize SOX compliance efforts to maintain the integrity of financial reporting, protect the interests of investors and preserve public trust in the capital markets.
SOX Cybersecurity Compliance Requirements
While the Sarbanes-Oxley Act focuses primarily on financial reporting and corporate governance, cybersecurity plays an increasingly significant role in ensuring the integrity, confidentiality and availability of financial data. Although SOX does not specifically mandate cybersecurity requirements, several provisions of the law indirectly affect cybersecurity practices and compliance efforts. SOX audits include verification of the IT general controls (access, change management, operations) that support financial reporting, and those controls are heavily focused on cybersecurity.
The relevant technical components are:
- Internal control over financial reporting (ICFR):
- Section 404 of SOX requires public companies to establish and maintain adequate internal controls over financial reporting (ICFR). While the focus is on financial controls, cybersecurity controls are an integral part of ensuring the accuracy and reliability of financial information. This is the section most often referred to for cyber security purposes.
- Cyber security controls, such as access controls, data encryption and intrusion detection systems, are essential components of ICFR to protect financial data from unauthorized access, manipulation or disclosure.
- Risk assessment and management:
- SOX encourages companies to perform risk assessments to identify and assess risks to the accuracy and completeness of financial reporting. Cyber security risks, including data breaches, unauthorized access and system vulnerabilities, can have a significant impact on financial reporting and should be considered in risk management efforts.
- Companies should assess cyber security risks, vulnerabilities and threats to financial and data systems and implement controls to mitigate identified risks.
- Data integrity and confidentiality:
- SOX emphasizes the importance of data integrity and confidentiality in financial reporting. Cyber security measures, such as data encryption, integrity checks (for example, hashing financial files and records and alerting on any unauthorized change) and access controls, help ensure the accuracy, completeness and confidentiality of financial data.
- Companies must implement measures to protect financial data from unauthorized access, alteration or disclosure to maintain data integrity and confidentiality.
- Reporting and responding to events:
- Although not specifically stated in SOX, incident reporting and response capabilities are essential to reducing the impact of cybersecurity incidents on financial reporting and compliance.
- Companies must have procedures in place to report and promptly respond to cybersecurity incidents, including data breaches, unauthorized access, or malware infections, that could affect the integrity of financial data.
- Third Party Supply Chain Risk Management:
- Because ICFR extends to processes that are outsourced, SOX compliance requires companies to assess and manage risks associated with service providers and third-party vendors with access to financial systems or data.
- Companies should evaluate third-party vendors' cybersecurity practices and controls to ensure they meet security standards and do not pose a risk to the integrity of financial reporting.
- Independence and supervision of an auditor:
- SOX requires auditor independence to ensure the objectivity and integrity of a financial audit. Cyber security controls and practices are relevant to audit processes and may affect the auditor's evaluations of internal control and financial reporting.
- External auditors evaluate cybersecurity and IT general controls as part of their audit of ICFR, since a weakness in those controls can undermine the reliability of the financial reporting processes that depend on them.
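The integrity checks referred to above are usually implemented as file integrity monitoring: a trusted baseline of cryptographic digests is taken for the files that feed financial reporting, and the live system is periodically compared against it. The following is an added example written for this article, not code from the original page or from Tripwire; the file names and contents are constructed sample data written to a temporary directory, and the tampering at the end is simulated so the report has something to find.

```python
"""
Hash-based file integrity baseline and verification (added example).

Builds a baseline of SHA-256 digests for every file under a directory, then
re-checks the tree and reports files that were modified, removed or added.
The sample ledger files below are constructed for the demo; a real deployment
stores the baseline where the monitored host cannot overwrite it.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through SHA-256 so large ledgers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against the baseline.

    Returns sorted lists of modified, missing and unexpected (added) files.
    A file whose content changed but whose name did not shows up as modified;
    a file that vanished shows up as missing; anything new shows up as added.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """End-to-end run on constructed sample data; returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger").mkdir()
        # Constructed sample financial files (not real data).
        (root / "ledger" / "q3_journal.csv").write_text("account,amount\n4000,125000.00\n")
        (root / "ledger" / "q3_trial_balance.csv").write_text("account,debit,credit\n1000,125000.00,0\n")
        (root / "config.ini").write_text("[reporting]\nperiod=2024-Q3\n")

        # Take the baseline and serialize it, as a monitoring agent would ship it off-host.
        baseline_blob = json.dumps(build_baseline(root))

        # Simulated tampering: a posted amount is altered, the config is deleted,
        # and an unexpected adjustment file appears.
        (root / "ledger" / "q3_journal.csv").write_text("account,amount\n4000,12500.00\n")
        (root / "config.ini").unlink()
        (root / "ledger" / "adjustment.csv").write_text("account,amount\n4000,112500.00\n")

        return verify(root, json.loads(baseline_blob))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo prints a report naming `ledger/q3_journal.csv` as modified, `config.ini` as missing and `ledger/adjustment.csv` as added. In practice the baseline is refreshed only through the change-management process, so that every difference the check reports is either an approved change or an incident to investigate; that linkage between monitoring and change approval is what an ICFR auditor looks for.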
Cybersecurity Best Practices for SOX Compliance
To comply with Sarbanes-Oxley, make sure you implement the following best practices:
- Strong password management:
- The strongest passwords are long passphrases – the longer they are, the stronger they are. While many requirements include a minimum of 8 characters, 14 or more is preferable. Complexity is less important but may also be a policy or other requirement.
- Prohibit password reuse. Passwords should have a single purpose for each application or context.
- Avoid shared passwords wherever possible. Passwords should be directly associated with a single user. Additional controls should be in place where a shared credential is unavoidable (e.g., restricting who can view a service account's password or access token, storing it in a vault or other protected location, and logging every retrieval).
- Encourage the use of password managers to securely store and generate strong passwords for users.
- Multi-Factor Authentication (MFA):
- Require users to perform multi-factor authentication, combining a password with a second factor such as a hardware token, an authenticator app code or a biometric, wherever possible.
- MFA adds an extra layer of security and helps prevent unauthorized access, even if passwords are compromised.
- Avoid email or SMS as the second factor if possible. Hardware tokens, authenticator apps and biometrics are less susceptible to interception and social engineering attacks.
- Phishing awareness training:
- Provide comprehensive training to educate users about the risks of phishing attacks and how to identify and report suspicious emails or messages.
- Conduct mock phishing exercises to test user awareness and reinforce cybersecurity best practices.
- Data handling methods:
- Educate users on the importance of protecting sensitive financial data and the consequences of mishandling or unauthorized disclosure.
- Apply a data classification policy that clearly defines the sensitivity of financial information and specifies appropriate handling and storage methods for each classification level.
- Device security:
- Ensure devices that access financial systems or data, such as laptops, desktops and mobile devices, are secured with anti-virus software and up-to-date security patches.
- Encrypt devices using full disk encryption to protect data stored locally and implement remote wipe capabilities to reduce the risk of data loss or theft in the event of device loss or theft.
- Remote work security:
- Establish secure remote access policies and procedures to allow employees to work remotely without compromising the security of financial data.
- Encrypt data transmitted over remote connections using virtual private networks (VPNs) and secure remote desktop gateways rather than exposing remote desktop services directly to the internet, to prevent unauthorized access.
- Reporting and responding to events:
- Encourage users to immediately report suspicious activity, security incidents, or data breaches to the appropriate IT security or incident response team.
- Develop and review incident response plans to ensure a coordinated and effective response to cyber security incidents affecting financial or data systems.
- Regular security awareness training:
- Provide ongoing cybersecurity awareness training to strengthen users' knowledge of security best practices and promote a culture of security awareness within the organization.
- Include real-world examples and case studies to illustrate the consequences of security breaches and the importance of SOX compliance.
In summary, while SOX does not explicitly mandate cybersecurity requirements, several provisions in the law indirectly affect cybersecurity practices and compliance efforts. SOX audits will examine cybersecurity controls, and there is an expectation that they are in place to protect financial data and reporting. By incorporating cybersecurity controls and procedures into their overall compliance programs, organizations can reduce risk, protect financial data, and meet SOX compliance principles. As cybersecurity threats evolve, companies must remain vigilant and proactive in addressing cybersecurity risks to maintain compliance and protect investor interests.
To find out how you can make your next SOX audit faster and more efficient, request a demo of Fortra's Tripwire compliance solution here.