As the digital transformation trend continues, cyberattacks are becoming increasingly common, leading to escalating threats to and impacts on individual businesses and the global economy. An enterprise’s operations can be halted by one attack if substantial amounts of data are encrypted or improperly transferred through the work of a malicious actor. Large enterprises have increased their focus on securing proprietary and customer information in recent years, driven by enhanced regulatory requirements and customer expectations. Despite these efforts, well-known retail, technology and social media enterprises, along with others in the healthcare, defense and aerospace industries, have experienced breaches, allowing the personal data of millions of people and sensitive industrial and defense-related data to be exfiltrated and used by criminal and nation-state actors.
Given the current landscape, it is apparent why regulatory agencies, such as the US Securities and Exchange Commission (SEC) and the European Union Agency for Cybersecurity (ENISA), and executive agencies, including ministries and departments of health and defense around the world, are taking serious interest in the cyberthreats affecting investors, customers, patients, infrastructures and national security interests. In the United States, numerous laws and regulations have been passed at both the federal and state levels to protect certain types of information, creating a patchwork of requirements with which enterprises must comply. However, because enterprises have limited resources available for cybersecurity investment, this uncoordinated approach has clouded objectives and led to decision paralysis. Could cybersecurity implementation benefit from a US Sarbanes-Oxley Act of 2002 (SOX)-type approach?
Regulatory Oversight Through Internal Controls
SOX was enacted in the aftermath of multiple major corporate accounting and fraud scandals in the United States.1 Among its key provisions, SOX authorized the SEC to create regulations to define how publicly traded corporations must comply with the law’s requirements related to public disclosures, internal controls and financial reporting. A core tenet of the law that translates well to current cybersecurity challenges is the need for a strong internal control framework in which both control design and effectiveness are tested by management and certified by executive leadership. Under SOX section 302, the principal executive officer(s) and principal financial officer(s) must, among other things, establish, maintain, assess and certify the effectiveness of the enterprise’s internal controls.2 Under SOX section 404, an independent auditor must attest to management’s assessment of the internal control environment.3
SOX does not prescribe specific controls or a specific framework for assessing controls over financial reporting or the safeguarding of financial data, leaving that decision to the individual enterprise.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Integrated Framework is a popular choice that contains five components for compliance:
- Control environment
- Risk assessment
- Information and communication
- Monitoring activities
- Existing control activities
Several IT and cybersecurity best practices are required or highly recommended for the protection of information systems involved in the financial reporting process. A SOX IT audit is concerned primarily with controls in the areas of change management, access control, and data backup and recovery as they relate to in-scope financial reporting systems.
A cybersecurity program may be designed to become more comprehensive as the organizational scope extends beyond financial reporting. There is no shortage of cybersecurity frameworks that can be leveraged to form a risk-based approach to assessing the design and operating effectiveness of cybersecurity controls. Some of the more popular cybersecurity control frameworks in use today are outlined in figure 1.
Although many frameworks have been developed for specific uses, they share some of the same underlying principles. While COSO is generally applicable to all internal controls, COBIT® is used primarily for the assessment of IT-integrated accounting and financial systems and is the most widely accepted source of guidance on SOX IT compliance.4 In addition to and separate from its oversight of SOX, the SEC is now focusing on financial risk stemming from data breaches and vulnerabilities and is requiring organizational processes that promote the timely escalation of cybersecurity issues to the executive level and the disclosure of material vulnerabilities and incidents in quarterly and annual reports. The SEC’s newly proposed rules would also require consistent and informative disclosure regarding cybersecurity risk management and strategy.5
Also widely accepted for conducting IT, cloud and software vendor assessments are the Service Organization Controls (SOC 2) reports (types I and II) promulgated by the American Institute of Certified Public Accountants (AICPA). These reports, issued by accountants, are intended to assess a service organization’s internal controls in one or more of the following areas: privacy, confidentiality, processing integrity, availability and security. The SOC reporting structure was created to ensure that third-party service providers, vendors and business partners offer trusted and secure platforms and software, which are essential in the rapidly expanding as-a-Service market. The SOC 2 report can increase trust between enterprises and among consumers by providing an objective report on the system standards underlying a service or platform. Furthermore, to demonstrate that enterprises have effective processes and controls in place to detect, respond to, mitigate and recover from security events, the AICPA developed the SOC for cybersecurity, which reports on the enterprisewide cybersecurity risk management program.
The US Department of Defense (DoD) and its industry partners in the defense industrial base are responsible for securing information directly related to US national defense. Although a structure has been in place for decades to protect classified information,6 the DoD is working to implement an assurance framework for the protection of controlled unclassified information. The Cybersecurity Maturity Model Certification (CMMC) program, which is planned to go live in mid-2023, will be implemented through contractual requirements included in the US Defense Federal Acquisition Regulation Supplement (DFARS); in certain cases, it will require contractors to pass an assessment based on US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security requirements every three years.7 One potential aspect of the CMMC program that will have similarities to SOX is a requirement for executive certification of an enterprise’s cybersecurity framework, requiring executives to take responsibility for ensuring that the program meets requirements and is functioning effectively. It should be noted that program requirements are still under development, and there is concern that the costs of implementing new safeguards may disincentivize smaller contractors and nontraditional contractors from bidding on US defense contracts, limiting innovation and readiness.
As other federal agencies grapple with cyber challenges, SOX-like programs may be enacted beyond the DoD to safeguard important information for all enterprises working under US federal contracts. Such programs would likely consist of similar requirements for internal controls, based on NIST SP 800-171 requirements, along with the obligation to disclose network and data breaches. This approach would help ensure consistency and standardization of sound cybersecurity practices, implementing procedures that, at a minimum, would incorporate routine training, access controls, change management, monitoring and alerting, and vulnerability scanning, as well as guidelines for incident response and breach disclosure.
Investment and Benefits
As things stand, the growing risk of cyberattacks has been recognized by industry leaders and regulators alike, but the patchwork approach currently being taken has created uncertainty, inefficiency and confusion, resulting in vulnerabilities. SOX is by no means a perfect law, and many of those involved with early compliance actions can attest to the high costs of building an internal control program and the ongoing monitoring required to maintain it. However, SOX established a consistent and sound framework of controls over financial reporting that embedded accountability and independent oversight, helping to restore faith in financial markets. Certain industries present an outsized risk to the greater economy and national security, and SOX-like flexibility allows for targeted supplemental requirements to ensure that commensurate safeguards are in place. A common risk-based framework that accounts for enterprise size, data criticality and impact and is built on sound cybersecurity and risk assessment principles, consistent reporting requirements, independent attestation and executive-level accountability would do much to improve cybersecurity for both US enterprises and global enterprises doing business within the United States. Implementing requirements that impact so many would take a large investment of political capital and stakeholder energy, but it would be an investment in making enterprises that operate in the US and global economy safer. The costs of continuing the current fragmented approach will ultimately be greater.
Endnotes
1 Blokhin, A.; “The Impact of the Sarbanes-Oxley Act of 2002,” Investopedia, 17 January 2022, http://www.investopedia.com/ask/answers/052815/what-impact-did-sarbanesoxley-act-have-corporate-governance-united-states.asp
2 United States Congress, Sarbanes-Oxley Act of 2002, P. L. 107‒204, USA, 2002, http://www.congress.gov/bill/107th-congress/house-bill/3763/text
3 Ibid.
4 ISACA®, IT Control Objectives for Sarbanes-Oxley, 4th Edition, USA, 2021, http://store.yutb.net/s/store#/store/browse/detail/a2S4w000004LF0QEAW
5 Southwell, A.; A. Beringer; L. Zyskowski; T. Kim; J. Lapitskaya; “SEC Proposes Rules on Cybersecurity Disclosure,” Gibson Dunn, 11 March 2022, http://www.gibsondunn.com/sec-proposes-rules-on-cybersecurity-disclosure/
6 Code of Federal Regulations, Part 117—National Industrial Security Program Operating Manual (NISPOM), 32 CFR 117, USA, 2020, http://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-117
7 Bourne, T. L.; N. Snyder; “Updated Timeline for DoD’s Cybersecurity Certification Program,” The National Law Review, 18 July 2022, http://www.natlawreview.com/article/updated-timeline-dod-s-cybersecurity-certification-program
MIKE TOMASELLI | CISA, CISM, CIA, CISSP
Mike Tomaselli is a senior manager with Chess Consulting LLC. He has more than 15 years of experience in risk management, regulatory compliance and cybersecurity. His primary focus is assisting government contractors with procurement regulations and information security requirements.