What Is SOX Cybersecurity Compliance?

When most people think of the Sarbanes-Oxley (SOX) Act, they think of protections against fraudulent financial reporting, inaccurate financial statements, and inadequate internal controls in accounting and finance operations. The SOX Act was established in response to high-profile corporate financial scandals involving publicly traded companies such as Enron Corporation, Tyco International PLC, and WorldCom. SOX also includes critical whistleblower provisions and imposes significant criminal penalties on corporate executives for non-compliance.

With technology advancing at a rapid pace, cybersecurity risks affecting financial reporting and the accuracy of financial data have grown significantly. Events such as data breaches and phishing attacks now pose serious threats to both publicly traded and private companies. The 2023 Gartner Hot Spots report identifies cyber threats, Information Technology (IT) governance, and data governance as top risk areas for protecting organizations and stakeholders.

To address these rising risks, regulators are expanding requirements to safeguard executives, auditors, and investors. For auditors, understanding and integrating these cybersecurity requirements at a fundamental level is key to positioning companies for compliance success. In this article, you will learn four steps to incorporate cybersecurity requirements and security controls into your SOX compliance program, equipping your organization to counteract cyber threats effectively.

Key Point: New SEC 2023 Cybersecurity Disclosure Requirements

In 2023, the SEC expanded disclosure requirements to include material cybersecurity incidents and ongoing risk management information. Companies must disclose:

  • Incidents impacting operations or data security;
  • How they manage and mitigate cyber risks; and
  • Annual updates on governance strategies related to cybersecurity.

What Is SOX Cybersecurity Compliance?

SOX cybersecurity compliance involves establishing robust internal controls over IT systems and applications that handle financial data, ensuring timely public disclosure if cybersecurity breaches impact financial reporting.

A key element of SOX compliance is financial disclosure, and the Securities and Exchange Commission (SEC) recently adopted rules requiring registrants to disclose significant cybersecurity incidents they experience. These new regulations also mandate that companies provide annual disclosures on their cybersecurity risk management, strategy, and governance practices. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.

SEC staff issued interpretive guidance in 2011, and the Commission itself in 2018, on how existing disclosure requirements apply to cybersecurity risks and incidents. Additionally, the 2023 SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure requirements (known as “the final rule”) were designed to ensure consistency and comparability across disclosures, enabling investors to assess a company’s cybersecurity risks and its preparedness. This final rule emphasizes collaboration between the IT and financial audit teams to gain a deeper understanding of the cybersecurity risks affecting their organization.

How Are SOX Cybersecurity Requirements Incorporated?

Most companies understand that regulatory requirements around cybersecurity controls will only continue to expand. Forward-looking companies, however, recognize that publicly demonstrating compliance and risk management activities is another arena in which they compete, especially as it relates to cyber threats and cyberattacks. Companies that view SOX and similar programs as opportunities to show they can be nimble in the face of new requirements, and to put investors at ease with their risk management and corporate governance approaches, will be the most attractive investments.

One approach to incorporating SOX cybersecurity requirements is through a structured, proactive process. Here are four critical steps to bolster your organization’s SOX cybersecurity programs:

1. Perform a Cyber SOX Risk Assessment

This step will vary widely in complexity and comprehensiveness based on the size of the organization and the risks it faces. No matter the size of the organization, the only way to truly understand the cyber risk relevant to SOX is to start by performing a risk assessment. It may be appropriate to build these new considerations into your existing SOX risk assessment process. This will likely require expanded thinking beyond the typical approach of backtracking from financial accounts and determining materiality. It requires expertise from all specialties on the audit team, along with executive and board-level input, to decide how your organization will define a “material” cybersecurity risk.

Other organizations, however, may determine that a dedicated cyber approach is better suited. This is sometimes referred to as a Cybersecurity Risk Management Program (CRMP). Common frameworks (NIST, COSO, etc.) offer many resources to aid in refreshing your risk assessment process. Overall, auditors should question how comprehensive and well-documented their company’s risk assessment process is: the risk assessment is a likely root cause regulators will point to if an enforcement action occurs.

2. Identify Disclosure Controls and Policies

If a breach were to occur today, are you, as an audit team and as an organization, familiar with the steps that trigger SOX disclosure requirements? Will the correct cross-functional communication take place to produce sufficient and timely disclosure? Organizations are likely better prepared to make that assertion for HIPAA or PCI than for SOX.

Expanding on the note above, the 2023 SEC final rule specifically requires the disclosure of material information related to cybersecurity incidents in both current and periodic reports. This includes:

  • Disclosure of Cybersecurity Incidents on Current Reports
    • Date of discovery and status of the incident (whether it is ongoing);
    • A brief description of the nature and scope of the incident;
    • Impact on data, including any unauthorized access, alteration, or theft;
    • The effect of the incident on the registrant’s operations; and
    • Whether the registrant has remediated or is currently remediating the incident.
  • Disclosures about Cybersecurity Incidents in Periodic Reports
    • Any material effect of the incident on the registrant’s operations and financial condition;
    • Any potential material future impacts on the registrant’s operations and financial condition;
    • Whether the registrant has remediated or is currently remediating the incident; and
    • Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.
  • Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks
    • Whether the registrant has a cybersecurity risk assessment program and, if so, a description of the program;
    • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
    • Whether the registrant has policies and procedures to oversee, identify, and mitigate the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers, and the contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
    • Whether the registrant undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents;
    • Whether the registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
    • Whether previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;
    • Whether cybersecurity-related risks and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and, if so, how; and
    • Whether cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and, if so, how.

Ensuring the company has a strong handle on the disclosure of sensitive data is a great opportunity for an audit team to add value and give executives and the Board comfort that the company is prepared.

Key Point: Monitor Third-Party Vendors for Hidden Cybersecurity Risks

In today’s interconnected environment, third-party service providers present significant cybersecurity risks. Companies should have protocols to assess and monitor these external vendors, especially those accessing sensitive financial or personal data. Your organization should be conducting thorough due diligence on these vendors, implementing contractual agreements that outline cybersecurity responsibilities, and performing regular assessments to confirm third-party compliance with SOX cybersecurity standards.

3. Implement Cybersecurity Controls Using a Reliable Framework

Now that you have the risks, policies, and controls identified, management should design and implement controls to mitigate these risks in alignment with industry-accepted standards. The best practice is to use a reliable framework as a foundation for the control environment. For example, leading companies frequently use the NIST Cybersecurity Framework (NIST CSF) or ISO 27001 as baselines for designing Cyber SOX controls. Part of the implementation will include training the control owners on why the controls exist and how to escalate if a control fails or needs to be adjusted as the environment changes.

To enhance the effectiveness and efficiency of SOX compliance, many organizations are turning to automation and advanced technologies such as artificial intelligence (AI) and machine learning (ML). These tools allow companies to automate repetitive compliance tasks, detect anomalies in real-time, and manage complex data requirements more accurately. By implementing automation, companies can reduce human error, streamline compliance processes, and maintain a strong cybersecurity posture even as regulatory demands grow.

4. Monitor and Test the Controls

As with any internal controls, management should monitor the Cyber SOX compliance requirements and the overall cybersecurity posture. This can include periodic self-assessments, attestations, and other self-certifications. The audit team can also serve as a valuable resource in determining the efficacy of management’s program. An audit group savvy in this emerging area can provide practical and actionable ways to improve resiliency if a breach were to occur. Even basic conversations on this topic and a review of documentation can provide valuable insights into the maturity of these SOX cyber disclosure controls and the overall program.

Learning from Recent Cybersecurity Incidents

Examining recent cybersecurity incidents can provide practical insights into the effectiveness of SOX compliance programs. For example, high-profile breaches in publicly traded companies have highlighted the need for timely reporting and robust control environments. By studying these cases, companies can learn about potential pitfalls in cybersecurity management and disclosure, while also understanding best practices in mitigating similar risks. This approach allows organizations to assess their current controls and ensure they are well-prepared for possible incidents.

Management will also appreciate having these conversations before the external auditors arrive with these questions. As the SEC and PCAOB further ratchet up expectations in these areas, external auditors will no doubt increase the level of scrutiny and documentation they require to satisfy their audit requirements.

Key Point: In July 2024, cybersecurity firm CrowdStrike released a software update that inadvertently caused widespread disruptions across various sectors, including airlines, healthcare, and financial services. The faulty update led to system crashes and operational halts, highlighting the critical importance of rigorous testing and monitoring of cybersecurity controls. This incident underscores the need for robust monitoring and testing protocols to prevent similar disruptions.

What Is the Best Way to Manage SOX Cybersecurity Compliance?

SOX cybersecurity compliance is just one of several cybersecurity requirements your organization needs to manage every day — so it’s crucial to be deliberate in architecting how these requirements are met. An internal common controls framework is the best way to satisfy requirements across any number of frameworks and regulations while saving time, money, and employee pain and suffering. The days of leveraging spreadsheets to manage increasingly complex environments and areas with mission-critical consequences are numbered. The smart organizations will determine what is best to avoid becoming the next “lesson learned” case study as it relates to SOX cybersecurity compliance.

In conclusion, organizations should take a risk-based approach to identifying controls and policies, implementing those controls based on best practices, and monitoring and testing controls related to SOX cybersecurity compliance efforts. Using software like AuditBoard’s SOX management and InfoSec compliance solutions to manage your SOX cybersecurity compliance program will provide the intuitive visibility to react quickly and update management on impacted controls, compensating controls, and issue remediation if a breach occurs. Your implementation of AuditBoard solutions could lead to similar results as existing customers who have successfully implemented AuditBoard products to map financial accounts to entities and processes, assess materiality and other qualitative factors, centralize control environments, and streamline control testing.

Will Cryer, CISA, CIPT, is an Area Director of Commercial Sales at AuditBoard. Prior to joining AuditBoard, Will spent 9 years with EY in Denver specializing in information technology audits, SOX/ICFR, cybersecurity, privacy, ISO 27001, and SOC Reporting across the FinTech, Technology, and Real Estate industries. Connect with Will on LinkedIn.