SEC Cybersecurity Rules: Using the SOX Model to Get It Right

The Sarbanes-Oxley Act (SOX), enacted two decades ago, has transformed business operations, particularly in the realm of accounting transparency and financial reporting. This landmark legislation rose from the ashes of a series of catastrophic corporate financial failures, including the infamous Enron scandal, the largest bankruptcy in U.S. history.  

Fast forward to 2023: the cybersecurity rules and amendments proposed by the Securities and Exchange Commission (SEC) are today’s parallel to SOX, aiming to address a different but equally crucial issue: cyber threats to business viability. These regulatory changes could have similar implications for reducing the number and impact of cyberattacks, improving the management of cyber risk, and enhancing board accountability for cybersecurity.

What Is SOX and Why Did It Work?

The Sarbanes-Oxley Act is widely hailed for its positive influence on corporate governance, the integrity of financial reporting, and ultimately the prevention of accounting scandals. SOX set out to address critical issues contributing to these scandals, such as the obscurity of complex business models, difficult-to-understand financial statements, and aggressive risk-taking behaviors. The law also managed to restructure the relationship between the audit firm and the company, thereby ensuring the reliability of financial reporting. It also established the Public Company Accounting Oversight Board (PCAOB), which independently oversees the accounting profession, creating a robust system for accountability and transparency.

CyberSOX?

Similarly, the proposed SEC cybersecurity rules aim to address growing concerns around cyber threats in today’s digitized corporate landscape. While these rules are not yet in place, it is clear that their intention aligns with that of SOX: to protect stakeholders, in this case, from the damage wrought by cyberattacks rather than financial misrepresentation. This involves ensuring that corporations take appropriate precautions to safeguard sensitive data and digital infrastructure, that they have robust incident response plans, and that they disclose any cybersecurity risks and breaches promptly and transparently.

Specifically, for publicly traded companies, the current SEC proposal would:

  • Require current reporting about material cybersecurity incidents on Form 8-K
  • Require periodic disclosures regarding, among others:
      • Policies and procedures to identify and manage cybersecurity risks
      • Management’s role in implementing cybersecurity policies and procedures
      • Board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk
      • Updates about previously reported material cybersecurity incidents
  • Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL)

This blog post is not the first time that SOX has been referenced in the context of needing to elevate our nation’s cybersecurity posture. In December of 2020, Suzanne Spaulding, Nozomi Networks advisor and former Under Secretary for the National Protection and Programs Directorate (NPPD, a predecessor to CISA) at the US Department of Homeland Security (DHS), co-authored with fellow members of the Cyberspace Solarium Commission (CSC) a blog post highlighting recommendations of that congressionally mandated commission. Those recommendations called for Congress to update the SOX Act to reflect this new digital landscape and to codify into it an earlier version of the proposed cybersecurity rules.

This SEC cybersecurity proposal cannot come soon enough, as cyberattacks against businesses are growing in frequency, sophistication, and automation. According to a recent study, global cyberattacks increased by 38% in 2022 compared to 2021. 2021 was already a challenging year, with possibly the most visible cybersecurity incident occurring in May of that year – the Colonial Pipeline ransomware attack, which proved that monetizing the uptime and availability of our critical infrastructure is not out of bounds for cyber criminals. These cyberattack numbers were driven by smaller, more agile hacker and ransomware gangs, who focused on exploiting the post-COVID-19 collaboration tools rapidly adopted in work-from-home environments. Organizations are unprepared for the volume and sophistication of cyberattacks in this post-Colonial-Pipeline world. This new world requires immediate action and an equivalent level of sophistication and automation in defenses to identify and remediate risks before they are exploited. Simply put, cyberattacks are outnumbering and outmaneuvering even prepared defenses.

Is Executive and Board of Directors Accountability Important?

Without the component of board accountability, it is unlikely that SOX would have been as effective or had such a transformative impact on corporate financial reporting practices. This requirement placed a new level of responsibility on those at the highest levels of the organization, thereby encouraging more careful and accurate financial reporting. SOX holds the chief executive officer and chief financial officer directly responsible for the accuracy, documentation, and submission of all financial reports and internal control structure, increasing their personal liability. It meant that executives could no longer claim ignorance of financial misrepresentation or fraud within their organizations.

The introduction of these SEC cybersecurity rules also implies a significant increase in board accountability, similar to the effects of SOX. Just like SOX holds boards accountable for their companies’ financial integrity, the new SEC rules will hold them responsible for their organizations’ cybersecurity posture. This includes ensuring the implementation of sound cybersecurity practices and fostering a culture of cybersecurity awareness and preparedness.

What Could the SEC Cybersecurity Rules Look Like?

Let’s take this comparative analysis between Sarbanes-Oxley and the proposed SEC cybersecurity rules to the next level! While the specific details of the SEC’s cyber proposal are not yet final or publicly available, it’s possible to speculate about selected enhancements that could make such rules more effective in reducing the likelihood, frequency, and impact of cyberattacks (loosely following the SOX and financial reporting parallels):

  1. Comprehensive Cybersecurity Framework: In accounting, all accountants speak and report using GAAP (Generally Accepted Accounting Principles). For cybersecurity, requiring public companies to adopt a standardized, comprehensive cybersecurity framework, such as the NIST Cybersecurity Framework, would give organizations a reliable and well-vetted guide for implementing cybersecurity best practices and for reporting on that implementation.
  2. Regular Cyber Risk & Resilience Assessment: Just like having audited financial statements annually, public companies should be required to conduct regular risk assessments (and even penetration testing) to identify and address vulnerabilities, as well as to ensure compliance with the SEC’s cybersecurity rules. Companies should also be required to periodically review and practice resiliency exercises on their most critical systems to ensure fast and effective recovery following a cyberattack.
  3. Detailed Incident Reporting: Already included in the proposal, mandatory and timely reporting of cybersecurity incidents can help raise awareness about the types and magnitude of cyber threats facing companies. This requirement could also promote faster response and mitigation, reducing the overall impact of attacks. Taking it to the next level, sharing the technical details of an incident or attack (threat intelligence sharing) can help prevent similar incidents in other organizations.
  4. Third-Party Risk Management: Many cyberattacks occur through vulnerabilities in third-party suppliers or service providers. Companies should be required to manage third-party risks, ensuring their suppliers and service providers comply with stringent cybersecurity standards.
  5. More Board-Level Accountability: All publicly traded companies are required to have an audit committee that is responsible for oversight of the financial reporting process, selection of the independent auditor, and receipt of both internal and external audit results. The passage of SOX evolved the audit committee by adding whistleblower and financial expert disclosure requirements. Similarly, the SEC can require a specific Cybersecurity Committee to be responsible for the oversight of cybersecurity practices, cyber risk management, and related reporting. The chairperson should have at least a baseline of cybersecurity expertise to be able to execute these duties with competence.
  6. Cybersecurity Education and Training: Requiring regular training for all employees can significantly reduce the risk of cyberattacks, as many attacks exploit human error (phishing, etc.).
  7. Cyber Insurance Coverage: Requiring or encouraging companies to have cybersecurity insurance coverage can also minimize the financial impact of cyberattacks.

Of course, as the SEC cybersecurity proposal becomes the law of the land (ideally including some of the enhancements in this post), it should allow public companies some time to reach full compliance, as some of these firms are starting from lower levels of cyber-sophistication. This is especially true for companies in critical infrastructure sectors that have not invested in industrial cybersecurity and need to close a large gap. While SOX was adopted and enforced relatively fast, the incremental gap to close was relatively small. These new cybersecurity rules will need time to get built into companies’ business models.

No Silver Bullets in Cyber! Only Strong Defense and Resiliency

While the SEC proposal and the enhancements proposed in this post can reduce the risk, frequency, and impact of cyberattacks, no set of rules or regulations can completely eliminate these risks or prevent attacks. Cybersecurity is an ongoing process that requires constant vigilance and adaptation to the evolving threat landscape. SOX cannot guarantee the elimination of financial reporting scandals or fraud in publicly traded companies, but empirical evidence shows that it has reduced them significantly. Similarly, cybersecurity is a cat-and-mouse game where hackers are evolving and trying new techniques to cause harm, and companies need to stay ahead of them to stay safe.

While the SOX comparison is appropriate for many aspects of the SEC cybersecurity proposal, the one aspect that differs is the strong need for resiliency (while fraud isn’t guaranteed, cyberattacks are almost inevitable). Perhaps the better comparison here is with the seasonal flu… None of us want to get the flu, and we try to avoid it. Those of us who are more fragile or susceptible should take more precautions (e.g. face masks, vaccines, or otherwise). Our bodies’ immune systems should be in great shape, with antibodies at the ready, so that if and when we get the flu, we can minimize its impact and bounce back quickly. It is not reasonable in this day and age for a seasonal flu or a ransomware attack to have an existential impact on our livelihood. Where perimeter defenses falter, additional security tactics and resilience measures can reduce the severity of impacts. Prevention, Detection, Response, and Resilience are key.

Regulating a More Cyber-Secure Future

While we do not yet have the benefit of hindsight to evaluate the proposed cybersecurity rules’ effectiveness as we do with SOX, the similarity in approach and objectives suggests that these new rules could have a substantial impact. In an era where data breaches and cyberattacks are increasingly common, these new cybersecurity rules might be the SOX of the digital age, transforming corporate cybersecurity practices and holding boards accountable for cyber resilience in the same way that SOX improved financial reporting and held boards accountable for financial integrity.