Thinking outside the SOX: Cybersecurity and SOX
August 30, 2019
The world around us is changing - revolutionised by technology. Organisations are adopting digital technologies to serve their customers and increase their global reach. As the technology continues to mature, so has the sophistication of cyber attacks. Organisations are planning for “when” a cyber attack happens as opposed to “if”. This has a financial as well as a reputational impact on the organisation, more so for those that are publicly traded, as they have a responsibility to protect shareholder value. Does this seem daunting? Don’t worry, there is a lot of guidance out there to help you.
SOX and cyber security
I hear you ask - SOX programmes focus on internal controls over financial reporting (ICFR), so why should I care about cyber? The SEC issued its guidance on this matter in 2011 and further interpretation in 2018, but put simply, cyber is relevant to the extent that it has an impact on ICFR. This is the most common pitfall we see: organisations assume cyber is a business risk and therefore, by default, a risk for ICFR. This is not always the case! For a SOX programme, cyber is only relevant if it has an impact on ICFR.
What should cyber for SOX focus on?
Having been through this with my clients, here are my top 4 areas to consider when evaluating cyber risk:
- Risk assessment: I refer to my colleague Jerome’s previous blog: it is all about the risks! Ask yourself whether cyber is a business risk or an ICFR risk.
- Governance: As I said before, a cyber threat is not an operational risk. It often challenges an organisation’s defences and can paralyse the organisation, leading to significant financial and reputational loss. It therefore needs to be owned and managed by the Board. The cyber risk assessment should be reviewed and approved by the Board on a regular basis, with adequate sponsorship from the Board.
- Safeguarding of assets: Linking into the risk assessment, organisations need to identify those crown jewels which have an impact on ICFR. For example, does the balance sheet carry intellectual property rights or patents as intangibles, and if so, what is the process adopted by management for identifying these assets and protecting them? Where there has been a breach or unauthorised access, does the organisation have a process to identify it and assess the impact on ICFR?
- Security breaches: As I noted earlier, most organisations are preparing for a cyber attack and therefore create cyber defence programmes which include incident response and crisis management. The assessment performed by management needs to consider the effectiveness of the incident response plan, including the frequency at which it is tested and validated.
- Disclosures: With stringent breach reporting requirements such as GDPR (72 hours from breach), there is an onus on organisations to have a robust incident response plan. The effectiveness of this plan should be tested on a regular basis and reported to the Board, and the evaluation should be performed by management.
My favourite way to cover all these topics: adopt a questionnaire-based analysis. It will ensure you complete a comprehensive analysis, and you will have a documented cyber approach for your SOX programme.
Sarbanes-Oxley has been around for nearly two decades now, but expectations from the regulator are changing. Market conditions and changes in the regulatory landscape are requiring companies to adapt and to keep their focus on areas which can affect ICFR - cyber is just the start.