The Sarbanes-Oxley Act (SOX) has transformed business operations, especially in the realm of accounting transparency and financial reporting. This landmark legislation rose from the ashes of a series of catastrophic corporate financial failures, including the infamous Enron scandal more than 20 years ago, the largest bankruptcy in U.S. history. Fast forward to 2023: the cybersecurity rules and amendments proposed by the Securities and Exchange Commission (SEC) are today's parallel to SOX, aiming to address a different but equally crucial issue: cyber threats to business viability. These regulatory changes could have similar implications for reducing the number and impact of cyberattacks, improving the management of cyber risk, and enhancing board accountability for cybersecurity. The SOX playbook suggests several enhancements to the SEC proposal:

Comprehensive cybersecurity framework: In accounting, all accountants speak and report using Generally Accepted Accounting Principles (GAAP). For cybersecurity, requiring public companies to adopt a standardized, comprehensive cybersecurity framework, such as the NIST Cybersecurity Framework, would give organizations a reliable and well-vetted guide for implementing cybersecurity best practices and for reporting on that implementation.

Regular cyber risk and resilience assessment: Just as financial statements are audited annually, the government should require public companies to conduct regular risk assessments (and even penetration testing) to identify and address vulnerabilities, as well as to ensure compliance with the SEC's cybersecurity rules. Companies should also have to periodically review and practice resiliency exercises for their most critical systems to ensure fast and effective recovery following a cyberattack.

Detailed incident reporting: Already included in the proposal, mandatory and timely reporting of cybersecurity incidents can help raise awareness about the types and magnitude of cyber threats facing companies. This requirement could also promote faster response and mitigation, reducing the overall impact of attacks. Taking it to the next level, sharing the technical details of an incident or attack (threat intelligence sharing) can help prevent similar incidents in other organizations.

Third-party risk management: Many cyberattacks occur through vulnerabilities in third-party suppliers or service providers. Companies should have to manage third-party risks, ensuring their suppliers and service providers comply with stringent cybersecurity standards.

More board-level accountability: All publicly traded companies are required to have an audit committee that is responsible for oversight of the financial reporting process, selection of the independent auditor, and receipt of both internal and external audit results. The passage of SOX evolved the audit committee by adding whistleblower and financial expert disclosure requirements. Similarly, the SEC can require a specific Cybersecurity Committee that is responsible for the oversight of cybersecurity practices, cyber risk management, and related reporting. The chairperson should have at least a baseline of cybersecurity expertise to execute these duties with competence.

Cybersecurity education and training: Require regular training for all employees to significantly reduce the risk of cyberattacks, as many attacks exploit human error, such as phishing.

Cyber insurance coverage: Require or encourage companies to have cybersecurity insurance coverage to help minimize the financial impact of cyberattacks.

The SEC proposal and the enhancements proposed in this post can reduce the risk, frequency, and impact of cyberattacks, but no set of rules or regulations can completely eliminate these risks or prevent attacks. Organizations must accept cybersecurity as an ongoing process that requires constant vigilance and adaptation to the evolving threat landscape.

SOX cannot guarantee the elimination of financial reporting scandals or fraud in publicly traded companies, but empirical evidence shows that it has reduced them significantly. Similarly, cybersecurity operates as a cat-and-mouse game in which attackers evolve and try new techniques to cause harm, and companies need to stay ahead of them to stay safe. While the SOX comparison rings true for many aspects of the SEC cybersecurity proposal, the one aspect that differs is the strong need for resiliency: fraud isn't guaranteed, but cyberattacks are almost inevitable. And while we do not yet have the benefit of hindsight to evaluate the proposed cybersecurity rules' effectiveness as we do with SOX, the similarity in approach and objectives suggests that these new rules could have a substantial impact. In an era where data breaches and cyberattacks are increasingly common, these new cybersecurity rules could become the SOX of the digital age, transforming corporate cybersecurity practices and holding boards accountable for cyber resilience in the same way that SOX improved financial reporting and held boards accountable for financial integrity.

Edgard Capdevielle, chief executive officer, Nozomi Networks
Can the SEC use SOX as a model to get cybersecurity rules right?