Over twenty years ago, a series of corporate financial scandals set off a chain reaction, culminating in criminal convictions and new legislation. After uncovering accounting fraud across public companies like Enron, WorldCom, and Tyco, the US Congress enacted the Sarbanes-Oxley Act of 2002 (SOX). As companies have become more reliant on technology, the Securities and Exchange Commission (SEC), the agency tasked with overseeing SOX Compliance, has updated the requirements to address cybersecurity and looks to implement further changes.
As SOX compliance increasingly incorporates cybersecurity risk, companies can use centralized log management to help with their audit and reporting requirements.
A Brief History of SOX and Cybersecurity
Unlike other regulations, SOX focuses on financial reporting and corporate governance, which means that its connection to cybersecurity requires a bit of explanation.The Original 2002 Act
SOX was a direct response to fraudulent financial reporting and auditor malfeasance. The original sought to protect investors by improving corporate disclosure accuracy and reliability, by implementing:- Public Company Accounting Oversight Board (PCAOB): responsible for implementing and maintaining auditing, quality control, and independence standards and rules
- Auditor Independence: oversight for auditors to mitigate collusion risks
- Corporate Responsibility: rules for corporate governance and penalties for non-compliance
- Financial Disclosures: reporting requirements including management assessment of internal controls
- Corporate and Criminal Fraud Accountability: penalties for altering documents and whistleblower protections
- White-Collar Crime Penalty Enhancements: additional definitions of and penalties for criminal fraud, including corporate responsibility for financial reporting
- Corporate Fraud and Accountability: penalties for corporate misdeeds and protection for informants
- Compromised technologies can undermine reporting accuracy and reliability.
- Data breaches arising from weak internal controls reduce revenue.
Commission Statement and Guidance on Public Company Cybersecurity Disclosures 2018
In 2018, the SEC published a guidance to help public companies prepare cybersecurity risk and incident disclosures. The guidance formalized these by incorporating reference to Section 302 and noting: These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.OCIE Cybersecurity and Resilience Observations 2020
In January 2020, the SEC’s Office of Compliance Inspections and Examinations released its Cybersecurity and Resiliency Observations report. Recognizing that cybersecurity risk management is essential to protect securities markets, the OCIE outlined the various industry cyber risk management and operational resiliency practices observed across its ecosystem, outlining the following seven categories:- Governance and Risk Management: Senior level engagement, developing and conducting a risk assessment, implementing policies and procedures, comprehensive testing and monitoring, continuous evaluation and adaptation, communication across internal and external stakeholders
- Access Rights and Controls: Limiting access according to the principle of least privilege, managing access across the identity life cycle, monitoring access
- Data Loss Prevention: Vulnerability scanning, perimeter security, detective security, patch management, maintaining a hardware and software inventory, encryption and network segmentation, insider threat monitoring, securing legacy systems and equipment
- Mobile Security: establishing policies and procedures, managing mobile device use, implementing security measures like multi-factor authentication (MFA), training employees
- Incident Response and Resiliency: developing a risk-assessed incident response plan, addressing reporting requirements, assigning specific roles and responsibilities, testing and assessing the plan, identifying and prioritizing core business services, assessing risks and prioritizing business operations, considering additional safeguards like backup and recovery
- Vendor Management: establishing a vendor management program that applies industry standard questionnaires and independent audits to third parties, understanding all contract terms to ensure shared risk and security tolerance, monitoring vendor relationship
- Training and Awareness: training staff on organization’s policies and procedures, providing exercises and examples, measuring training effectiveness
The Future of SOX and SEC Cybersecurity Requirements
In May 2022, the SEC proposed new rules around cybersecurity risk management and incident reporting that included the following:- Require reporting about material cybersecurity incidents on Form 8-K
- Require periodic disclosures, including cyber risk identification and management policies and procedures, management role in implementing them, board of directors’ expertise an oversight of cybersecurity risks, updates about previously reported incidents
- Require cybersecurity disclosures to be presented in Inline eXtensible Business
- Reporting Language (Inline XBRL)
- Periodic cybersecurity risk assessments
- Controls that minimize user-related risks and prevent unauthorized system access
- Measures for monitoring systems and overseeing service providers that receive, maintain, process, or otherwise access information or information systems
- Measures to detect, mitigate, and remediate cybersecurity threats and vulnerabilities
- A written plan with processes and measures to detect, respond to, and recover from a cybersecurity incident
Centralized Log Management for SOX Compliance
SOX exists to hold executives accountable for their decisions and internal controls. As the SEC evolves its cybersecurity reporting requirements, organizations need technologies that enable them to address cyber risks while ensuring appropriate communication across senior executives and board of directors. With a centralized log management solution that incorporates security analytics, companies can implement many of OCIE’s best practices for cybersecurity and resilience.Access Rights and Controls
In complex environments, a centralized log management solution that ingests identity and access data from across your environment then pairs it with entity and user behavior analytics (UEBA) enables robust access monitoring. By continuously monitoring user access and looking for anomalous behavior, organizations can handle security functions like:- Privileged access management (PAM)
- Password policy compliance
- Abnormal privilege escalation
- Time spent accessing a resource
- Brute force attack detection
Data Loss Prevention
Some of the data loss prevention tools and processes that OCIE identifies include:- Endpoint security and vulnerability monitoring
- Network traffic inspection, using firewalls, intrusion detection systems (IDS), and email security
- Anti-spam and anti-virus tools
- Encrypting data at-rest and in-motion
- Using access control lists (ACLs)
Incident Response and Resiliency
The faster a company can identify an incident, the faster it can respond to one. With centralized log management, the security team can incorporate threat intelligence and create queries using parameters rather than specific values. With parameterized searches, the team can proactively search for advanced threat activities like:- Abnormal user access to sensitive information
- Abnormal time of day and location of access
- High volumes of files accessed
- Higher than normal CPU, memory, or disk utilization
- Higher than normal network traffic
- Manage investigation priority and status to focus their activities
- Share information, including notes on findings and updates
- Assign investigations to different users to streamline escalation processes
Governance and Reporting
Although all compliance mandates incorporate governance, SOX exists solely to create accountability. With a centralized log management that provides easy-to-read dashboards, security teams can create reports that give senior leadership teams high-level metrics. For example, a dashboard showing that no logon failures were high severity alerts indicates that people forgot their passwords rather than the company facing a credential-based attack. With the right centralized log management solution, security teams can:- Document daily activities to show continuous monitoring
- Document incident response processes, including investigation and remediation
- Automate sending regular reports to senior leadership