Over twenty years ago, a series of corporate financial scandals set off a chain reaction, culminating in criminal convictions and new legislation. After uncovering accounting fraud across public companies like Enron, WorldCom, and Tyco, the US Congress enacted the Sarbanes-Oxley Act of 2002 (SOX). As companies have become more reliant on technology, the Securities and Exchange Commission (SEC), the agency tasked with overseeing SOX Compliance, has updated the requirements to address cybersecurity and looks to implement further changes.
As SOX compliance increasingly incorporates cybersecurity risk, companies can use centralized log management to help with their audit and reporting requirements.
A Brief History of SOX and Cybersecurity
Unlike other regulations, SOX focuses on financial reporting and corporate governance, which means that its connection to cybersecurity requires a bit of explanation.
The Original 2002 Act
SOX was a direct response to fraudulent financial reporting and auditor malfeasance. The original Act sought to protect investors by improving the accuracy and reliability of corporate disclosures, by implementing:
- Public Company Accounting Oversight Board (PCAOB): responsible for implementing and maintaining auditing, quality control, and independence standards and rules
- Auditor Independence: oversight for auditors to mitigate collusion risks
- Corporate Responsibility: rules for corporate governance and penalties for non-compliance
- Financial Disclosures: reporting requirements including management assessment of internal controls
- Corporate and Criminal Fraud Accountability: penalties for altering documents and whistleblower protections
- White-Collar Crime Penalty Enhancements: additional definitions of and penalties for criminal fraud, including corporate responsibility for financial reporting
- Corporate Fraud and Accountability: penalties for corporate misdeeds and protection for informants
Section 302 “Corporate Responsibility for Financial Reports” subparagraph (a)(4) states that the principal executive officer(s) and the principal financial officer(s) or those performing similar functions:
(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
Section 404 “Management Assessment of Internal Controls” subparagraph (b) states:
INTERNAL CONTROL EVALUATION AND REPORTING .—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
When combined, Sections 302(a)(4) and 404(b) act as the foundation for bringing cybersecurity under the purview of SOX requirements and independent audits. Cybersecurity and internal controls affect financial reporting accuracy in two different ways:
- Compromised technologies can undermine reporting accuracy and reliability.
- Data breaches arising from weak internal controls reduce revenue.
Commission Statement and Guidance on Public Company Cybersecurity Disclosures 2018
In 2018, the SEC published guidance to help public companies prepare cybersecurity risk and incident disclosures. The guidance formalized these expectations by referencing Section 302 and noting:
These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.
OCIE Cybersecurity and Resiliency Observations 2020
In January 2020, the SEC’s Office of Compliance Inspections and Examinations released its Cybersecurity and Resiliency Observations report.
Recognizing that cybersecurity risk management is essential to protect securities markets, the OCIE described the cyber risk management and operational resiliency practices it observed across the industry, grouped into the following seven categories:
- Governance and Risk Management: Senior level engagement, developing and conducting a risk assessment, implementing policies and procedures, comprehensive testing and monitoring, continuous evaluation and adaptation, communication across internal and external stakeholders
- Access Rights and Controls: Limiting access according to the principle of least privilege, managing access across the identity life cycle, monitoring access
- Data Loss Prevention: Vulnerability scanning, perimeter security, detective security, patch management, maintaining a hardware and software inventory, encryption and network segmentation, insider threat monitoring, securing legacy systems and equipment
- Mobile Security: establishing policies and procedures, managing mobile device use, implementing security measures like multi-factor authentication (MFA), training employees
- Incident Response and Resiliency: developing a risk-assessed incident response plan, addressing reporting requirements, assigning specific roles and responsibilities, testing and assessing the plan, identifying and prioritizing core business services, assessing risks and prioritizing business operations, considering additional safeguards like backup and recovery
- Vendor Management: establishing a vendor management program that applies industry standard questionnaires and independent audits to third parties, understanding all contract terms to ensure shared risk and security tolerance, monitoring vendor relationship
- Training and Awareness: training staff on organization’s policies and procedures, providing exercises and examples, measuring training effectiveness
The Future of SOX and SEC Cybersecurity Requirements
In May 2022, the SEC proposed new rules around cybersecurity risk management and incident reporting that included the following:
- Require reporting about material cybersecurity incidents on Form 8-K
- Require periodic disclosures, including cyber risk identification and management policies and procedures, management’s role in implementing them, the board of directors’ expertise and oversight of cybersecurity risks, and updates about previously reported incidents
- Require cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL)
Companies that want more insight into the SEC’s approach to cybersecurity compliance can take a look at the proposed new Rule 10 announced in March 2023. While Market Entities are outside the SOX reporting requirements, the rule highlights the policies, procedures, and technical controls that the regulatory agency considers effective at mitigating risk.
For organizations that must comply with SOX, the SEC’s proposed requirements for Market Entities look similar to those outlined in 2018, 2020, and 2022:
- Periodic cybersecurity risk assessments
- Controls that minimize user-related risks and prevent unauthorized system access
- Measures for monitoring systems and overseeing service providers that receive, maintain, process, or otherwise access information or information systems
- Measures to detect, mitigate, and remediate cybersecurity threats and vulnerabilities
- A written plan with processes and measures to detect, respond to, and recover from a cybersecurity incident
Centralized Log Management for SOX Compliance
SOX exists to hold executives accountable for their decisions and internal controls. As the SEC evolves its cybersecurity reporting requirements, organizations need technologies that enable them to address cyber risks while ensuring appropriate communication between senior executives and the board of directors.
With a centralized log management solution that incorporates security analytics, companies can implement many of OCIE’s best practices for cybersecurity and resilience.
Access Rights and Controls
In complex environments, a centralized log management solution that ingests identity and access data from across your environment and pairs it with user and entity behavior analytics (UEBA) enables robust access monitoring.
By continuously monitoring user access and looking for anomalous behavior, organizations can handle security functions like:
- Privileged access management (PAM)
- Password policy compliance
- Abnormal privilege escalation
- Time spent accessing a resource
- Brute force attack detection
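As an added example (not Graylog’s own code), the following Python runs two of the access-monitoring detections listed above over constructed authentication and group-change events: a sliding-window brute-force detector that also notes whether a successful logon followed the burst, and a check for group additions that fall outside a per-user approved baseline. Users, IP addresses, group names and timestamps are all invented for the example, and the approved-groups baseline stands in for whatever identity source an organization actually maintains.

```python
# Added example (not Graylog's own code): access-monitoring detections run
# over constructed authentication and group-change events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; users, IPs and timestamps are invented.
AUTH_EVENTS = [
    {"ts": "2024-03-04T09:00:01", "user": "alice", "src_ip": "10.0.0.5", "result": "failure"},
    {"ts": "2024-03-04T09:00:03", "user": "alice", "src_ip": "10.0.0.5", "result": "failure"},
    {"ts": "2024-03-04T09:00:05", "user": "alice", "src_ip": "10.0.0.5", "result": "failure"},
    {"ts": "2024-03-04T09:00:07", "user": "alice", "src_ip": "10.0.0.5", "result": "failure"},
    {"ts": "2024-03-04T09:00:09", "user": "alice", "src_ip": "10.0.0.5", "result": "failure"},
    {"ts": "2024-03-04T09:00:12", "user": "alice", "src_ip": "10.0.0.5", "result": "success"},
    {"ts": "2024-03-04T10:15:00", "user": "bob", "src_ip": "10.0.0.9", "result": "failure"},
    {"ts": "2024-03-04T10:20:00", "user": "bob", "src_ip": "10.0.0.9", "result": "success"},
]

# Constructed baseline of which groups each user is approved to hold.
APPROVED_GROUPS = {"alice": {"finance-ro"}, "bob": {"finance-ro", "finance-admin"}}

GROUP_EVENTS = [
    {"ts": "2024-03-04T11:00:00", "user": "bob", "action": "group_added", "group": "finance-admin"},
    {"ts": "2024-03-04T11:30:00", "user": "alice", "action": "group_added", "group": "domain-admins"},
    {"ts": "2024-03-04T11:45:00", "user": "alice", "action": "group_removed", "group": "finance-ro"},
]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Flag (src_ip, user) pairs with >= threshold failures inside a sliding
    window, and note whether a success followed the burst within the window."""
    recent = defaultdict(list)   # (src_ip, user) -> failure timestamps still in window
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        key = (ev["src_ip"], ev["user"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["result"] == "failure":
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= threshold:
                findings.setdefault(key, {"failures": 0, "success_after": False})
                findings[key]["failures"] = len(recent[key])
        else:
            # A success right after a burst is the higher-severity case.
            if key in findings and recent[key] and ts - recent[key][-1] <= window:
                findings[key]["success_after"] = True
            recent[key] = []
    return findings


def detect_unapproved_privilege(events, approved):
    """Return group additions that are not in the user's approved baseline."""
    return [
        ev for ev in events
        if ev["action"] == "group_added"
        and ev["group"] not in approved.get(ev["user"], set())
    ]


if __name__ == "__main__":
    for key, finding in detect_brute_force(AUTH_EVENTS).items():
        print("brute force:", key, finding)
    for ev in detect_unapproved_privilege(GROUP_EVENTS, APPROVED_GROUPS):
        print("unapproved privilege:", ev)
```

The threshold and window are parameters rather than constants so the same detector can be tuned per environment; a burst that ends in a success is what should page someone, while a burst with no success is the lower-severity “forgot their password” case.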
Data Loss Prevention
Some of the data loss prevention tools and processes that OCIE identifies include:
- Endpoint security and vulnerability monitoring
- Network traffic inspection, using firewalls, intrusion detection systems (IDS), and email security
- Anti-spam and anti-virus tools
- Encrypting data at rest and in motion
- Using access control lists (ACLs)
Since every technology generates event and security log data, a centralized log management solution becomes a single source for aggregating, correlating, and analyzing data. Companies can implement robust security monitoring that correlates data generated by business applications and data from the cybersecurity technology stack.
For example, an organization can monitor inbound and outbound traffic with its firewall tools:
When this data is combined with IDS alerts, the team gains insight into potential evasion techniques.
With all the log data in a single location, the security team can correlate the network monitoring, antivirus logs, and anomaly detection capabilities for alerts around suspicious data downloads indicating a potential unauthorized exfiltration:
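The correlation described above, as an added example (not Graylog’s own code): firewall egress records, IDS alerts and antivirus detections are joined by host, large transfers to external destinations are kept, and severity is graded by how many independent sources corroborate the transfer within a time window. All records, hosts, destinations, byte counts and signature names are constructed for the example, and the internal network ranges are an assumption.

```python
# Added example (not Graylog's own code): correlating constructed firewall,
# IDS and antivirus records to surface candidate data exfiltration by host.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges; transfers to these are not counted as egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample records; hosts, destinations, byte counts and
# signature names are invented for the example.
FIREWALL = [
    {"ts": "2024-03-04T14:00:00", "src": "10.0.1.20", "dst": "203.0.113.8", "bytes_out": 250_000_000},
    {"ts": "2024-03-04T14:05:00", "src": "10.0.1.20", "dst": "203.0.113.8", "bytes_out": 300_000_000},
    {"ts": "2024-03-04T14:07:00", "src": "10.0.1.31", "dst": "10.0.2.5", "bytes_out": 900_000_000},
    {"ts": "2024-03-04T14:10:00", "src": "10.0.1.45", "dst": "198.51.100.2", "bytes_out": 600_000_000},
]
IDS_ALERTS = [
    {"ts": "2024-03-04T13:58:00", "host": "10.0.1.20", "signature": "CONSTRUCTED-DNS-TUNNEL"},
    {"ts": "2024-03-01T08:00:00", "host": "10.0.1.45", "signature": "CONSTRUCTED-SCAN"},  # days old
]
AV_DETECTIONS = [
    {"ts": "2024-03-04T14:02:00", "host": "10.0.1.20", "name": "Constructed.Trojan.Example"},
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate_exfiltration(firewall, ids, av, byte_threshold=500_000_000, window=timedelta(hours=1)):
    """Sum egress bytes per host to external destinations; for hosts over
    byte_threshold, attach IDS/AV hits within `window` of the egress and
    grade severity by how many independent sources corroborate it."""
    egress = defaultdict(int)
    span = {}  # host -> (first egress ts, last egress ts)
    for rec in firewall:
        if is_internal(rec["dst"]):
            continue   # internal transfers (backups, replication) are not egress
        ts = datetime.fromisoformat(rec["ts"])
        egress[rec["src"]] += rec["bytes_out"]
        first, last = span.get(rec["src"], (ts, ts))
        span[rec["src"]] = (min(first, ts), max(last, ts))

    def near(alert, host):
        t = datetime.fromisoformat(alert["ts"])
        first, last = span[host]
        return alert["host"] == host and first - window <= t <= last + window

    findings = []
    for host, total in egress.items():
        if total < byte_threshold:
            continue
        ids_hits = [a["signature"] for a in ids if near(a, host)]
        av_hits = [a["name"] for a in av if near(a, host)]
        sources = (1 if ids_hits else 0) + (1 if av_hits else 0)
        severity = {0: "low", 1: "medium", 2: "high"}[sources]
        findings.append({"host": host, "bytes_out": total, "ids": ids_hits, "av": av_hits, "severity": severity})
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for finding in correlate_exfiltration(FIREWALL, IDS_ALERTS, AV_DETECTIONS):
        print(finding)
```

In the sample data the 900 MB internal backup is ignored, the 600 MB transfer with no corroborating alert is reported as low severity for triage, and the host that has an IDS alert and an antivirus detection around the same time as its external transfer is the one rated high.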
Incident Response and Resiliency
The faster a company can identify an incident, the faster it can respond to one. With centralized log management, the security team can incorporate threat intelligence and create queries using parameters rather than specific values. With parameterized searches, the team can proactively search for advanced threat activities like:
- Abnormal user access to sensitive information
- Abnormal time of day and location of access
- High volumes of files accessed
- Higher than normal CPU, memory, or disk utilization
- Higher than normal network traffic
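As an added example (not Graylog’s own code) of the parameterized searches described above, this Python hunts constructed file-access events for off-hours access, access from a location outside a user’s baseline, and a daily file-access volume well above the user’s norm. The business-hours window and the volume multiplier are function parameters rather than hard-coded values, so the same hunt can be re-run with different thresholds; the per-user baseline, users, countries and file paths are all invented.

```python
# Added example (not Graylog's own code): a parameterized hunt over constructed
# file-access events for off-hours access, unfamiliar locations and unusual volume.
from collections import defaultdict
from datetime import datetime

# Constructed per-user baseline: normal countries and typical files touched per day.
BASELINE = {
    "alice": {"countries": {"US"}, "files_per_day": 20},
    "bob": {"countries": {"US"}, "files_per_day": 10},
}

# Constructed events: alice touches three ledgers at 03:00 from a new country,
# bob reads 60 files in a morning (six times his baseline), alice's daytime use is normal.
FILE_EVENTS = (
    [{"ts": f"2024-03-04T03:0{i}:00", "user": "alice", "country": "DE",
      "file": f"/finance/q1/ledger-{i}.xlsx"} for i in range(3)]
    + [{"ts": "2024-03-04T10:00:00", "user": "bob", "country": "US",
        "file": f"/finance/q1/invoice-{i}.pdf"} for i in range(60)]
    + [{"ts": "2024-03-04T11:00:00", "user": "alice", "country": "US",
        "file": f"/finance/q1/report-{i}.docx"} for i in range(5)]
)


def hunt_access_anomalies(events, baseline, business_hours=(8, 18), volume_multiplier=3.0):
    """Parameters, not fixed values: the same hunt can be re-run with a different
    business-hours window or volume multiplier. Returns one finding per anomalous
    event plus one per (user, day) whose volume exceeds baseline * multiplier."""
    findings = []
    per_user_day = defaultdict(int)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        profile = baseline.get(ev["user"], {"countries": set(), "files_per_day": 0})
        reasons = []
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            reasons.append("off_hours")
        if ev["country"] not in profile["countries"]:
            reasons.append("new_location")
        if reasons:
            findings.append({"user": ev["user"], "ts": ev["ts"], "file": ev["file"], "reasons": reasons})
        per_user_day[(ev["user"], ts.date())] += 1
    for (user, day), count in per_user_day.items():
        expected = baseline.get(user, {}).get("files_per_day", 0)
        if expected and count > expected * volume_multiplier:
            findings.append({"user": user, "ts": day.isoformat(), "count": count, "reasons": ["high_volume"]})
    return findings


if __name__ == "__main__":
    for finding in hunt_access_anomalies(FILE_EVENTS, BASELINE):
        print(finding)
```

A user with no baseline entry is treated as having no known locations, so every access is flagged as a new location; whether that is the right default depends on how complete the identity inventory is, which is exactly the kind of parameter a team should decide deliberately rather than bury in a query.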
For companies that want to further mature their security posture, Sigma rules can help automate threat hunting processes and help identify incidents faster:
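To show what a Sigma rule actually does when run against log data, here is an added example (not Graylog’s own code and not an official Sigma rule) of a minimal evaluator for a Sigma-style detection over constructed Windows process-creation events. The rule is written as a Python dict that mirrors Sigma’s YAML layout (logsource, selection, filter, condition) so the example has no dependencies; loading real YAML rules would need a parser such as PyYAML. The evaluator supports a subset of Sigma: the `contains`, `startswith` and `endswith` modifiers, lists of values as an OR, and conditions made of selection names joined by `and` with optional `not`. The events, paths and users are invented.

```python
# Added example (not Graylog's own code): a minimal evaluator for a Sigma-style
# detection over constructed process-creation events. The rule is a Python dict
# mirroring Sigma's YAML layout; real YAML rules would need a parser such as PyYAML.
RULE = {
    "title": "Encoded PowerShell command line (constructed example rule)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": "-EncodedCommand",
        },
        # Sigma convention: a filter selection excludes expected noise.
        "filter": {"User|startswith": "NT AUTHORITY\\"},
        "condition": "selection and not filter",
    },
    "level": "medium",
}

# Constructed events; paths, users and the base64 placeholder are invented.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand <base64-placeholder>",
     "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand <base64-placeholder>",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe budget.txt",
     "User": "CORP\\jdoe"},
]


def _match_value(actual, pattern, modifier):
    # Sigma string matching is case-insensitive by default.
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    return a == p


def match_selection(selection, event):
    """All fields in a selection must match; a list of values is an OR."""
    for spec, patterns in selection.items():
        field, _, modifier = spec.partition("|")
        if field not in event:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event[field], p, modifier) for p in values):
            return False
    return True


def rule_matches(rule, event):
    """Supports conditions built from selection names joined with 'and',
    each optionally negated with 'not' (a subset of Sigma's grammar)."""
    detection = rule["detection"]
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        result = match_selection(detection[name], event)
        if negate:
            result = not result
        if not result:
            return False
    return True


def run_rule(rule, events):
    return [e for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    for hit in run_rule(RULE, EVENTS):
        print(RULE["title"], "->", hit["User"], hit["CommandLine"])
```

Of the three sample events, only the first matches: the second satisfies the selection but is excluded by the filter, and the third never matches the selection. Keeping the rule’s logic in a shared, reviewable format like Sigma is what lets the same detection be audited alongside the evidence it produces.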
Once the team detects an incident, it needs a centralized log management solution with lightning-fast search capabilities and the ability to easily pivot during the investigation. With all evidence in a single easy-to-find place, users across all areas involved in the investigation can:
- Manage investigation priority and status to focus their activities
- Share information, including notes on findings and updates
- Assign investigations to different users to streamline escalation processes
These capabilities enable faster time to contain and eradicate, reducing the incident’s impact.
Governance and Reporting
Although all compliance mandates incorporate governance, SOX exists solely to create accountability. With a centralized log management solution that provides easy-to-read dashboards, security teams can create reports that give senior leadership high-level metrics. For example, a dashboard showing that none of the period’s logon failures rose to a high-severity alert indicates that people forgot their passwords rather than the company facing a credential-based attack.
With the right centralized log management solution, security teams can:
- Document daily activities to show continuous monitoring
- Document incident response processes, including investigation and remediation
- Automate sending regular reports to senior leadership
Graylog Security: Advanced Analytics for SOX Compliance
With Graylog Security, organizations gain at-a-glance visibility that enables them to monitor and report on the effectiveness of their cyber risk management practices. Graylog gives security teams the functionality they need without the complexity and costs associated with traditional SIEM solutions. Combining centralized log management, data enrichment and normalization, correlation, threat detection, incident investigation, anomaly detection, and reporting in a single platform, Graylog enables teams to create high-fidelity alerts while shrinking investigation times by hours, days, or weeks.
Using Graylog’s powerful, lightning-fast features, security teams can use Graylog Security’s intuitive UI and out-of-the-box cybersecurity-focused content to gain actionable insights quickly.
For more information about how Graylog Security can help you comply with SOX, contact us today.