As cybersecurity becomes more complex, compliance can be increasingly difficult for businesses in highly regulated industries. The Sarbanes-Oxley Act of 2002 (SOX) requires public companies to maintain transparency in financial reporting, prevents fraudulent accounting activities, and protects investors. When it comes to IT, SOX requires companies to have policies and procedures that prevent, detect, and disclose cybersecurity risks and incidents that are considered material, that is, likely to be significant.
We live in a digital world. Our communications, transactions, and day-to-day workflows all happen within a digital enterprise. Companies rely on advances in technology to support current and future business initiatives. Rapidly evolving technology brings increased rewards as well as cybersecurity risks. The causes of those risks range from technological and procedural weaknesses to human error. To maintain security, compliance, and a competitive edge, businesses need to keep pace with the ever-changing nature of the digital marketplace.
SOX Cybersecurity Requirements and Reporting
Companies need to prove that they have data safeguards and procedures ensuring those safeguards are operational. This includes sound access management, preventive security measures, and redundant, secure backups. Security systems must be able to detect data breaches, and the organization needs a communication plan for notifying leadership and investors of identified breaches. In reporting and during a yearly audit, businesses must attest to and provide evidence that these internal controls exist.
“About 90% of known cyber incidents at public companies went undisclosed in regulatory filings in 2018,” according to the Wall Street Journal, which cited data from the Securities and Exchange Commission (SEC). Businesses are responsible for reporting material cybersecurity risks in a timely manner. This can mean that an organization must disclose a risk or incident before its regular reporting cycle. The SEC published the Commission Statement and Guidance on Public Company Cybersecurity Disclosures to provide guidance on disclosures that involve cybersecurity risks and incidents.
SOX requires the signing officer(s), typically the CFO or CEO, to attest that the information in their financial and internal control reports is accurate. The reports cannot contain any false statements, nor can they omit material information. The officers also need documentation demonstrating that the organization is SOX compliant. Intentionally or inadvertently generating misleading reports or falsifying information not only leads to noncompliance but can also result in expensive fines and prison time.
Understanding Risks and Their Impact
How do you know what your material cybersecurity risks and incidents are? How do you know if you have experienced a breach? If you only review alerts periodically, you may miss the context or severity of threats. If your IT team does not have the expertise to analyze risks, they may not see the correlations that signify a material risk. Businesses may not report minor security incidents, deeming them immaterial. What if all these smaller threats and incidents turn out to be one much larger problem? Unable to see the connection between events, an organization could unintentionally omit a material cybersecurity risk from its reporting. Even worse, it can lead to a breach, data loss, and damages.
To truly understand the risks in your environment, you need to monitor your network continuously. You also need the expertise and systems for evaluating the severity of those risks. You cannot disclose what you do not know or fully understand.
With such high penalties for failure to appropriately disclose material cybersecurity risks and incidents, it is critical that your business has a system to identify and assess threats across your network. In the age of digital transformation, periodic reviews of your environment are not enough. Companies need to monitor their network around the clock, and identified threats and incidents need to be assessed and remediated promptly.
Actively Monitoring for Cybersecurity Threats
There is a difference between performance monitoring and cybersecurity monitoring. Performance monitoring lets you know if systems are operating efficiently, but it doesn’t tell you what cyber threats exist or the severity of those risks.
With a pandemic increasing the number of malicious cyberattacks and technology changing daily, it is no longer acceptable to run occasional cybersecurity scans and assume you are seeing an accurate picture of your overall security posture. To have a complete understanding of the risks and incidents that occur on your network, you need 24x7x365 monitoring. With a managed detection and response (MDR) service like CoreArmor, a team of security analysts skilled in forensic analysis is able to identify, evaluate, and provide a response plan for threats and breaches within your network.
Without the help of security analysts and security information and event management (SIEM) technology, you may not see the significant link between several small risks or incidents. Security experts use SIEM platforms to correlate and analyze threats. This gives your business the context and severity of risks, which helps you determine their materiality. Keep in mind that you need a security expert to realize the full benefits of these types of security platforms.
Maintaining Compliance with Comprehensive Cybersecurity
To maintain SOX compliance, your organization needs to be able to measure the materiality of cybersecurity risks and incidents. Without the right tools and expertise, your business could experience a breach causing tremendous financial costs, permanent data loss, or even closure. Even if your organization does not need to be SOX compliant, implementing internal controls and data protection procedures increases your overall security posture.
Whether you are getting ready for an IPO or need to boost your cybersecurity, we are here to help! CoreArmor provides the expertise and services needed to understand and respond to cybersecurity risks. We have years of experience supporting highly regulated organizations in life sciences. Give us a call at 1-855-841-5888 or contact us today.
Read our whitepaper to learn how to maintain IT compliance in the digital enterprise.