The (Cyber Security) Fuss About Sarbanes-Oxley


In the cyber security news realm, there’s been a lot of talk these days regarding Sarbanes-Oxley. To give some formal background, the Sarbanes-Oxley Act of 2002 (sometimes referred to as SOX or Sarbox) was passed by Congress to keep companies from participating in dubious financial activity. The Act requires companies to provide disclosures of their internal accounting reports. It was a response to the early 2000s, when we saw a lot of sketchy activity by corporations such as Enron and WorldCom. The Act overhauled the system of internal controls within corporations. Before SOX, companies relied on consultants or “auditors” for their corporate financial reports, but because the role of internal consultant could be so lucrative in itself… Well, I’m sure you could say that there was a conflict of interest.

Sarbanes-Oxley? Cyber Security?

Other than being difficult to pronounce, there might be some confusion about what this Act has to do with cyber security. When Senator Paul Sarbanes and Representative Mike Oxley proposed the bill, the world was still in the midst of becoming acquainted with the digital world. Although cyber security was an issue, it was not as prevalent as it is today. That is why, back in April of 2016, Representative Jim McDermott proposed a bill to amend SOX.

For example, let’s take a look at the original Section 302 of SOX. It states that the CEO and CFO of a company must certify that reports are correct, and hence places the final responsibility for the report on the highest executives of a company. It signifies the critical nature of financial reporting. The changes that Rep. McDermott has proposed would bring cyber security systems into the Act: they would extend Section 302 to the company’s CSO or CTO, and would add information systems and cyber security systems as requirements for financial statements.

Rep. McDermott has proposed other amendments as well, clarifying the sections of the Act and adding cyber-security-focused language to them.

The Need in Government

This makes perfect sense, as any information or data under review could have been manipulated through a cyber attack or data breach. In this digital age, would you trust a database that hasn’t been encrypted? Or a company that doesn’t utilize a web application firewall? Not likely, because we take it as a given that companies will secure our information. However, what we take as a given in everyday society is slower to find its way into legislation.

It’s only been recently that more representatives and senators are starting to think that cyber security measures might be a good idea. Take for instance the recent political debacle within the presidential election regarding issues of hacking. Whether it’s left, right, Europe or North America – we’ve all started to see arguments here and there and true vulnerabilities within the government sector.

What’s Next For SOX?

So what now? The unfortunate reality is that this particular bill is probably not going to pass. Perhaps there isn’t enough tangible urgency that representatives or senators may see. However, there are tangible steps that you can take.

First, talk to your local representative or senator. Vocalize the need for cyber security to be implemented into the legislation of whatever country you live in. After all, because of the funnel system, to get your voice heard you have to go to the step right above you.

Second, push corporations directly to follow cyber security standards, even without legislation requiring it. If enough corporations implemented proper internal controls within their enterprises, it would be less of a hassle in terms of lobbying and pushing bills to get these changes implemented. Even the smallest company can start with a WAF or utilize encryption for its databases.

Unfortunately, legal compliance sometimes comes only after the majority has already started to accept certain necessary practices – and it might be that way for cyber security. Although I sure hope I’m wrong, the best bet you can make is to secure it for yourself.


Cybersecurity Systems and Risks Reporting Act, H.R. 5069, 114th Cong. (2016).

Hamilton, J., & Trautmann, T. (2002). Sarbanes-Oxley Act of 2002: Law and explanation: As signed by President George W. Bush on July 30, 2002. Chicago: CCH.