Are We Heading for a Cyber Sarbanes-Oxley?

If you regularly track emerging stories about the effect that cybersecurity breaches are having on our economy, you may have missed this quote. Don’t worry, it hasn’t been said in public – yet.

The quote is in fact from Senator Paul Sarbanes during the time he co-sponsored a bill that became the Sarbanes Oxley Act of 2002. He was describing the impact of highly publicized financial fraud committed by executives at companies like Enron and Worldcom, but it’s not much of a stretch to envision a similar statement emerging to describe the economic consequences of cyber breaches.

Comparing the emerging field of cybergovernance with the historical progression of what is now a $5 billion Sarbanes-Oxley market produces a striking image:

In every aspect, cybergovernance appears to be tracking the path that “Hurricane SOX” has followed over the past 15 years:

Instigation. The number of highly publicized cyber breaches at JPMorgan Chase, Target, Home Depot, and others has exceeded the number of fraud events that led to the passage of Sarbanes-Oxley.

Motivation. The goal of the 2002 legislation was to recover and maintain the public and investor confidence lost after the revelations of lax financial controls at high profile public companies. We are currently threatened with a similar loss of confidence in company valuations as cyber breaches expose the massive negligence of public and private enterprises.

Challenge. The challenge in 2002 was to legislate new rules that would ultimately mitigate perceived and real financial risk by mandating accurate reporting. Board members surveyed by NYSE expect increases in cybersecurity regulation as public awareness of the impact of breaches grows.

Solution. The answer to financial fraud was stricter laws governing the management of and reporting by corporate financial systems. We appear to be headed toward stricter and more explicit legislation that will direct how companies and their boards mitigate cyber risk.

Driver. In 2002, the Senate Banking Committee led in investigating financial fraud and in devising corrective legislation. Current initiatives supporting stronger cybersecurity measures are spread across several agencies and groups, including the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), Federal Financial Institutions Examination Council’s (FFIEC), and the Consumer Financial Protection Bureau (CFPB).

Outcome. The outcome of extensive financial fraud was passage of the SOX legislation. As the frequency and destruction of cyber breaches continues to grow, it seems increasingly likely that significant regulatory action to mitigate cyber risk is imminent, and moves to significantly elevate the urgency of improving cyber maturity in all organizations will be driven by boards and management.

What actions should prudent directors and management take today to prepare? We mentioned several in an earlier post that are worth repeating here:

1. Realize that cybersecurity is not just IT’s problem – it’s everyone’s responsibility, and the board should lead the way.
2. Focus on defense before threats. Mitigating risk through internal changes that the organization can control is the best place to make rapid initial progress.
3. Work from a foundation of standards created by experts. Compare your organization to the NIST Cybersecurity Framework and other industry-specific models (e.g., HIPAA, ISO, FFIEC).