Whether you’re five years old or have kids that are too old to trick-or-treat, you’ve probably heard about poisoned Halloween candy. Maybe you were told that people put razor blades in apples, or maybe it was cyanide-laced Jolly Ranchers, but no matter what you were told, you’ve probably completely unwrapped a few pieces of Halloween candy before eating them. What does poisoned Halloween candy have to do with cybersecurity, you ask? We’re getting there. Back in the 1970s, Ronald Clark O’Bryan was convicted of giving his son cyanide-laced Pixy Stix on Halloween. His motive was to kill his son and collect on a large life insurance policy he’d taken out on him, but ever since, generations of people have thought there is a chance that they’ll get poisoned candy while trick-or-treating.
Because all it takes is one person to ruin something great for everyone else. For example, you can thank the guys over at Enron for the Sarbanes-Oxley Act (SOX).
We all know that Enron hid financial information, which led to investors losing billions of dollars when the company collapsed, but what some people don’t know is that SOX is the legislation that was signed into law to make sure it would never happen again. Under SOX, all publicly traded companies must have a financial reporting framework that produces accurate reports, which are read and approved by the company’s executives and cannot be altered along the way.
That’s the meat of the law, but there are two sections that apply specifically to cybersecurity. Section 404 of SOX requires companies to include in their reports how they protect financial information, and how well they protect it. For example, under SOX a company must have internal controls (cybersecurity measures) that can be audited against control frameworks such as COBIT. The other section that concerns cybersecurity is Section 302, which places the responsibility for protecting sensitive information directly on the executives of a company. Not only do executives have to review SOX reports and sign off on them as factually sound, but Section 302 also says that the “signing officers” are responsible for establishing the internal controls, for making sure that those operating the internal controls can report information up to them, for stating their own conclusion about the effectiveness of the internal controls, and for ensuring that all deficiencies within the internal controls have been identified and presented to the auditor.
Basically, SOX makes sure that no executive can ever mislead anyone about the internal workings of a company again, including its cybersecurity.
And SOX is just as hard to follow as it is to understand, not to mention expensive. In 2008 the SEC estimated that it costs the average company $2.3 million annually in compliance costs, and that’s not including the fines for not being SOX compliant. If a corporate officer submits inaccurate information, they could face a fine of $1 million and 10 years in prison, and that’s if they do so by mistake. If found to have purposefully submitted false information, a corporate officer could face fines of up to $5 million and a 20-year prison sentence.
Does all this regulation and penalty seem unnecessary to you? At one time it was, but then a couple of idiots ruined it for everyone and now we’re all dealing with the consequences. Until we can completely trust CEOs, SOX will be here to make sure no one plays by their own rules, no matter how hard it is on honest people. If you’re dancing around being SOX compliant, don’t. Either read every last line of the law twice or hire a professional who has, and make sure you never find yourself on the wrong side of SOX.