What is SOX Cybersecurity Compliance?
Published: 03.05.2025 | Updated: 03.06.2025

Traditional View of SOX

When the Sarbanes-Oxley (SOX) Act was first established, it was seen as a means to increase the accuracy and reliability of financial statements and to prevent financial reporting fraud by requiring effective internal controls over financial reporting (ICFR). In this traditional view, the emphasis of SOX compliance is on internal controls such as finance and accounting procedures, segregation of duties, financial data integrity, and the testing and documentation of those controls.

Origin of SOX

The SOX Act was introduced in response to major corporate financial scandals of the late 1990s and early 2000s that shook investor confidence. Notable cases include Enron, Tyco International, and WorldCom, where companies hid debts and manipulated financial reports. Exposed by employees, these scandals led to key SOX reforms, including whistleblower protection, SOX section 302 holding executives accountable for financial reporting, and SOX section 404 requiring effective internal controls.

Emerging Role of Cybersecurity in SOX

As digital transformation continues and internal controls increasingly depend on technology, cyber threats have shifted the SOX focus to cybersecurity risks that affect financial data and financial reporting. Phishing attacks, data breaches, and ransomware incidents can lead to manipulation of, or unauthorized access to, financial data, resulting in non-compliance and violations. According to Gartner’s 2023 Audit Plan Hot Spots Report, cyber threats, IT governance, and data governance are among the top risk areas, which reinforces the need to integrate cybersecurity into SOX compliance.

Regulatory Expansion and the Need for Integration

SOX compliance is continuously evolving toward stronger cybersecurity governance. Regulatory authorities such as the SEC and PCAOB are expanding their SOX cybersecurity requirements to protect executives, auditors, and investors. Businesses must integrate cybersecurity measures to ensure the integrity of their financial reporting, and internal and external auditors now must assess cybersecurity risks as part of internal controls over financial reporting.

New SEC 2023 Cybersecurity Disclosure Requirements

Building on its 2011 and 2018 guidance, the SEC updated its cybersecurity rules in 2023 to further increase accountability and transparency in the disclosure of cybersecurity risk under the Sarbanes-Oxley Act. This has improved investors’ understanding of how publicly traded companies manage and respond to cybersecurity threats.

Significant cybersecurity incidents that affect financial reporting and operations, as well as the processes used to identify and prevent cyber threats, must be disclosed in annual reports, including executive accountability and board-level oversight. This gives insight into a company’s cybersecurity governance strategy.

What Is SOX Cybersecurity Compliance?

Sarbanes-Oxley cybersecurity compliance refers to implementing strong internal IT security controls in financial reporting systems and applications and ensuring they are managed effectively in compliance with the Sarbanes-Oxley Act.

Below are some key points to consider:

  • Implement strong internal controls to protect financial data from modification, destruction, or unauthorized access.
  • Use secure access controls, monitor access to sensitive financial data, and encrypt it wherever possible.
  • Enable timely public disclosure of cybersecurity breaches that materially impact financial data, maintain incident response plans for late-discovered findings, and prepare for the annual report filing.
  • As the SEC requires, disclose cybersecurity risk management practices, cybersecurity incidents, strategies, and the overall cybersecurity governance framework.
  • Regularly test internal controls as part of risk assessment, and adjust controls as needed.
  • Financial audit teams and IT departments should collaborate to ensure effective cybersecurity and compliance controls.
  • The primary goal should be to protect the availability, integrity, and confidentiality of financial information.

Importance of Proactive SOX Cybersecurity Implementation

As cybersecurity threats continue to evolve, organizations must take a proactive approach to the expanded SOX compliance requirements by integrating cybersecurity into their internal control frameworks.

Regulatory Expansion

The SEC and other regulatory bodies are expanding their requirements for cybersecurity controls over financial reporting, leading to stricter expectations. Proactively enhancing internal controls allows organizations to stay one step ahead of updated regulations, decreasing the risk of non-compliance and potential penalties.

Competitive Advantage

An organization that implements strong cybersecurity controls and risk management strategies is less likely to experience data loss or downtime than a company that does not. By disclosing cybersecurity programs to the public, organizations can also gain a competitive advantage in financial markets, increasing their brand reputation, stakeholder trust, and customer confidence.

Investor Confidence

With the increasing risk of cybersecurity threats, investors are more concerned about their potential impact on financial reporting. An organization’s proactive approach to SOX cybersecurity governance shows commitment to risk management, which can attract new investment and demonstrates that the organization is prepared to manage cyber threats and protect its stakeholders’ value.

SOX Cybersecurity Requirements

Protecting Financial Data

SOX cyber security compliance requires companies to protect their financial data by implementing secure access controls, such as multifactor authentication (MFA) and identity management systems, implementing encryption wherever possible, and conducting regular security audits to detect and prevent unauthorized access to critical financial data.

Ensuring Data Integrity

Data integrity and accuracy can be ensured using established methods such as version control systems and data validation techniques such as checksums. By implementing proper audit trails in financial systems, changes can be tracked and discrepancies identified.
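The audit-trail and checksum idea above, as an added example that is not part of the original article: each change to a financial record is appended to a hash-chained log, so an in-place edit, a deleted entry, or a reordered entry is detected at a specific position when the chain is verified. The record identifiers and field names are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Added example (not from the article): a tamper-evident audit trail for a
# financial ledger. Each entry hashes its own content together with the
# previous entry's hash, so altering history breaks the chain verifiably.

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class AuditEntry:
    seq: int
    actor: str
    record_id: str
    field: str
    old_value: str
    new_value: str
    prev_hash: str
    entry_hash: str = ""


def _digest(entry: AuditEntry) -> str:
    """SHA-256 over a canonical JSON form of the entry, excluding its own hash."""
    body = asdict(entry)
    body.pop("entry_hash")
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def append_change(trail: List[AuditEntry], actor: str, record_id: str,
                  field: str, old: str, new: str) -> AuditEntry:
    """Record one field change, chaining it to the last entry's hash."""
    prev = trail[-1].entry_hash if trail else GENESIS
    entry = AuditEntry(len(trail), actor, record_id, field, old, new, prev)
    entry.entry_hash = _digest(entry)
    trail.append(entry)
    return entry


def verify_trail(trail: List[AuditEntry]) -> Optional[int]:
    """Return None if the trail is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(trail):
        if e.seq != i or e.prev_hash != prev or e.entry_hash != _digest(e):
            return i
        prev = e.entry_hash
    return None


def demo() -> Optional[int]:
    # Constructed sample changes to hypothetical journal entries
    trail: List[AuditEntry] = []
    append_change(trail, "jsmith", "JE-1001", "amount", "0.00", "12500.00")
    append_change(trail, "jsmith", "JE-1001", "status", "draft", "posted")
    append_change(trail, "mlee", "JE-1002", "amount", "0.00", "830.00")
    assert verify_trail(trail) is None
    # A posted amount is edited in place without a new audit entry
    trail[0].new_value = "125000.00"
    return verify_trail(trail)  # 0: the first entry no longer matches its hash
```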

Mitigating Risk of Non-Compliance

Organizations must adopt a proactive cybersecurity approach by implementing continuous IT systems monitoring, conducting regular assessments to detect vulnerabilities, and implementing concrete incident response plans to minimize disruptions and maintain business continuity.

Four Steps to Incorporate Cybersecurity Requirements into SOX Compliance

Step 1: Perform a Cyber SOX Risk Assessment

Integrating cybersecurity risk assessment into your internal IT controls is the beginning of SOX cybersecurity compliance. The complexity of this assessment depends on an organization’s size, risk profile, and industry regulations.

Key points to consider are as follows:

  • Assessment of the cyber risks impacting financial reporting.
  • Integration of cyber risks into the existing risk assessment processes.
  • Implementation of broader cybersecurity measures by going beyond conventional financial materiality.
  • Establishing collaboration between executives, the IT team, the audit team, and the board.
  • Defining explicit criteria for what constitutes a material cybersecurity risk.
  • Building a cybersecurity risk management program using known and recommended SOX internal control frameworks, such as NIST or COSO.
  • Establishing and maintaining clear and thorough documentation of those risk assessments, which can serve as a defense in regulatory enforcement actions.

Step 2: Identify Disclosure Controls and Policies

Organizations must ensure they have clear controls and policies in place to detect and disclose cybersecurity incidents that may trigger the SOX security disclosure requirements. This is essential for filing timely disclosures in current and periodic reports under the SEC’s most recent regulations, established in 2023. Companies must establish this process with cross-functional teams drawn from IT, Legal, Compliance, and Audit.

Disclosure of Cybersecurity Incidents on Current Reports

Current reports should contain:

  • The date of incident discovery and its status,
  • A brief description of the nature and scope of the incident,
  • Its impact on the security of data or financial reports, including alteration, theft, and unauthorized access,
  • Its effect on the operations and financial position of the company, and
  • Any remediation plan if the incident is not yet resolved.

Disclosures about Cybersecurity Incidents in Periodic Reports

Periodic reports such as Form 10-Q and Form 10-K filed with the SEC must disclose the material effect of the incident on financial operations, which includes:

  • Any future impact on the performance of the company,
  • Any steps taken to resolve the incident and improve cybersecurity,
  • Any procedural and policy changes made following the breach.

Disclosure of a Company’s Risk Management, Strategy, and Governance towards Cybersecurity Risks

Organizations must establish and disclose cybersecurity risk assessment programs comprising risk management, strategy, and cybersecurity governance. The program should include conducting internal and external security audits to assess cybersecurity risks. It should also include threat detection, prevention, mitigation strategies, and recovery plans for cybersecurity incidents to ensure business operations continuity.

Third-party vendors and service providers pose significant additional cybersecurity risk. Protocols should be implemented for assessing, managing, and monitoring them to avoid security risks, for example through thorough due diligence and contractual agreements.

Step 3: Implement Cybersecurity Controls Using a Reliable Framework

Company management should implement strong IT security controls to address and resolve cyber risks impacting financial data proactively. To align with SOX cybersecurity compliance requirements of internal control over financial reporting (ICFR), companies can use known cybersecurity frameworks such as the NIST cybersecurity framework (CSF) and the best practices for information security management systems (ISMS) by ISO 27001. Control owners should be trained to identify and report failures in security controls that pose risks.

Step 4: Monitor and Test the Controls

Ongoing monitoring and testing of internal cybersecurity controls and their effectiveness enables companies to ensure compliance with SOX cybersecurity requirements. Companies must conduct periodic assessments, attestations, and certifications to prove that controls work as intended. Involving audit teams in evaluations can improve the process and help identify areas for improvement.

Comprehensive documentation is an integral part of cybersecurity controls and risk assessment strategies, which are designed to comply with SEC and PCAOB regulatory requirements and promote transparency for investors. Reviewing that controls documentation also prepares organizations for the increased scrutiny their disclosures will receive.


Learning from Recent Cybersecurity Incidents

Recent cybersecurity breaches provide critical lessons for companies on integrating cybersecurity controls into their SOX compliance. Examining these cases helps organizations understand real-world vulnerabilities and consequences. It highlights the importance of adequate internal controls, proactive risk management, and timely disclosure of incidents and mitigation plans.

Real World Examples of Cybersecurity Breaches

Many breaches have affected SOX compliance by exposing poor cybersecurity risk controls; the prime examples are:

  • The Equifax data breach in 2017, which resulted in fines of up to $700 million by the SEC,
  • The SolarWinds supply chain attack in 2020, which resulted in four companies being fined up to $7 million for not disclosing the incident in their financial reports,
  • Uber’s data breach incident in 2022, which resulted in their CSO being sentenced to three years in prison and fined up to $50,000 by the US Federal Trade Commission. The EU also fined Uber $324 million for GDPR violations.

The biggest of them all, in fact the biggest in the history of cybersecurity, was the CrowdStrike software update incident in July 2024. It affected around 8.5 million computers worldwide and caused an estimated loss of $5.4 billion. It surpassed the Y2K bug incident at the turn of the 2000s, which occurred before SOX was established.

The CrowdStrike incident has led the SEC to revise its regulations again. The rules require publicly traded companies to identify whether such incidents have affected them and to disclose them in their periodic reports (Form 10-Q and Form 10-K) and current reports (Item 1.05 of Form 8-K).

These examples highlight the importance of monitoring and testing internal controls for cybersecurity. Implications, fines, and penalties for the CrowdStrike incident are yet to be determined, as it is so recent.

Potential Pitfalls Leading to Cybersecurity Breaches

Analyzing cybersecurity threats brings out common pitfalls into the open, such as:

  • Insufficient threat assessments,
  • Lack of incident response plans,
  • Lack of cybersecurity awareness by employees,
  • Poor assessment and management of third-party vendors and services,
  • Insufficient documentation, logging, and monitoring.

Learning from these pitfalls, organizations can adopt the best practices by:

  • Implementing effective security measures using renowned frameworks like NIST CSF, ISO 27001, or COSO,
  • Implementing regular penetration testing and threat assessments,
  • Implementing incident response plans,
  • Training employees in cybersecurity,
  • Implementing third-party risk management,
  • Adopting comprehensive logging and monitoring practices.

Learning from others’ mistakes decreases the chances of making the same mistakes.

Best Practices for Managing SOX Cybersecurity Compliance

Managing SOX cybersecurity compliance effectively requires a structured risk-based approach, implementing standard controls, strategic policies, and advanced technology solutions.

Companies can ensure compliance by following the below best practices:

Common Controls Framework

Depending on their industry and profile, companies may have to comply with many regulatory requirements, including GDPR, PCI DSS, ISO 27001, and NIST; SOX is just one of them.

Organizations can implement a common controls framework (CCF) to avoid duplicated effort across several compliance programs. A CCF reduces overlapping controls; simplifies risk management, financial reporting, security controls, and IT governance; and ensures consistent security processes for internal operations and external third-party vendors.

Strategic Approach

A strategic risk-based approach ensures that internal controls related to cybersecurity are aligned with SOX materiality requirements and improve the integrity of financial reporting. Focus on the most critical risks affecting regulatory compliance, adopting known frameworks like NIST CSF and COSO ICIF for the design of controls and risk mitigation. Implementing continuous monitoring and testing of controls for effectiveness and engaging cross-departmental approaches can help organizations achieve cybersecurity compliance.

Leveraging Technology

Technology plays a vital role in increasing cybersecurity compliance. Companies can benefit from automating and streamlining internal controls, reducing manual efforts and time consumed in control testing, reporting, and documentation.

Implementing third-party governance, risk, and compliance solutions like Pathlock can provide real-time information on cybersecurity risks affecting financial reporting. Pathlock helps organizations with efficient financial account mapping and materiality assessments by quickly assessing control gaps and financial exposure, along with improved visibility and quick detection of incidents to define an immediate mitigation strategy.

Best Practices to Address SOX Cybersecurity Requirements

As SOX compliance and cybersecurity become increasingly intertwined, experts advise the following strategies for financial security.

Use of Identity Governance and Administration (IGA) Tools for Automation

SOX cybersecurity compliance mandates regular user access reviews and restricted access to financial systems. Manual reviews are time-consuming and error-prone. Using IGA tools such as Pathlock, you can set up automatic provisioning and role-based access control (RBAC) and ensure that newly provisioned users are placed in their intended roles. These roles can later be used for user access reviews. Automated de-provisioning ensures that terminated users are also removed from the roles they belong to, preventing access violations. Third-party tools can also provide comprehensive reporting and audit logs to track compliance-related access risks.
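The access review and de-provisioning checks described above, as an added example that is neither the article's nor Pathlock's code: it runs a review over constructed HR and role data, flagging terminated or unknown users who still hold roles in a financial system and users whose combined roles break a segregation-of-duties rule (the SoD rules, role names and users are hypothetical), then shows de-provisioning clearing the orphaned access.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Added example (not the article's or Pathlock's code): a minimal user access
# review producing the two findings an IGA tool's automated de-provisioning
# and RBAC checks are meant to prevent.

# Hypothetical SoD rules: no single user may hold both roles of a pair
SOD_RULES: List[Tuple[str, str]] = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"),
    ("GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"),
]


@dataclass(frozen=True)
class Finding:
    kind: str    # "ORPHANED_ACCESS" or "SOD_CONFLICT"
    user: str
    detail: str


def review_access(hr_status: Dict[str, str],
                  role_members: Dict[str, Set[str]]) -> List[Finding]:
    """Compare role memberships against HR status and SoD rules."""
    findings: List[Finding] = []
    user_roles: Dict[str, Set[str]] = {}
    for role, members in role_members.items():       # invert role -> members
        for user in members:
            user_roles.setdefault(user, set()).add(role)
    for user, roles in sorted(user_roles.items()):
        status = hr_status.get(user, "unknown")      # missing in HR is a finding too
        if status != "active":
            findings.append(Finding("ORPHANED_ACCESS", user,
                                    f"status={status}; roles={sorted(roles)}"))
        for a, b in SOD_RULES:
            if a in roles and b in roles:
                findings.append(Finding("SOD_CONFLICT", user, f"{a} + {b}"))
    return findings


def deprovision(role_members: Dict[str, Set[str]], user: str) -> List[str]:
    """Remove a user from every role; return the roles that were removed."""
    removed = [r for r, members in role_members.items() if user in members]
    for role in removed:
        role_members[role].discard(user)
    return sorted(removed)


def sample_data() -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    # Constructed HR roster and role memberships for a hypothetical ERP
    hr_status = {"jsmith": "active", "mlee": "terminated", "rpatel": "active"}
    role_members = {
        "AP_CREATE_VENDOR": {"jsmith", "rpatel"},
        "AP_APPROVE_PAYMENT": {"rpatel"},          # rpatel: SoD conflict
        "GL_POST_JOURNAL": {"mlee", "tng"},         # mlee terminated, tng not in HR
    }
    return hr_status, role_members


if __name__ == "__main__":
    hr, roles = sample_data()
    for f in review_access(hr, roles):
        print(f.kind, f.user, f.detail)
    print("de-provisioned mlee from", deprovision(roles, "mlee"))
```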

Strong Password Management

SOX compliance mandates controlled access to financial information to prevent unauthorized modification and compromised access. Weak password management can lead to breaches and, in turn, SOX violations.

Organizations should employ complex password policies as per the best practices below:

  • Passwords of at least 12 to 20 characters, mixing upper case, lower case, symbols, and numbers.
  • Regular password updates, e.g., rotation every 60 to 90 days for high-risk accounts.
  • Multi-factor authentication for all financial systems.
  • Where possible, password management tools to generate and store strong passwords.
  • Passphrases, which are longer than regular passwords but easier to remember, should be encouraged.

Implement Zero Trust Architecture (ZTA) for Financial Data Access

Traditional security models assume that internal users are trustworthy; SOX compliance requirements reject that assumption. Zero Trust requires that every user, device, and application be continuously authenticated and authorized. This can be done by implementing multi-factor authentication, a least-privilege access model, and continuous monitoring of user behavior for suspicious activity.

Implementing Data Loss Prevention (DLP) Solutions for Financial Information

The primary requirements of SOX compliance are data confidentiality and integrity for financial information, and DLP solutions prevent malicious or accidental data leaks. Implement known data loss prevention solutions, e.g., Microsoft Purview, Symantec DLP, or Forcepoint DLP, to monitor and block unauthorized financial data sharing and configure content inspection policies to detect sensitive financial data. These DLP solutions could be SaaS-based or integrated with cloud security services for on-premises or cloud-based SaaS applications.

Conduct Team Exercises (Red, Blue, Purple) Focused on Financial Systems

Attackers love to target financial systems as they have high value in any organization.

Conducting regular or annual penetration tests focused on access controls, databases, or financial reporting systems is the best practice to prepare organizations for strong incident detection and response plans.

Red team penetration exercises simulate real-world cyberattacks to identify weaknesses before attackers can exploit them. Examples of red team exercises include phishing attacks, exfiltration of sensitive data, physical breaches, social engineering attacks, tailgating attacks, lock-picking attacks, and cloning RFID passes.

Blue team exercises involve defenders improving security based on the penetration results of the red team.

Purple team exercises can be conducted using both red and blue teams together to simulate attack scenarios and identify improvements and gaps in an organization’s security strategy.

Maintain a Comprehensive Incident Documentation Process

SOX compliance requires auditors to assess detailed records of cybersecurity incidents, responses, and remediation plans, and proper documentation simplifies that assessment. Organizations can analyze and log security incidents using Security Information and Event Management (SIEM) tools, e.g., Splunk, Microsoft Sentinel, or LogRhythm SIEM, recording the nature, date, and time of the incident, the financial data at risk, the systems affected, the steps taken to resolve the issue, and future preventive measures.

Conclusion

The SOX compliance landscape is shifting beyond traditional financial controls, making cybersecurity compliance not optional but required by the SOX Act to protect financial data. Organizations should take a proactive approach by integrating cybersecurity into their internal controls for risk management, aligned with the best practices of industry frameworks such as NIST, COSO, or ISO 27001. The disclosure of cybersecurity controls is also part of the Securities and Exchange Commission’s most recent changes in 2023, which increase accountability and transparency regarding cyber risks. Organizations must perform cybersecurity risk assessments, establish strong cybersecurity policies and disclosure controls, and continuously monitor and test those controls’ effectiveness to improve their security practices.