Sen. Paul Sarbanes (D-Md.) built a reputation as a lawmaker with a low profile and a high impact. His recent passing has brought one of his signature pieces of legislation back into the spotlight. The Sarbanes-Oxley Act of 2002 instituted protections to promote the stability of the national financial system. As the digital era reshapes the economy, we can honor Sen. Sarbanes’ work and legacy by ensuring that the Act continues to serve the same ends he envisioned nearly 20 years ago — promoting American prosperity through responsible corporate governance.
As recent news of a wide-scale hack via a product used by thousands of businesses reminds us, the risks to corporations are vastly different than they were when Sen. Sarbanes was writing his bill. The impact of the SolarWinds breach, and the growing list of companies and organizations affected, shines a clear light on the acute importance of building a better cyber defense. Cyber attacks are now ubiquitous, and no company is safe. Although businesses have increased their investment in cybersecurity, many CEOs and Boards still feel unprepared for the evolving and aggressive tactics employed by threat actors perpetrating this malicious activity. From retail to finance, hackers have exfiltrated hundreds of millions of business records and personal information. Companies such as Yahoo, Marriott International, eBay, Equifax, and Target have all been victims. The increasing frequency, scale, and consequences of these attacks have elevated and broadened the risks corporations face.
Not only do major cyber attacks harm companies, but they also negatively impact investors, markets, rank-and-file employees, and consumers. Yet, these groups are often unable to accurately evaluate their risk exposure because businesses may significantly underreport or delay their reporting of serious cybersecurity problems. Further, some companies may not even have the measures in place to know when a breach has occurred. Among those that do have the capacity to detect a breach, concerns of reputation, cost, or employee morale may dissuade them from sharing information pertinent to investors’ risk calculations.
The Sarbanes-Oxley Act (SOX) was intended to mitigate a very similar — albeit originally more analogue — set of problems by protecting investors against the risk of inaccurate corporate reporting. By increasing transparency and bolstering fail-safes, the bill protects against risks such as Enron’s severe accounting fraud that caused a billion-dollar loss of investments. SOX, enforced by the Securities and Exchange Commission (SEC), mandates that companies faithfully represent their business operations through financial reporting validated by third party audits. This law heralded a new era of corporate accountability, in which fraud became more readily identified and disclosed. But the SOX Act authors did not anticipate the hyper-connected realities of today. To try and address the interconnectivity of modern business, the SEC issued official guidance in 2018 stating unequivocally that cybersecurity risk is material to a company’s financial condition and business operations, cementing the fact that cybersecurity is inextricable from a company’s ability to manage its financial controls.
The SEC’s update to the guidance makes sense. Cybersecurity is a growing necessity that can mean the success or failure of a business. Companies cannot afford to ignore the cyber component of their responsibility. This is why the congressionally-mandated Cyberspace Solarium Commission (CSC) has recommended Congress update the SOX Act to reflect this new digital landscape and codify the 2018 SEC guidance. Specifically, the Commission calls for Congress to harmonize and clarify cybersecurity oversight and reporting requirements for publicly traded companies. By ensuring that senior corporate officers are considering the risks to cybersecurity alongside existing requirements for financial reporting, this cyber updating should also encourage more cyber expertise in corporate leadership.
The security of the financial system requires both long- and short-term tools to mitigate cyber risks. While congressional action runs its course, the SEC should operate in parallel to make cybersecurity a critical component of risk management. For this reason, the Commission has written a letter to the SEC outlining a list of steps they should follow to ensure companies are taking their security responsibilities seriously. While the 2018 SEC guidance is a good foundation, it must be enforced and built upon. The SEC should issue guidance clearly stating that cyber threats pose a risk to a company’s internal control over financial reporting (ICFR). Moreover, the SEC should set guidelines for how companies measure and monitor cybersecurity risks. These measurements will validate the effectiveness and accuracy of their ICFR in the annual assessments. In order to ensure they are meeting SEC cybersecurity guidelines, companies should conduct penetration testing on their networks and systems.
These two recommended improvements — updates to SOX legislation and new SEC guidance on compliance — will address many of the situations in which companies do not currently implement effective cybersecurity measures. By broadening reporting requirements to increase corporate transparency in cyber risk accounting, the late Sen. Sarbanes’ work will remain relevant to the future of finance, ensuring that more breaches will be detected and reported. As the fallout of the current SolarWinds cybersecurity crisis shows, risks to businesses — and even national security — have changed dramatically in recent decades. Legislation and enforcement must change, too.
Fanning is CEO of the Southern Company. Spaulding is former CISA head, Ravich is chair of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. They serve as commissioners of the Cyberspace Solarium Commission, established by the 2019 National Defense Authorization Act to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.”