November 9, 2022
SOX Compliance and Data Privacy: What Companies Need to Know
The Sarbanes-Oxley Act (SOX) was passed by the United States Congress in 2002 to protect the public from fraud by business entities such as corporations. The purpose of this act is to increase transparency in financial reporting with a formal system of checks and balances. SOX brings a legal obligation to what was already good business practice.
Financial security controls implemented for SOX compliance have a lot in common with the best practices for data protection, which helps prevent data theft. Prioritizing cybersecurity reduces the risk of data breaches, whether by insider theft or cyberattacks.
Which Companies Need SOX Compliance?
The Sarbanes-Oxley Act applies to all publicly traded companies in the United States. It also applies to publicly traded foreign companies or wholly-owned subsidiaries that do business in the United States. Tangentially, SOX also applies to auditors and accounting firms that audit SOX-regulated entities. Finally, any private company planning an IPO should be SOX compliant before going public.
Private organizations (including companies and nonprofits) are not required to be fully SOX compliant, though they may be affected in some cases. For example, the Sarbanes-Oxley Act contains language about penalizing any organization that knowingly falsifies or destroys financial data.
The requirement to retain some financial data can create problems. In many applications, best practices dictate that sensitive data be deleted when no longer needed: companies should retain only the minimum amount of sensitive data, and for the absolute minimum amount of time possible. However, data cannot be erased or destroyed if it is required to prove SOX compliance, which is where the tension occurs.
This may seem like a catch-22, but data privacy laws do account for instances when data retention is mandated by other reporting requirements. SOX does not normally contradict GDPR, CCPA, and other data privacy regulations, for example. All of these regulations exist to encourage greater accountability on the part of companies, and (despite potential challenges) policies are not drafted to create impossible situations.
Exceptions: When SOX and Data Privacy Regulations Collide
SOX typically applies to the company’s financial data, not to any individual’s personal data. However, there are areas where a company’s financial data overlaps slightly with an individual’s data. For example, companies have to retain customer invoices for five years, tax returns for seven years, and payroll records forever. This is financial data related to the company, but it is also likely to include sensitive information related to individuals.
Can Data Be Safe and Useful?
A data privacy strategy is tested in these kinds of situations, where data must be retained, but also kept completely secure. There are numerous steps to a comprehensive data protection solution. First, it is important to identify and locate all sensitive data throughout the entire enterprise. From there, a plan should be put in place for all sensitive data discovered.
At this point, it is crucial to understand the difference between data encryption, tokenization, and masking. Encryption is an excellent solution for data that will be stored for the long term. Tokenization is ideal for data that must be moved or migrated. Masking is a great way to protect sensitive data while preserving its utility. Depending on an organization’s specific needs, there are applications where all three techniques are useful (both in the context of SOX compliance as well as the broader data privacy strategy).
Benefits of SOX Compliance
Ensuring SOX compliance creates benefits that ripple across an entire organization. It leads to more consistent financial reporting, which appeals to shareholders. Beyond the benefits of superior financial reporting, compliance with SOX also reduces exposure to data breaches. Preventing cyberattacks helps reduce costs and protect the brand. Finally, SOX compliance makes it easier to navigate an audit and avoid penalties.
Penalties of SOX Non-Compliance
The penalties for SOX non-compliance can be severe, and may occur in a number of categories. There may be fines, invalidation of directors and officers (D&O) liability insurance, and removal from public stock exchanges. Individual executives, especially CEOs and CFOs or any others who intentionally submit incorrect information during a SOX audit, may be faced with millions of dollars of fines and lengthy prison sentences.
Preparing for a SOX Compliance Audit
As with any other type of audit, the best way to prepare is to stay prepared. In the case of SOX compliance, that means conducting a thorough discovery of all sensitive data, then protecting that data appropriately. When a company is audited for SOX compliance, it must prove it is using the relevant controls to ensure appropriate data protection and accurate financial reporting.
Key SOX Compliance Requirements
There should be no need to scramble to prepare for an audit, because the strategy should already be established and maintained. That said, there are six especially important areas to consider before a looming SOX compliance audit:
- Section 302 – Corporate Responsibility for Financial Reports – This section states that the CEO and CFO are responsible for the accuracy, documentation, and submission of financial reports and the internal control structure to the SEC. These two executives must also establish and maintain SOX controls and validate their internal controls during the 90 days prior to their report.
- Section 404 – Management Assessment of Internal Controls – This is considered to be among the most complicated parts of SOX compliance, and is therefore among the most expensive. All annual financial reports must include an Internal Control Report confirming that management is responsible for an adequate internal control structure, and must include management’s assessment of the effectiveness of their own control structure. This report must include any shortcomings, and the accuracy of the report must be validated by an independent auditor.
- Section 409 – Real-Time Issuer Disclosures – Companies must immediately disclose any material changes in operations or financial condition, in order to protect investors and the general public.
- Section 802 – Criminal Penalties for Altering Documents – Unsurprisingly, it is illegal to tamper with investigations in any way. There are penalties for any employees, accountants, or auditors who willfully violate normal procedures to influence investigations.
- Section 806 – Employees who disclose corporate fraud are protected. Any retaliation over whistleblower complaints can lead to criminal charges.
- Section 906 – Certifying a fraudulent or otherwise misleading financial report can carry a criminal penalty of upwards of $5 million in fines and 20 years in prison.
The commonality between these six sections is that honesty and transparency are of utmost importance for SOX compliance. When a company has a robust security strategy and other necessary controls in place, the only thing to do for a SOX audit is to let the auditors do their jobs while you accurately report the appropriate information. The focus should be on maintaining SOX compliance at all times, rather than preparing for an upcoming or potential audit.
Data Protection for SOX Compliance and Beyond
The same capabilities a SOX auditor will look into are part of a good data protection plan anyway. Areas to consider include, but are not limited to, the following:
- Access – Is there a least-privilege access model in place, such that every user has the minimum access required to do their job? Access should be controlled with physical controls (such as doors, badges, locking file storage) as well as technological controls (login policies, permission audits, and least-privilege access).
- Change Management – Are there defined processes to install new software, add new users, modify databases, or change applications that relate to finance?
- Data Backup – Are all financial records backed up off-site in a SOX-compliant manner?
- Security – Can you demonstrate that you are protected against data breaches?
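A permission audit of the kind the Access item asks for is mechanical once the role baseline and the actual grants are exported. The Go program below is an added example, not code from the article or from any product: it compares each user's granted entitlements against a per-role baseline and reports three classes of exception that a least-privilege review would hand to a reviewer, namely grants outside the role's baseline, roles with no defined baseline, and accounts idle beyond a login-policy threshold. The role names, entitlement strings, users and dates are constructed sample data, and the 90-day idle threshold is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// User is one row of an access export: the role assigned to the person and the
// entitlements the identity system actually grants (constructed sample shape).
type User struct {
	Name      string
	Role      string
	Perms     []string
	LastLogin time.Time
}

// Finding is one audit exception for a reviewer to resolve.
type Finding struct {
	User   string
	Reason string
}

// AuditAccess compares granted entitlements with the role baseline and flags
// grants outside it, unknown roles, and accounts idle longer than maxIdle.
func AuditAccess(baseline map[string][]string, users []User, now time.Time, maxIdle time.Duration) []Finding {
	var findings []Finding
	for _, u := range users {
		allowed, known := baseline[u.Role]
		if !known {
			findings = append(findings, Finding{u.Name, "role " + u.Role + " has no baseline"})
			continue
		}
		permitted := make(map[string]bool, len(allowed))
		for _, p := range allowed {
			permitted[p] = true
		}
		for _, p := range u.Perms {
			if !permitted[p] {
				findings = append(findings, Finding{u.Name, "excess entitlement " + p})
			}
		}
		if idle := now.Sub(u.LastLogin); idle > maxIdle {
			findings = append(findings, Finding{u.Name, fmt.Sprintf("no login for %d days", int(idle.Hours()/24))})
		}
	}
	// Deterministic order so the report can be diffed between audit runs.
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].User != findings[j].User {
			return findings[i].User < findings[j].User
		}
		return findings[i].Reason < findings[j].Reason
	})
	return findings
}

// SampleData is constructed for the example; real input comes from IdP and finance-system exports.
func SampleData() (map[string][]string, []User, time.Time) {
	now := time.Date(2022, 11, 9, 0, 0, 0, 0, time.UTC)
	baseline := map[string][]string{
		"ap-clerk": {"invoices:read", "invoices:write"},
		"auditor":  {"invoices:read", "ledger:read", "payroll:read"},
		"payroll":  {"payroll:read", "payroll:write"},
	}
	users := []User{
		{"alice", "ap-clerk", []string{"invoices:read", "invoices:write"}, now.AddDate(0, 0, -2)},
		{"bob", "ap-clerk", []string{"invoices:read", "invoices:write", "ledger:write"}, now.AddDate(0, 0, -1)},
		{"carol", "auditor", []string{"invoices:read", "ledger:read", "payroll:read"}, now.AddDate(0, 0, -120)},
		{"dave", "contractor", []string{"payroll:read"}, now.AddDate(0, 0, -3)},
	}
	return baseline, users, now
}

func main() {
	baseline, users, now := SampleData()
	for _, f := range AuditAccess(baseline, users, now, 90*24*time.Hour) {
		fmt.Printf("%-6s %s\n", f.User, f.Reason)
	}
}
```

On the sample data the report lists bob's write access to the ledger (outside an AP clerk's baseline), carol's 120 idle days, and dave's undefined role. Keeping the baseline in version control and running the audit on a schedule turns the "permission audits" item into evidence that can be shown directly to an auditor.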
SOX provides organizations with a framework to help them manage their financial records. It is the legal minimum, however, and is not intended to be a full replacement for a thoughtful data protection plan. The Sarbanes-Oxley Act lays out measures every company must take, and it falls upon individual business leaders to take additional steps based on their specific situations.
Contact a cybersecurity partner to learn more about Data Governance, or schedule a demo to see specifically how a cybersecurity plan contributes to SOX compliance.