As published in the Privacy & Security Law Report © 2005 The Bureau of National Affairs, Inc. All Rights Reserved.

Introduction

"The cybersecurity of large enterprises can be improved through strong management to ensure that best practices and efficient technology are being employed." - National Strategy to Secure Cyberspace, p. 54 (February 2003)

In response to the accounting scandals that occurred in the early 2000s, Congress passed the Sarbanes-Oxley Act of 2002 (the "Act" or "SOX"). The law seeks to "protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws."1 In order to achieve accuracy in the reporting of information by public companies, SOX mandates that companies employ systems capable of being objectively measured, including the provision of adequate internal controls over information within those companies.

Although never explicitly mentioned within SOX, many commentators believe that the system of internal controls contemplated by it necessarily includes an information security component. The logic is straightforward: if a company employs information technology in reporting its financial information, those information technology resources must contain accurate data in order for the financial reporting to be correct; accurate data can only be ensured through a system that provides confidentiality, integrity, and availability; therefore, a company must have appropriate information security controls in order to properly make assertions about its financial information.

To what extent companies will be explicitly required to implement information security under Sarbanes-Oxley remains to be seen. Until such a mandate does appear, however, companies should consider the potential threats that face their organization and the appropriate mechanisms to implement in addressing those threats.

The Development of Sarbanes-Oxley and Section 404

Corporate accounting scandals

Enron, WorldCom, Adelphia, Tyco, Rite Aid. These names often evoke images of shredded documents, "cooked books", and other improprieties. According to one commentator, "[t]hese scandals have caused a reconsideration of corporate governance and the role of enforcement agencies such as the SEC, eventually leading to the Sarbanes-Oxley bill of 2002, which is arguably the single most important piece of legislation affecting corporate governance, financial disclosure and the practice of public accounting since the U.S. securities laws of the early 1930s."2

In the 107th Congress, both the House and Senate commenced work on addressing the financial accounting crises that had begun appearing. The House introduced H.R. 3763 on February 14, 2002. Titled the "Corporate and Auditing Accountability, Responsibility, and Transparency Act of 2002," the original text focused reactively on the reporting of issues (such as disclosing off balance sheet transactions and loans to officers) and the role of, and activities engaged in by, a company’s outside auditors. Six days prior to enactment as Public Law 107-204, a conference report (H.Rpt. 107-610) revealed that a significant portion of the text of a different bill (H.R. 5070, introduced on July 9, 2002) had made its way into Sarbanes-Oxley, which contained all of the somewhat more proactive internal controls language that finally passed into law.

Sarbanes-Oxley changes

Enactment of Sarbanes-Oxley resulted in a number of changes. First, the Act created the Public Company Accounting Oversight Board (PCAOB or "Peek-a-boo"). In testimony before the Senate Committee on Banking, Housing and Urban Affairs in September of 2003, SEC Chairman William H. Donaldson stated that "we expect the PCAOB to continue to grow and to implement reforms that will restore investors' confidence in the audit process and in the integrity of the audited financial information that investors use every day to make investment and voting decisions."3

Second, in addition to the creation of the PCAOB, the Act also addressed the notion of auditor independence, by prohibiting audit firms from providing contemporaneous audit and non-audit services in a number of different areas (including, relevant to information security, the non-audit services of "financial information systems design and implementation.")4 The Act also requires company audit committee approval of any audit or non-audit services to be provided by an auditor, except in certain de minimis situations. From an auditor independence perspective, the Act further mandates such things as audit partner rotations, auditor reports to the company audit committees, and prevention of conflicts of interest.

A third broad category of changes that resulted from the Act involves corporate responsibility. The primary area of corporate responsibility is the requirement for companies to establish audit committees. Those audit committees have authority over all activities of the public accounting firms employed by that company.

Fourth, the Act requires enhanced financial disclosures. This includes a mandate that any financial report of a company properly reflects "all material correcting adjustments." This section includes many provisions focused on the types of transactions that led to the Act being passed (including, for example, off-balance sheet transactions, disclosures by directors, officers, and principal stockholders, and a prohibition of personal loans to executives). Most significantly, the enhanced financial disclosures section includes provisions directed to management assessment and implementation of internal controls.

Internal controls

Much scrutiny of Sarbanes-Oxley in the area of information security revolves around the internal controls discussed in Section 404 (and elsewhere in the Act). But what exactly comprises an "internal control"? In a Final Rule relating to internal controls promulgated in 2003, the SEC defined an internal control as a "process designed by, or under the supervision of, the registrant's principal executive and principal financial officers…to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements…in accordance with generally accepted accounting principles and includes those policies and procedures that:

  1. Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
  2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
  3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements."5

The SEC Final Rule noted that "internal control is a broad concept" and that the phrase "internal control over financial reporting" should be the focus of Section 404. The Final Rule further states that "the safeguarding of assets is one of the elements of internal control over financial reporting and it addresses the supplementation of the COSO Framework after it was originally promulgated."6 In defining the concept of safeguarding of assets, the SEC utilized a 1994 COSO addendum, which states that "[i]nternal control over safeguarding of assets against unauthorized acquisition, use or disposition is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the entity's assets that could have a material effect on the financial statements." Based on the above, companies should be aware of information security as a form of internal control over the safeguarding of assets.

In what other ways could Sarbanes-Oxley be viewed as requiring information security?

In addition to the specific reference to internal control over safeguarding of assets, some commentators have posited that a legal standard for information security is a developing trend within American jurisprudence.7 Although (as already mentioned above) Sarbanes-Oxley does not explicitly mention information security, several sections of the Act reinforce this perceived trend. For example:

Section 101. In Section 101, the description of the PCAOB board establishment states that it seeks "to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports" (emphasis added).8

The independent accounting function plays a role in producing such reports, so Section 103 of the Act requires "each registered public accounting firm" to "describe in each audit report the scope of the auditor’s testing of the internal control structure and procedures of the issuer."9 Such report must include an evaluation of whether the "internal control structures and procedures…include maintenance of records that…accurately and fairly reflect the transactions…of the issuer…[and] provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles."10

The Act amended Section 19 of the Securities Act of 1933 to allow the SEC to "recognize as ‘generally accepted’…any accounting principles established by a standard setting body…that…considers, in adopting accounting principles, the need to keep standards current in order to reflect changes in the business environment."11 This could certainly be seen as applying to information security standards applicable to the protection of a company’s assets.

Section 302. In section 302(a), which addresses corporate responsibility for financial reports, the requirement exists that company officers must certify that reports filed with the SEC do not "contain any untrue statement of a material fact" and that each report "fairly present[s] in all material respects the financial condition and results of operations of the issuer."12 Further, Section 302(a) requires certification by the officers that (a) they "are responsible for establishing and maintaining internal controls," (b) the internal controls allow material information to be made known to the officers, (c) they "have evaluated the effectiveness of the issuer’s internal controls," and (d) their report presents information about the effectiveness of the internal controls. In addition to this certification, Section 302(a) requires disclosure by the officers of "all significant deficiencies in the design or operation of internal controls" and identification of "any material weaknesses in internal controls" (emphasis added).13

Section 404. As discussed above, section 404 contains the crucial requirement that an internal control report be generated that "shall…state the responsibility of management for establishing and maintaining an adequate internal control structure, and…contain an assessment…of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."14 In addition to the report, section 404 also requires that the auditor "attest to, and report on, the assessment made by the management of the issuer."15

In light of the above discussion, deductive reasoning can be applied to the analysis of information security requirements under Sarbanes-Oxley. If the IT systems of a company cannot be relied upon as being accurate without those systems being secured against unauthorized access and impermissible modifications, then internal controls must include controls over the security of the IT systems. Therefore, appropriate information security protection would, arguably, be a necessary component of any system of internal controls. What constitutes appropriate information security measures, however, is a question that remains open. Though standards exist in the area of information security, no single standard has been determined to be applicable across all businesses. There are a number of standards or frameworks that can be analyzed in trying to determine an appropriate level of information security. Some of these standards include COSO, CoBIT, and ISO 17799.

COSO. The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, developed its framework in 1992. The COSO Framework states that internal controls include the control environment, risk assessment, control activities, information and communication, and monitoring. The SEC, in its Final Rule on Management’s Controls, recognized COSO in stating that "[t]he COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements." 16

CoBIT. The IT Governance Institute (ITGI) established another audit-based framework known as the Control Objectives for Information and related Technology (CoBIT). This framework was intended to be an interpretation of COSO from an IT perspective. CoBIT has been characterized as "a comprehensive approach for managing risk and control of information technology." CoBIT comprises four different domains, along with a number of audit-focused IT processes and related control objectives.

ISO 17799. From a more information security-centered perspective, the International Organization for Standardization (ISO) adopted ISO 17799, "Information technology - Code of practice for information security management", in 2000. The standard provides a framework that "provide[s] a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings." Many commentators have pointed to ISO 17799 as becoming a recognized, broadly applicable information security standard.

Case law and current events

In at least one case involving an auditor for NextCard, a breach in the security over the information used to generate a company’s reports has led to an indictment and plea bargain by the auditor for violations under Sarbanes-Oxley. Although the case did not involve a lack of information security by a company (instead, the breach was by the auditor), it does give some insight into how these types of cases could arise. In the complaint, the government stated that two auditors for NextCard met on a Saturday at the auditor’s offices "in order to alter working papers from the NextCard engagement." In the process of doing so, the auditors made "changes to the [electronic copies of the] working papers that concerned NextCard’s allowance for loan losses and its securitization of receivables."17 The auditors also altered the date on the laptop computer that they were using "in order to give the appearance that their changes to various documents had been made at the time of [their] original work on the audit."18 An adequate system of internal controls might be viewed as needing to address this kind of breach of security.
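The NextCard alteration described above turned on two things: electronic working papers were changed after the fact, and the workstation clock was set back so the changes appeared contemporaneous. The following Python program is an added example, not part of the original article or of the government's complaint, of the kind of integrity control that would make such an edit detectable: a hash-chained ledger of working-paper versions whose final hash is assumed to be copied out-of-band (for example, to the audit committee or to an archive the engagement team cannot write to) when fieldwork closes. Every document name, content string and date below is constructed for illustration, and the out-of-band "anchor" is an assumed control rather than anything the article or the complaint describes.

```python
"""Tamper-evident ledger for audit working papers (added example).

Each ledger entry commits to a document's content hash, the timestamp
recorded when the version was filed, and the previous entry's hash.
The final entry hash ("the head") is assumed to be copied out-of-band
at the close of the engagement. Altering a document later fails the
content check; rewriting the ledger entry to match (even with a
backdated timestamp) changes the head, so the rewrite no longer matches
the anchored copy, regardless of what the workstation clock said.
All documents and dates below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    seq: int
    doc_id: str
    content_hash: str
    recorded_at: str   # ISO-8601 timestamp supplied when the version was filed
    prev_hash: str
    entry_hash: str


def _entry_hash(seq: int, doc_id: str, content_hash: str,
                recorded_at: str, prev_hash: str) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    payload = json.dumps(
        {"seq": seq, "doc": doc_id, "content": content_hash,
         "at": recorded_at, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return sha256_hex(payload)


class Ledger:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def record(self, doc_id: str, content: bytes, recorded_at: str) -> Entry:
        """Append a new version of doc_id, chained to the current head."""
        seq, prev, ch = len(self.entries), self.head(), sha256_hex(content)
        e = Entry(seq, doc_id, ch, recorded_at, prev,
                  _entry_hash(seq, doc_id, ch, recorded_at, prev))
        self.entries.append(e)
        return e

    def links_valid(self) -> bool:
        """Recompute every link; True if the chain is internally consistent."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if _entry_hash(e.seq, e.doc_id, e.content_hash,
                           e.recorded_at, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def verify_chain(self, anchored_head: str) -> bool:
        """Internally consistent AND ends at the out-of-band anchored head."""
        return self.links_valid() and self.head() == anchored_head

    def verify_document(self, doc_id: str, content: bytes) -> bool:
        """Does the file on disk match the last version recorded for doc_id?"""
        versions = [e for e in self.entries if e.doc_id == doc_id]
        return bool(versions) and versions[-1].content_hash == sha256_hex(content)


def demo() -> dict:
    """Engagement, later alteration, and the checks that catch it."""
    original = Ledger()
    memo = b"securitization of receivables: treatment reviewed"  # constructed
    original.record("loan-loss-allowance.xls",
                    b"allowance for loan losses: reviewed", "2004-03-01T16:02:00Z")
    original.record("securitization-memo.doc", memo, "2004-03-02T10:45:00Z")
    anchor = original.head()  # assumed copied out-of-band at end of fieldwork

    # Later edit, made with the workstation clock set back to the fieldwork date.
    altered = b"allowance for loan losses: reviewed; subsequent events considered"

    # Rewriting the ledger so the altered file looks contemporaneous yields a
    # chain that is internally consistent but has a different head.
    rewritten = Ledger()
    rewritten.record("loan-loss-allowance.xls", altered, "2004-03-01T16:02:00Z")
    rewritten.record("securitization-memo.doc", memo, "2004-03-02T10:45:00Z")

    return {
        "original_chain_ok": original.verify_chain(anchor),
        "altered_file_matches_ledger": original.verify_document(
            "loan-loss-allowance.xls", altered),
        "rewritten_chain_internally_consistent": rewritten.links_valid(),
        "rewritten_chain_matches_anchor": rewritten.verify_chain(anchor),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the example is the last two results: a backdated rewrite can be made perfectly self-consistent, so the control that actually detects it is the copy of the chain head held outside the engagement team's control, not the timestamps on the machine that was altered.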

Other events also contribute to the calculus related to information security liability. In recent weeks, numerous well-publicized information security breaches have occurred (including ChoicePoint, Bank of America, DSW Shoe Warehouse, LexisNexis, and others). These types of occurrences inevitably lead to calls for greater accountability in the area of information security. At a recent committee meeting of the Senate Banking Committee, for example, plans were revealed about proposed legislation that would regulate data brokers, including one plan by New Jersey Democratic Senator Jon Corzine under which the FTC would be required to create information security guidelines "and, borrowing a page from the Sarbanes-Oxley law, would compel executives to sign off on their measures."19 It also would require financial institutions to notify consumers directly when their information has been compromised (similar to the California notification law commonly known as SB 1386).

What does the future hold?

In light of the above mentioned security breaches, combined with a greater awareness of information security in all sectors, it would not be surprising for the SEC to specifically address information security in the context of Sarbanes-Oxley. Even in the absence of such activity, however, reporting companies should be aware of the security of their IT systems and should take appropriate steps to protect those systems. As current events show, a lack of appropriate information security can lead to devastating results related to releases of personal information.

Footnotes

1. Introduction to the Sarbanes-Oxley Act of 2002 ("SOX"), Pub. L. 107-204.

2. Keith J. Crocker and Joel Slemrod, "The Economics of Earnings Manipulation and Managerial Compensation," February 3, 2005, available at http://www.smeal.psu.edu/faculty/ist/Accounting.fraud.February.3.2005.pdf.

3. See Testimony Concerning Implementation of the Sarbanes-Oxley Act of 2002, by William H. Donaldson, Chairman U.S. Securities and Exchange Commission, Before the Senate Committee on Banking, Housing and Urban Affairs, September 9, 2003, available at http://www.sec.gov/news/testimony/090903tswhd.htm.

4. SOX Section 201(a) (amending 15 U.S.C. 78j-1).

5. See Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, available at http://www.sec.gov/rules/final/33-8238.htm (hereinafter "SEC Final Rule"). For further detailed information on internal controls, see the PCAOB publication "Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements", available at http://www.pcaobus.org/Rules_of_the_Board/Documents/Rules_of_the_Board/Auditing_Standard_2.pdf.

6. Id., SEC Final Rule.

7. Tom Smedinghoff, "Trends in the Law of Information Security," BNA International, World Data Protection Report, Vol. 4, No. 8 (August 2004), available at http://www.bakernet.com/ecommerce/securitytrends.pdf.

8. SOX Section 101(a).

9. SOX Section 103(a)(2)(A)(iii).

10. SOX Section 103(a)(2)(A)(iii)(II)(aa-bb).

11. SOX Section 108(b)(1)(A)(v).

12. SOX Section 302(a)(2)-(3).

13. SOX Section 302(a)(4)-(5).

14. SOX Section 404(a).

15. SOX Section 404(b).

16. Id., SEC Final Rule.

17. Criminal complaint, U.S. v. Trauger, at page 12 (September 24, 2003), available at http://news.findlaw.com/hdocs/docs/sarbanes/ustrauger92403cmp.pdf.

18. Id.

19. See "Senate Spotlight Turns To Data Security," March 11, 2005, available at http://banking.senate.gov.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.