Data security deserves its version of Sarbanes-Oxley.
Love it or hate it, Sarbanes-Oxley (SOX) was enacted as a reaction to major financial scandals which shook public confidence and cost investors billions of dollars.
The high-profile data security breach at Equifax has certainly shaken public confidence. The announced compromise of 143 million records has prompted some to call for a “cyber Sarbanes-Oxley.”
Before we examine the benefits of a Cyber-SOX, we should examine what led to SOX in the first place. Executives at Enron, Tyco, WorldCom and other companies were found guilty of deceptive financial reporting. But the problem was more insidious. Enron executives not only misled the company's board of directors, they also pressured independent auditor Arthur Andersen into issuing fraudulent audits.
The cost of these financial scandals was staggering. Enron erased $11 billion of shareholder value. WorldCom wiped away billions of dollars from pension funds. Politicians seized the opportunity to enact far-reaching regulations. The public recognized the conflict-of-interest and lack of controls. SOX was passed with an overwhelming majority.
One key element of SOX was how it elevated the importance and responsibility of the Chief Financial Officer (CFO). The CFO (together with the CEO) became personally responsible for reviewing financial reports and certifying their accuracy and integrity. SOX meant CFOs had skin in the game.
SOX also made auditors more accountable and increased the penalties for destroying, altering, or fabricating records.
SOX has been criticized for being too far-reaching. Whether or not that is true, there have been far fewer financial scandals since.
A Cyber-SOX could have similar benefits for data security that SOX had for financial reporting.
The majority of breaches are the result of inadequate controls, not sophisticated hacking. Cyber-SOX could make the Chief Information Officer accountable for implementing and enforcing policies that would better protect our privacy. Cyber-SOX could do for the CIO what SOX did for the CFO.
Likewise, Cyber-SOX should also increase penalties for destroying, altering, or fabricating records. A greater emphasis is needed on effective and transparent IT asset management (ITAM). ITAM may be the most overlooked aspect of data security: a CIO cannot justifiably vouch for the integrity of data security if her company cannot account for all of its computers.
Shareholders should support the idea of Cyber-SOX. Class action lawsuits against companies that suffer breaches cost investors billions of dollars. Boards should be accountable for putting qualified CIOs in place.
The data security breach at Equifax has compromised the privacy of a large share of families in the United States. Does data security deserve its own version of SOX?
Tell me what you think.