Why Finance Companies Should Implement SOX Password Requirements

Although the Sarbanes-Oxley (SOX) Act doesn´t contain specific IT provisions, companies subject to U.S. Securities and Exchange Commission regulations should implement SOX password requirements in order to comply with Sections 302 and 404 of the Act requiring adequate internal control structures. 

When the Sarbanes-Oxley Act was passed by Congress in 2002, cyberattacks were a fraction of what they are today. Consequently, the sections of the Act relating to internal control structures barely touched data protection. However, following a series of significant data breaches in the finance industry, the Securities and Exchange Commission (SEC) issued guidance on disclosure obligations relating to cybersecurity risks and cyber incidents in 2011.

The guidance reminds companies of the requirement to disclose “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision” and suggests companies should evaluate existing cyber defenses to identify vulnerabilities that could result in unauthorized access to data, loss of data, or corruption of data, as these events could incur costs, operational disruption, and reputational damage.

With regards to maintaining adequate internal control structures, the guidance adds cyberattacks can pose a risk to the ability to complete SEC filings – not just SOX filings, but also those required under Regulation S-K, Regulation FD, Form 10-K, Form 20-F, etc. Therefore, companies should consider whether risks exist that could prevent accurate recording, processing, summarizing, and reporting, and the adequacy of “preventative actions” taken to reduce cybersecurity risks.

The 2011 guidance was followed by a more strongly worded statement in 2018, in which the SEC made it clear it expected financial statement disclosures to include a full breakdown of costs relating to the costs and financial consequences of a cyberattack. The required disclosures include:

  • The cost of investigating a cyberattack
  • Breach notifications, remediation, and litigation costs
  • Any loss of attributable customer asset value
  • Revenue losses and insurance premium increases
  • Diminished cash flows due to increased cybersecurity costs

What Prompted the SEC´s Guidance and Subsequent Statement?

The timing of the SEC´s 2011 guidance and 2018 statement wasn´t an accident. Both publications followed significant cyberattacks on the finance industry due to poor data security and access controls (Citigroup, NASDAQ, and Bank of America in 2010/11, and Equifax, Scottrade, and Deloitte in 2017). Unfortunately, the advice to consider the adequacy of “preventative actions” fell on deaf ears at First American and Capital One, who both suffered preventable data breaches in 2019.

While the causes of most data breaches are rarely revealed, those mentioned above were all attributable to cybercriminals hacking into computer systems via a vulnerability. In the case of the Citigroup and Equifax data breaches, these were attributable to unpatched software vulnerabilities. However, the Bank of America, Scottrade, Deloitte, and First American data breaches were caused by hackers obtaining log-in credentials either by brute force attacks or phishing.

According to Verizon´s 2020 Data Breaches Investigations Report, more than 80% of data breaches due to hacking are attributable to brute force attacks against weak passwords or stolen log-in credentials. Incredibly, an analysis of brute force attacks against companies who contributed to the report found that the average number of attempted brute force attacks per company was in excess of 30 million per year – a worrying statistic for any company not enforcing password best practices.

How to Reduce the Likelihood of Cyberattacks in the Finance Industry

The conclusion is that the best way to reduce the likelihood of cyberattacks in the finance industry is to develop password policies that empower the use of strong passwords and deploy a password manager that can enforce the policies and identify weak, re-used, and potentially compromised passwords. For finance companies subject to the Sarbanes-Oxley Act, the enforcement of password best practices with a password manager should be a minimum SOX password requirement.

Beyond the basic SOX password requirements, companies can deploy password managers that support secure password sharing, end-to-end encryption, and cross-platform synchronization. However, one important consideration to be aware of is that the password manager must be easy to use. Should administrators find it too complicated to configure and govern access controls, it is likely vulnerabilities will develop which will negate the effectiveness of the password manager.

SOX Password Requirements FAQs

What mechanisms does a password manager have that can address the requirement for adequate internal control structures?

While a password manager alone should not be relied on to address the requirement for adequate internal control structures, certain password managers have access control capabilities, can produce activity logs and audit trails, and be configured to automatically disconnect users after a period of inactivity. Furthermore, most commercial password managers can be integrated with SIEMs to provide greater visibility into cybersecurity events.

How does a password manager help reduce cybersecurity risks?

When a password manager is used to securely store strong passwords, it is harder for cybercriminals to gain access to accounts via brute force attacks and phishing, and therefore less likely they will be able to extrapolate data, deploy malware, or launch ransomware attacks.

What are brute force attacks against weak passwords?

Brute force attacks are when cybercriminals try to crack a password using software to try every possible combination of characters. Most 6-digit alphanumeric passwords and longer passwords consisting of dictionary words can be cracked within a day, so it is a best practice to always assign a unique, long, and complex password to each account.

How do password managers mitigate the threat from phishing?

Password managers save login credentials by URL and when a user visits a website for which login credential have been saved, the password manager usually autofills the login credentials to save the user remembering them or looking them up. When a user is directed to a phishing website, the URL will be different from the one saved by the password manager and therefore it will be unable to autofill the login credentials – alerting the user that the website is fake.

How else can a password manager reduce cybersecurity risks to finance companies?

Depending on the capabilities of the password manager, users can run health checks on saved login credentials to identify weak, re-used, or compromised passwords; the password manager can be used alongside MFA keys and authenticator apps to strengthen defenses against brute force and phishing attacks; or employees can take advantage of secure messaging capabilities to avoid sending sensitive data via email.