Cybersecurity Needs Its Own Sarbanes-Oxley
By the time it all came to light, investors had lost billions of dollars and regulators had shed credibility. That’s when Congress stepped in, with Senator Paul Sarbanes and Representative Michael G. Oxley sponsoring the bill that would bear their names.
Sarbanes-Oxley, or SOX, is a long and extensive set of regulations covering areas including the independence of auditors, enhanced financial disclosures, and the obstruction of investigations.
One of the most potent parts, Section 302, forces executives to personally attest to the accuracy of their financial disclosures on a quarterly basis. It does so by requiring that a company officer certify that they’ve actually reviewed the report, and that it doesn’t contain any falsehoods. In other words, it removes “plausible deniability” loopholes that could allow C-level executives to commit fraud, or reign over a company where such misdeeds are carried out, while subsequently claiming innocence.
Today, the need for such accountability extends to data. Lawmakers should enact regulation that holds executives personally responsible for information security at the companies they run.
Three recent cases highlight just how crucial it is.
Last month, an Australian mobile network subsidiary of Singapore Telecommunications Ltd. called Optus was hacked and the records of almost 10 million people stolen. Among the data accessed were customer names, dates of birth, email addresses, passport and driver's license numbers. In Australia, that's enough information to potentially conduct identity theft under a points system used in the country for identity…