Newly proposed legislation would amend the Sarbanes-Oxley Act to expand mandated internal controls reports and disclosures to include cyber-security systems and risks of publicly traded companies. The Cyber-security Systems and Risks Reporting Act, sponsored by Rep. Jim McDermott (D-Wash.), has been referred to the House Committee on Financial Services.
SOX Section 302 requires CEO and CFO certifications regarding the quality and accuracy of financial reports. Attestations would be extended to a company’s designated cyber-security officer, or a comparable position, and the internal controls they oversee. The bill also adds “information systems” and “cyber-security systems” to existing SOX requirements for financial statements. Similarly, “cyber-security systems standards and practices” would be affixed to the traditional “quality control policies and procedures.” Requirements for “the principal financial officer or officers” would be extended to “cyber-security systems officer or officers.”
The legislation defines “cyber-security system” as “a set of activities or state, involving people, processes, data or technology, whereby the protection of an information system of the issuer is secured from, or defended against, damage, unauthorized use or modification, misdirection, disruption or exploitation.”