Would a Sarbanes-Oxley type law requiring public companies to attest to their cybersecurity integrity be a good idea?

390 views, 2 upvotes, 6 comments

CEO in Healthcare and Biotech, 2 - 10 employees
Congress reached agreement in 2015, after a decade-plus of discussion, that it was time to pass cybersecurity legislation to facilitate information sharing, but it still has not been able to pass a national data breach law or any kind of basic privacy law around how our personal information is used by tech companies. The government side in the US is fairly well regulated through the Privacy Act and the different laws that regulate how the federal government can use your information, but we just left it wide open to the private sector.

These discussions are taking place around Twitter, Google, Facebook, et cetera, and what they do, and how they manage information, how they use information. I mean, these are just continuous discussions that have been taking place for the entire existence of social media companies. We don't seem to be any closer really at the federal level, Congress and the administration, to figuring out how to build that basic framework of law and policy that covers the really fundamental things.

And then you see how hard it is even for really large private sector entities that have actual resources and budgets, and people who know how to do cybersecurity and information security. How much they struggle. And that's challenging enough, but all the medium and small enterprises that make up so much of the backbone of the actual US economy and global economy are just completely unable to even grasp, "What is it that I'm supposed to do just to secure myself?" And so we're just in such a challenging place, I think, because of our inability to identify basic core standards and guidelines, and the like. I think unless and until we start to get much more in the way of standards that come in a Sarbanes-Oxley-like form or SEC standards that actually have pain behind them in terms of non-compliance, so much of American society and the global society are just going to be like, "I know it's a problem. I know it's a risk, but I just don't know what to do."

Board Member, Advisor, Executive Coach in Software, Self-employed
I'm not a person who likes a lot of regulation, because I think it encumbers businesses. It creates other risks and idiosyncrasies. At the same time, regulations are meant to deal with the perhaps lack of economic incentives and fix issues where people don't necessarily do what they should be doing even though they might know better. By and large, if I'm on a board or I'm an executive, my sole purpose is to increase shareholder value, and spending money on security takes away from net income because it's not growing my revenue unless I'm in a security company. If there's no long-term implication to the shareholder, then I'm always going to skimp on security.

In a National Association of Corporate Directors survey of corporate directors across the US, 16 months ago, 61% said they'd compromise on cybersecurity for a business objective. It makes me wonder if we should have, in essence, a Sarbanes-Oxley type law that requires public companies to attest to their cybersecurity integrity. That would then create all the pressures for them. It would also make the role of the CISO, or CSO, or chief trust officer the equivalent of a general counsel, who could be disbarred, in essence, if they did certain things. Or the chief financial officer going to jail if there were financial integrity issues, or the CEO. At the same time, there should perhaps be a whistleblower statute that would protect the security team or the security leader for calling out the integrity issues and things.

So I think if we created some type of structure like that, with a kind of cybersecurity integrity attestation as well as some level of whistleblower protection, we might then move the needle. We know what to do, but nothing's happened because you need teeth in it. If the teeth are just a fine, I'm going to kick the can down the road. Look at all the antitrust things that occur and all the other fines that people kick the can down on. It needs to be, "You could go to prison." And it would then create a level of oversight, and obtrusive oversight, from maybe the FTC or something like that. Or they're in your shorts all the time, which then further encumbers your business. So I don't know. That's at least mentally for me, I'm going, "If we did something like that, that might at a minimum start making more traction for us."

2 Replies
CISO in Software, 51 - 200 employees

So, Malcolm, you're saying that we know what to do, but I'm not sure that they do know what to do. They're politicians, and you can take all the negatives away and let's say they're all just shining examples of human beings, every single last one of them, right? They're still politicians. They don't have a background as an IT security or IT professional. They have gone in there, they know law, they know how to pass bills, they know how to do those pieces. Are the experts there who can help them, and are they willing to listen to those experts if that advice is given, right? So, Malcolm, we could write the best list of, "This is what we think they should do." But do they give a rip? We need more attorneys and lawyers in the cybersecurity space. That's just so desperately needed. Somebody who has the deep expertise to be able to have these conversations around this stuff. Not just paper pushers, but people who are embedded and ingrained in IT. And they don't have to be hands-on-keyboard, but they need to understand what the cloud really is and all of these types of things.

Board Member, Advisor, Executive Coach in Software, Self-employed

Yes, lawyers with technical competency.

Senior Information Security Manager in Software, 501 - 1,000 employees
I think it is potentially a good idea.

But using SOX as an example showed that Congress does not know how to create a regulation that works. Such a regulation would be best if it was self-enforced.

Overall, I think something akin to PCI would be a good idea.

VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
Yes, but attest using a blend of maturity and hygiene metrics. Maturity metrics alone don't provide enough insight into the integrity of practices.