Internal Control Over Financial Reporting (ICFR)

SOX was enacted in 2002, and its ICFR provisions went into effect in 2003. Since then, numerous other countries have adopted similar laws, such as:

  • Canada: Bill 198, commonly known as C-SOX
  • China: The Basic Standard for Internal Control, or ‘China SOX’
  • Japan: The Financial Instruments and Exchange Act, or J-SOX

The European Union addresses corporate financial reporting through several directives, which each member state must then “translate” into national law. The EU 8th Company Directive addresses the duties of the audit committee and internal audit functions, including the effectiveness of internal controls.

Some countries don’t have a specific law that requires attention to ICFR, but have other regulations or codes that imply management’s responsibility for ICFR. For example, Britain does not have a “UK SOX” law, but the U.K. Corporate Governance Code holds corporate boards responsible for internal control generally, including ICFR.

The Sarbanes-Oxley Act (SOX) requires publicly-traded companies to maintain adequate controls over financial reporting (Section 404 of the law) so that management can certify that the company’s financial statements are a fair and accurate representation of financial performance (Section 302 of the law).

All filers are subject to Section 404(a), which says management must assess and report on the company’s internal control over financial reporting (ICFR). Large filers are also subject to Section 404(b), which requires an audit of ICFR by a certified public accounting firm. Smaller filers are exempt from Section 404(b).

A company does not need effective ICFR to meet filing standards for the Securities and Exchange Commission: it can report that it has ineffective ICFR, usually by disclosing one or more weaknesses in its internal controls. It does, however, need to make accurate disclosures about internal controls over financial reporting.

For example, if management attests to effective ICFR under Section 404(a), but auditors find weaknesses as they perform their duties under Section 404(b), then the certifications senior executives make about financial statement accuracy under Section 302 of SOX are no longer reliable.

Ineffective ICFR is often the precursor to a financial restatement. In the worst cases, CEOs and CFOs could be personally liable for making false statements under Section 302.

The Role of Cybersecurity in ICFR

Cybersecurity is crucial to ICFR and SOX compliance, but too often, the threat is misunderstood.

For example, user access controls to financial systems are one potential weakness; so are poor password reset policies. Internal control frameworks already exist to help companies implement strong controls over those areas, and audit firms review and test those controls regularly.

Those examples, however, only address cybersecurity at the application level. Companies subject to SOX compliance must also consider cybersecurity risks at the infrastructure and data levels.

That is, an unauthenticated attack targeting a misconfiguration or vulnerability in your ERP system could let hackers manipulate underlying financial data without touching financial applications or leaving an audit trail. Even with strong internal controls and audits at the data and infrastructure layers, security weaknesses in the application layer can still leave financial data subject to exploitation.

So declarations about ICFR would not be correct, and the company would not be in SOX compliance as executives (and auditors) might mistakenly believe.

Steps to Take

  • Understand the nature of this security threat and assign responsibility for it. CISOs may not understand the nuances of SOX compliance, while internal audit teams may not grasp how weak ERP security creates risks that evade internal control. Don’t let the issue go ignored.
  • Develop a security strategy for mission-critical applications that encompasses ICFR concerns. That strategy should address system configuration, log management, custom application development, patches, continuous monitoring and more. Otherwise your ICFR will remain vulnerable.
  • Find the right tools to do the job. Security, finance and audit teams need to identify weaknesses that jeopardize ICFR, and then seal those gaps. With the complexity of ERP systems supporting mission-critical applications, that’s no easy task. Using the right technology is crucial to success.

Learn how Onapsis can help identify security and compliance risks and streamline your audit processes. https://onapsis.com/request-a-demo/

Defense Federal Acquisition Regulation Supplement (DFARS)

The adequate safeguards required under DFARS are spelled out in the NIST security framework 800-171. That standard addresses 14 aspects of effective security, including:

  • Risk Assessment
  • Configuration Management
  • Maintenance
  • System and Information Integrity
  • Identification and Authentication
  • Audit and Accountability

The U.S. Department of Defense (DoD) manages its procurement needs through a rule called the Defense Federal Acquisition Regulation Supplement, or DFARS. One section of DFARS (Clause 252.204-7012) requires that all defense contractors maintain adequate security safeguards for any ‘controlled unclassified information’ (CUI) that either is stored in or transits through the contractor’s systems.

Contractors that use subcontractors for parts of their DoD contracts or that outsource some of their IT operations are still responsible for assuring DFARS compliance throughout their supply chain. That is, a defense contractor is responsible for the DFARS compliance (or the lack thereof) of its third parties.

The Defense Department does not certify that a contractor is DFARS compliant; nor will it recognize any third-party assessment or certification that a contractor is DFARS compliant. Rather, by signing a contract with the DoD, a company is agreeing that it will comply with DFARS.

A contractor that fails to meet DFARS standards can be barred from bidding on government contracts, lose contracts it currently has, or even face civil and criminal penalties in court.

The Role of Cybersecurity In DFARS

Controlled unclassified information can encompass a vast range of material: personal data, financial data, nuclear propulsion plans, accident information, budget estimates, whistleblower identities and much more. Any defense contractor possessing or processing any such information for the DoD will need to provide security protections as dictated by NIST 800-171.

The NIST standard expressly addresses several points about enterprise security. Among those points are configuration management and system maintenance, including software patches.

So an unauthenticated attack exploiting a misconfiguration or vulnerability in your mission-critical applications, which many organizations use to manage their supply chains with their partners, could allow malicious actors to manipulate underlying data without touching user applications or leaving an audit trail. Even with strong internal controls and audits at the infrastructure and database layers, security weaknesses at the application level can still leave CUI data exposed and jeopardize your DFARS compliance.

Steps to Take

  • Understand the nature of this compliance obligation and assign responsibility for it. CISOs may not understand the demands of DFARS compliance, while internal audit or compliance teams may not grasp the challenges of assuring security compliance throughout the supply chain. Assign a team to assess DFARS security risks and necessary mitigation steps.
  • Develop a security strategy for mission-critical applications that addresses DFARS issues. That strategy should address configuration management, log management, custom application development, patches, continuous monitoring and more. Those steps must provide solid protection against data manipulation in your ERP infrastructure.
  • Find the right tools to do the job. Security teams, in conjunction with business operations leaders and internal audit, need to identify risks and weaknesses that jeopardize DFARS compliance, and seal those gaps. With modern ERP systems supporting mission-critical applications, that’s no easy task. Using the right technology is crucial to do the job right.

Learn how Onapsis can help identify security and compliance risks and streamline your audit processes. https://onapsis.com/request-a-demo/

EU General Data Protection Regulation (GDPR)

GDPR came into force in 2018. It has since become the model for other new data privacy laws cropping up around the world, such as:

  • The California Consumer Privacy Act (CCPA)
  • Brazil’s General Law for Protection of Privacy (LGPD)
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Japan’s Act on Protection of Personal Information
  • Australia’s Privacy Act

All of these laws work from the premise that personal data belongs to the individual, so companies collecting that data must meet certain duties of care to protect it. Chief among those duties is keeping the data secure from unauthorized access or processing, including from hackers that might exploit weaknesses in mission-critical applications to reach PII in your company’s control.

The European Union’s General Data Protection Regulation (GDPR) is a far-reaching law that provides a set of privacy rights for all EU citizens. Any business working in the EU, as well as any business anywhere in the world that collects personal data about EU citizens, must comply with those GDPR standards or risk severe financial penalties. Some of these GDPR guarantees include:

  • Right of access: an individual has the right to see all personal data a company has collected about him or her, upon request;
  • Right of rectification: an individual can demand that inaccurate personal data about him or her be corrected, which the company must do within 30 days;
  • Right of erasure: an individual can also request that personal data a company has collected about him or her be deleted.

GDPR doesn’t specify how a company must fulfill these rights; it only requires that a company covered by GDPR fulfill those rights somehow.

Likewise, the GDPR mandate does not expressly say that businesses must encrypt the personal data they collect about individuals. Instead, GDPR repeatedly cites encryption and pseudonymization as examples of the “appropriate technical and organizational measures” a company must take to assure the security of personal data it collects.

GDPR has also become a model for other privacy laws, such as the California Consumer Privacy Act. While CCPA and GDPR aren’t identical, both are rooted in the principle that personal data belongs to the person, rather than to the company collecting the data. As such, the company must meet certain standards of care while personal data is in its possession—such as keeping the data secure.

The Role of Cybersecurity in GDPR Compliance

Article 5 of the GDPR mandate states that personal data must be protected against “unlawful or unauthorized processing; and against accidental loss, destruction, or damage.” This is where cybersecurity enters the GDPR compliance picture. The data must be protected from unlawful or unauthorized manipulation.

Part of that challenge is to keep unauthorized users away from where personally identifiable information (PII) resides. Another part, however, is to protect the data itself, at the data and infrastructure layers.

That is, hackers could target a misconfiguration or vulnerability in the company’s mission-critical applications, and gain access to personal data without using business applications or leaving an audit trail. Even with strong internal controls and audits at the infrastructure or database levels, weaknesses in the application layer can still leave personal data exposed to unauthorized manipulation—and leave the company violating GDPR.

The potential fines for violating GDPR are substantial: up to €20 million or 4% of an organization’s global revenue, whichever is greater.

Steps to Take

  • Understand the security nuances of GDPR compliance. CISOs may not understand the details of GDPR compliance, while internal audit and compliance teams, as well as the Data Protection Officer (DPO), may not grasp all the attack vectors that could create GDPR risk. You need a thorough assessment of GDPR risk.
  • Develop a security strategy for mission-critical applications that encompasses GDPR compliance. That strategy should address configuration management, log management, custom application development, patches, continuous monitoring and more.
  • Find the right tools to do the job. Security teams, in conjunction with internal audit and compliance, need to identify weaknesses that jeopardize GDPR compliance and seal those gaps. With modern ERP systems supporting mission-critical applications, that’s not easy. Using the right technology is crucial to success.

Learn how Onapsis can help identify security and compliance risks and streamline your audit processes. https://onapsis.com/request-a-demo/

Foreign Corrupt Practices Act (FCPA)

The FCPA was enacted in 1977. A host of other anti-bribery statutes around the world have come onto the books since then, including:

  • The U.K. Bribery Act
  • The Sapin II anti-corruption law in France
  • Brazil’s Clean Companies Act
  • Canada’s Corruption of Foreign Public Officials Act

All of these laws have the same basic structure as the FCPA. They prohibit the bribery of foreign government officials, and require businesses to maintain adequate books and records to identify potential illicit payments.

While enforcement of these laws will vary from country to country, the potential legal liability is the same across most jurisdictions. So the ability to maintain adequate books and records is crucial to compliance, no matter which particular statutes might apply to your business.

The U.S. Foreign Corrupt Practices Act (FCPA) is the foremost corporate anti-bribery statute in the world. It has a criminal section, which prohibits corporations from bribing officials of foreign governments to win business; and a civil section, which requires publicly traded corporations to maintain adequate books and records that reflect corporate transactions.

The Justice Department enforces the criminal section, and can exercise jurisdiction over any corporation – public or private, based anywhere in the world – that does business in the United States. The Securities and Exchange Commission (SEC) enforces the books-and-records provisions against any corporation that trades on the U.S. stock exchanges, even if that company does not do business in the United States.

Always remember that the FCPA books-and-records provisions provide the legal basis for the SEC to punish corporate accounting fraud, even if the company is not violating the law’s criminal provisions. That’s because the FCPA amends the Securities Exchange Act of 1934 to specify that all companies trading on the U.S. stock exchanges must maintain adequate books and records.

So any company trading on U.S. stock exchanges must meet the books-and-records standards dictated by the FCPA, even if that company does no business overseas whatsoever.

The Role of Cybersecurity in Anti-bribery

Cybersecurity is crucial to compliance with the FCPA or any related anti-bribery statute. Bribery schemes work by disguising illicit payments as something else. The ability to create a false trail of transaction records – sales policies bent to generate slush funds, accounting policies abused to fund bribes, payment records altered to hide true recipients – is what allows corrupt payments to flow. Strong cybersecurity thwarts that manipulation.

Moreover, accounting fraud works by manipulating data. So any cybersecurity strategy that ignores threats at the application layer leaves a company vulnerable to accounting fraud, regardless of other security measures such as firewalls, access control, and segregation of duties (SoD).

That is, an unauthenticated attack exploiting a misconfiguration or vulnerability in your company’s mission-critical applications, which support financial operations, could manipulate underlying financial data without touching the financial applications themselves or leaving an audit trail. Even with strong internal controls and audits at the infrastructure and database layers, weaknesses at the application layer can still leave financial data vulnerable to bribery or fraud schemes.

Steps to Take

  • Understand the nature of this security threat and assign responsibility for it. CISOs may not understand the demands of FCPA compliance, while internal audit or compliance teams may not grasp how important security is to reducing FCPA risks.
  • Develop a security strategy for mission-critical applications that encompasses FCPA books-and-records issues. That strategy should address configuration management, log management, custom application development, patches, continuous monitoring and more. Those steps must provide solid protection against books-and-records manipulation.
  • Find the right tools to do the job. Security teams, in conjunction with the finance organization and internal audit, need to identify risks and weaknesses that jeopardize FCPA compliance, and seal those gaps. With modern ERP systems supporting mission-critical applications, that’s no easy task. Using the right technology is crucial to do the job right.

Learn how Onapsis can help identify security and compliance risks and streamline your audit processes. https://onapsis.com/request-a-demo/

Volume XVI: SAP® Security In-Depth: Switchable Authorization Checks: New Workbench and Scenarios

Switchable Authorization Checks is a solution provided by SAP that allows developers to deliver authorization changes in an SAP system without disrupting productive systems. This solution allows system administrators to decide how and when new authorizations are applied in the system. It is managed through transaction SACF (Switchable Authorization Checks Framework), which helps administrators identify users requiring additional authorizations because of the new check. Authorization checks can be activated after completing the required changes to user roles. We will explain step by step how to perform a complete implementation of a switchable scenario, since installing a Switchable Authorization Checks note activates the scenario and its objects.

Onapsis Assess for SAP SuccessFactors

SAP SuccessFactors contains some of an organization’s most sensitive and regulated data, including employee PII and bank account details to support payroll. Protecting this data – ensuring only authorized users can access and modify it, minimizing risk of breach – is essential for avoiding fraud and costly compliance violations.

Securing Mission-Critical Applications in the Cloud

Protect business processes from the core to today’s new cloud edge

Connecting a Complex Mix of Application Environments

The mission-critical applications that run your business – supply chain management (SCM), human capital management (HCM), enterprise resource planning (ERP), customer relationship management (CRM), business intelligence (BI) and other systems – have shifted from running solely within a controlled, self-managed environment to a complex and interconnected mix of on-premises, infrastructure as a service (IaaS), platform as a service (PaaS) environments and software as a service (SaaS) offerings.

At the same time, digital transformation, including cloud, DevOps, artificial intelligence, robotic process automation and other initiatives, introduces new software and capabilities in the most agile, fast and cost-effective way possible, with security often being an afterthought. As a result, constant change from continuous integration and continuous deployment can introduce errors, overly privileged user access and vulnerabilities that put the business at risk.

While cloud computing and interconnectivity bring operational benefits, such as agility, cost savings and efficiencies, they also create new challenges. IT, cybersecurity and risk professionals must overcome these challenges to protect the enterprise against internal and external threats, ensure compliance with regulatory requirements and optimize availability. Without a complete view across on-premises, IaaS, PaaS and SaaS environments, it’s impossible to understand your company’s true application security risk or accurately identify and address the most severe gaps, vulnerabilities and threats.

Protecting Business Processes from the Core to Today’s New Cloud Edge

Onapsis is purpose-built to protect organizations from cyber threats, streamline regulatory compliance and improve availability and performance of mission-critical applications from SAP, Oracle, Salesforce and others across cloud, hybrid and on-premises deployments. You will get a complete view into your most important applications and how they connect to one another, no matter where the applications are running, without multiple tools and additional expertise. Onapsis simplifies interconnected systems and uncovers risk introduced by connecting applications to help you protect the intelligent enterprise, while ensuring compliance and enhancing performance and availability.

With The Onapsis Platform, you can:

  • Reduce the security and compliance risk of extended business processes
  • Enforce security and compliance baselines
  • Monitor application security, user activity and threats in production
  • Accelerate and ease cloud adoption
  • Trust, but verify, security of cloud applications

Uncovering Risks in Interconnected Applications

As business processes get extended into the cloud, it becomes increasingly difficult for IT, cybersecurity, development and audit and compliance teams to understand which applications and services support critical business processes, how they interconnect with each other and how changes impact compliance, security and performance over time.

Onapsis can help teams answer these and other questions about their extended business processes:

  • Are interconnected processes compliant with relevant regulations and standards?
  • Do connected SaaS applications follow best practices for configuration?
  • Are users assigned too many privileges, violating Segregation of Duties requirements?
  • Is there misuse of privilege?

Delivering Context into the Entire Application Environment

With The Onapsis Platform, your company gains application- and business-level context to the entire application environment, with a 360-degree view of cyber risk across your critical applications, both on-premises and in the cloud. Designed for cross-functional collaboration among IT, cybersecurity, development and audit and compliance teams, The Onapsis Platform gives you:

  • Complete protection of mission-critical applications
  • A holistic view into applications on-premises, in the cloud, in a managed service or in a SaaS model
  • Expertise and experience to help you understand how mission-critical applications can be exploited
  • Security, continuous compliance and the ability to ensure performance and availability

Onapsis Delivers Proven Results

Companies using Onapsis have experienced:

  • 80% reduction in the cost of security testing associated with application modernization
  • 50% acceleration of cloud migration and digital transformation projects
  • 90% automation of manual audit reporting tasks

Protect the Core and Cloud Edge with The Onapsis Platform

Onapsis delivers the actionable insight, secure change, automated governance and continuous monitoring capabilities required by cross-functional teams to optimize workflows and automate manual tasks. Your teams will embrace and accelerate application modernization, cloud and mobility initiatives while keeping your company’s most vital systems and data protected and compliant.

The Onapsis Platform is powered by the Onapsis Research Labs, our dedicated security research team responsible for the discovery and mitigation of more than 800 vulnerabilities in mission-critical applications. The reach of our threat research and platform is broadened through leading consulting and audit firms such as Accenture, Deloitte, IBM, PwC and Verizon, making Onapsis solutions the de-facto standard in helping organizations protect their cloud, hybrid and on-premises mission-critical information and processes.

Global Chemical Manufacturing Company Case Study

Industry: Manufacturing, Chemicals
Company Size: 100k+ employees; >60B revenue

Challenge

Costly, unexpected project delays due to manual code reviews and lack of transport visibility

A global chemical company relies on SAP for its business-critical applications and leverages custom code development to support its organization. However, the organization struggled to keep its development cycles at a pace that aligned with the speed of its business. A manual code review process, with no way to check transports for errors, led to long, error-prone development cycles for SAP applications. Additionally, it was difficult to implement changes without impacting existing system performance or introducing security or compliance issues. This resulted not only in missed project deadlines but also in unexpected costs, due to remediation efforts and rework when errors in code were brought into production.

“Onapsis helps us address two of the biggest trouble areas in our change management processes—custom code and transports. A third-party solution for analyzing these that integrates into SAP ChaRM allows us to get things right the first time and avoid costly rework and manual analyses.”

Security Architecture Manager, Global Chemical Company

Solution

Onapsis Control automates code scans, checks transports, and reduces development cost and time

The company found the ideal solution in Onapsis Control. They were able to eliminate their manual code review processes and automatically scan hundreds of lines of code in minutes for errors. Onapsis Control’s detailed explanations and step-by-step remediation guidance shortened their time to resolution and accelerated their development cycle. Deep visibility into transport errors prior to production enabled the resolution of problematic transports prior to import. This eliminated the need to remediate production errors and also enabled projects to be delivered on time and within budget. The company was able to use Onapsis Control’s ability to check code and transports for quality issues that can negatively impact system performance, compliance, and security. They were also able to ensure that system changes enabled by transports did not impact system performance. Because they received timely, critical threat intelligence from the Onapsis Research Labs, the company had confidence they could stay ahead of the latest potential threats to their SAP landscape.

“With Onapsis, we can be more confident that the changes we’re making aren’t going to cause disruptions or performance issues while addressing security and compliance at the same time. It’s a win for everyone.”

Security Architecture Manager, Global Chemical Company

Results

  • 25% less time spent on code reviews
  • 65% lower costs for remediation activities
  • 75% reduction in security and quality errors imported into production

Implementing Onapsis Control has enabled the company to incorporate security earlier into their application development cycle, thereby reducing costly errors in production that affect manufacturing and delivery processes. Deep scanning of transports ensures that configuration or authorization changes that violate company policy or manufacturing process guidelines are blocked and, ultimately, rewritten prior to being deployed in the production environment.

This resulted in a 75% reduction in the number of security and quality errors imported into production. As a result, their development process is more secure and efficient, and they have eliminated time-consuming rework and costly system disruption or downtime. The development team also replaced their time-consuming manual code review process with the automatic code scans of Onapsis Control, reducing their code review cycle time by 25%.