USA: Sarbanes-Oxley Act - What you need to know
The Sarbanes-Oxley Act of 2002, commonly called Sarbox or SOX Act, is a US federal law that established certain practices in relation to record keeping and reporting requirements for organisations under its scope. In particular, the SOX Act provides rules for US public company boards of directors and management and public accounting firms, while also setting out certain requirements which apply to privately held companies, although generally excluding such companies from its scope of application. This Insight article will detail the scope of the obligations under the SOX Act, highlighting key requirements for covered entities, and will provide a brief discussion on the enforcement of its provisions.
Passed in 2002 in response to some financial enforcement actions, the SOX Act both amended and supplemented existing laws within the US securities industry. More specifically, the SOX Act introduced changes to the Securities Exchange Act of 1934 ('the Securities Exchange Act') and laws and regulations enforced by the Securities and Exchange Commission ('SEC'). The SOX Act is set out in 11 Titles, but can be broadly divided into four areas, namely corporate responsibility, criminal punishment, accounting regulation, and increased protections.
Scope and obligations
Broadly speaking, the SOX Act applies to certain publicly traded companies in the US, to the accounting firms which audit such companies (and which must themselves comply with the requirements under the SOX Act), as well as to certain foreign companies.
Furthermore, it details various responsibilities for organisations, such as:
- registering with the Public Company Accounting Oversight Board ('the Board') and paying annual fees; and
- preparing, and maintaining for a minimum of seven years, audit work papers, and other information related to any audit report, in sufficient detail to support any conclusions reached in these reports.
Among its various other provisions, the SOX Act outlines certain requirements with respect to whistleblower protections. More specifically, Section 1514A(a) of the SOX Act, which addresses retaliation in fraud cases, provides that 'no company with a class of securities under Section 12 of the Securities Exchange Act or any officer, employee, contractor, subcontractor, or agent of such company, may discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee in the terms and conditions of employment because of any lawful act done by the employee:
- to provide information or assist in an investigation regarding any conduct which the employee reasonably believes constitutes a violation of Sections 1341 to 1344, or 1348 of the SOX Act or any rule or regulation of the SEC or any federal law relating to fraud against shareholders;
- to file, cause to be filed, testify, participate in or otherwise assist in a proceeding filed or about to be filed relating to an alleged violation of [the aforementioned laws] [...].'
Furthermore, under Section 1514A(b) of the SOX Act, any person who alleges discharge or other discrimination in violation of the aforementioned provision can seek relief by:
- filing a complaint with the Secretary of Labor; or
- bringing an action at law or equity for de novo review in the appropriate district court if the Secretary of Labor has not issued a final decision within 180 days of the filing of the complaint and there is no showing that such delay is due to the bad faith of the claimant.
Moreover, under Section 1514A(c) of the SOX Act, an employee who prevails in any action is entitled to all the necessary relief in order to make the employee whole, with the SOX Act also providing for compensatory damages including:
- reinstatement with the same seniority status that the employee would have had, but for the discrimination;
- the amount of back pay, with interest; and
- compensation for any special damages sustained as a result of the discrimination, including legal fees.
SOX and cybersecurity controls
As part of the SOX Act, covered entities are required to put in place procedures for increased financial disclosure of periodic reports, conflict of interest provisions, management assessment of internal controls, and codes of ethics for senior financial officers, among other things. Of note is the management of internal control processes, which the SEC clarified extends to cybersecurity, through the issuance of guidance on the same ('the SEC Guidance').[1]
In the SEC Guidance, the SEC provided interpretative guidance intended to assist in the preparation of disclosures about cybersecurity risks and incidents. As the SEC Guidance discusses, this stemmed from guidance issued in October 2011 by the Division of Corporation Finance, which explained that 'although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, companies nonetheless may be obligated to disclose such risks and incidents'. This led many companies to include cybersecurity disclosures in the form of risk factors. Then, in 2018, the SEC further expanded upon this topic through the SEC Guidance, noting that '[c]ompanies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events', which extends to those related to cybersecurity. Moreover, the SEC Guidance outlines that companies must 'refrain from making selective disclosures of material non-public information about cybersecurity risks or incidents'.
In considering what cybersecurity disclosures are necessary, the SEC stated that companies should take into consideration the potential materiality of any identified risk, and in the case of incidents, the importance of any compromised information and the impact of such an incident on the company's operations. Further, the SEC explained that the materiality of cybersecurity risks or incidents depends on, among other things:
- 'the occurrence of prior cybersecurity incidents, including their severity and frequency;
- the probability of the occurrence and potential magnitude of cybersecurity incidents;
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company's ability to prevent or mitigate certain cybersecurity risks;
- the aspects of the company's business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks;
- the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
- the potential for reputational harm;
- existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
- litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents'.
The focus on cybersecurity as part of the obligations of organisations regulated by the SEC continues, as the SEC recently voted to propose a rule[2] that would codify many of the cybersecurity disclosure obligations previously mentioned. Importantly, the proposed rule would apply to investment companies, which can be either private or public, and many of which are regulated by the SOX Act. In particular, the proposed rule would, among other things:
- require advisers and funds to adopt and implement written policies and procedures which are reasonably designed to address cybersecurity risks;
- require advisers to report significant cybersecurity incidents to the SEC;
- enhance adviser and fund disclosures related to cybersecurity risks and incidents; and
- require advisers and funds to maintain cybersecurity-related records for a set time period.
The SEC is given the authority to promulgate rules and regulations in furtherance of the SOX Act. Furthermore, a violation of any of the obligations under the SOX Act is treated as a violation of the Securities Exchange Act, and thus a person will be subject to the same penalties. Since its enactment, the SEC has taken limited action in relation to the SOX Act, and more specifically with respect to the whistleblower protection provisions. Currently, the SEC's publicised list of enforcement actions sits at 15 actions based on conduct taken to impede reporting, and four actions based on retaliatory conduct.
Public Company Accounting Oversight Board
As part of increased oversight of public companies, the SOX Act established the Board which is responsible for overseeing the auditing of public companies that are subject to securities laws and related matters. Further, the Board is also given authority to conduct inspections of registered public accounting firms, as well as investigations and disciplinary proceedings, and to impose appropriate sanctions.
As the cybersecurity obligations remain part of the financial reporting obligations under the SOX Act, it is a criminal offence, in accordance with Section 1350(c) of the SOX Act, to certify any statement knowing that the periodic report accompanying the statement does not conform to the requirements set forth in the SOX Act. Any person who violates this will be fined $1 million or imprisoned for ten years, and for wilful certification a fine of $5 million is imposed, as well as imprisonment for 20 years. Notably, under Section 1350(a) of the SOX Act, these disclosure obligations are the responsibility of C-suite management, and therefore the penalties are applied to the offending individuals.
One of the biggest effects of the SOX Act was the increased accountability of large publicly traded companies. Following its enactment, many other countries followed suit to either reinstate or introduce similar laws. Most recently, the UK concluded its UK SOX consultation and is currently considering 155 recommendations for reform. With the expanding scope of the obligations and the high financial penalties, it is important for organisations to be mindful of compliance with the SOX Act from a holistic perspective.
Edidiong Udoh, Privacy Analyst
1. Available at: https://www.sec.gov/rules/interp/2018/33-10459.pdf
2. Available at: https://www.sec.gov/rules/proposed/2022/33-11028.pdf