December 28, 2020 | The Hill

Why a Sarbanes-Oxley update is needed to protect our financial sector from hackers

Excerpt

Sen. Paul Sarbanes (D-Md.) built a reputation as a lawmaker with a low profile and a high impact. His recent passing has brought one of his signature pieces of legislation back into the spotlight. The Sarbanes-Oxley Act of 2002 instituted protections to promote the stability of the national financial system. As the digital era reshapes the economy, we can honor Sen. Sarbanes’ work and legacy by ensuring that the Act continues to serve the same ends he envisioned nearly 20 years ago — promoting American prosperity through responsible corporate governance.

As recent news of a wide-scale hack via a product used by thousands of businesses reminds us, the risks to corporations are vastly different from what they were when Sen. Sarbanes was writing his bill. The impact of the SolarWinds breach, and the growing list of companies and organizations affected, shines a clear light on the acute importance of building a better cyber defense. Cyber attacks are now ubiquitous, and no company is safe. Although businesses have increased their investment in cybersecurity, many CEOs and boards still feel unprepared for the evolving and aggressive tactics employed by the threat actors behind this malicious activity. From retail to finance, hackers have exfiltrated hundreds of millions of business records and items of personal information. Companies such as Yahoo, Marriott International, eBay, Equifax, and Target have all been victims. The increasing frequency, scale, and consequences of these attacks have elevated and broadened the risks corporations face.

Not only do major cyber attacks harm companies, but they also negatively impact investors, markets, rank-and-file employees, and consumers. Yet, these groups are often unable to accurately evaluate their risk exposure because businesses may significantly underreport or delay their reporting of serious cybersecurity problems. Further, some companies may not even have the measures in place to know when a breach has occurred. Among those that do have the capacity to detect a breach, concerns of reputation, cost, or employee morale may dissuade them from sharing information pertinent to investors’ risk calculations.

Fanning is CEO of the Southern Company. Spaulding is former CISA head. Ravich is chair of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. They serve as commissioners of the Cyberspace Solarium Commission, established by the 2019 National Defense Authorization Act to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.” FDD is a nonpartisan think tank focused on foreign policy and national security issues.
