Cybersecurity for SOX 2026


Following is my latest article in The CFO’s Edge series on “Cybersecurity for SOX: 2026 and Beyond”.  This is part of an ongoing series that includes pre-recorded webinars and articles.  I’ll have content for all sizes of public and private companies.  Let me know your ideas.

Over the course of my career with PwC, Deloitte, and now SingerLewak, I’ve focused not only on delivering strong project outcomes for financial and IT executives, but also on sharing meaningful value through in-person CFO gatherings, benchmarks, webinars & articles.  These events have featured speakers from Nasdaq, Donnelley, law firms, venture capitalists, and CFOs.

I’ve had the privilege of supporting hundreds of CFOs with best practices and internal controls, and I’m excited to share insights from that experience.

I’d love to tailor future content to your preferences—whether that’s longer live webinars for CPE credit, in-person networking events, recorded short-form webinars, or articles. Just let me know what works best for you.

Cybersecurity for SOX: 2026 and Beyond

By Eric Weis,

National Partner in Charge – SOX, Risk & Internal Audit Services

Singer Lewak LLP

1. Introduction

The Sarbanes‑Oxley Act (SOX) of 2002 significantly strengthened internal controls, financial reporting, and executive accountability to protect investors from fraudulent reporting.

In today’s digital business landscape, cybersecurity is no longer a separate IT domain—it directly influences the confidentiality, integrity, and availability of financial data. Breaches, ransomware attacks, compromised credentials, or supply-chain vulnerabilities can disrupt financial systems, jeopardize reporting, and damage stakeholder trust. As a result, cybersecurity has become central to SOX compliance, influencing areas from internal controls to executive certifications.

Important SOX sections influenced by cybersecurity:

  • Section 302 — CEO and CFO certification of financials
  • Section 404 — Annual assessment of Internal Control over Financial Reporting (ICFR) and related IT General Controls (ITGCs)
  • Section 409 — Real-time disclosure of material changes in financial condition or operations; the SEC’s 2023 rules apply the same prompt-disclosure principle to material cybersecurity incidents
  • Section 802 — Retention and protection of records, with criminal penalties for altering, destroying, or falsifying them

SOX provisions promote stringent cybersecurity practices, including:

  • Internal Control Over Financial Reporting (ICFR)
  • Risk assessment and management
  • Data integrity and confidentiality
  • Incident reporting and response
  • Third-party supply chain oversight
  • Auditor independence and review of technology controls

Integrating cybersecurity into the SOX control framework is essential to defend against threats to financial integrity.

2. Core Technical Components Under SOX

2.1 Internal Control Over Financial Reporting (ICFR)

Under Section 404, public companies must establish and maintain ICFR. While the focus is on controls that ensure accurate reporting, cybersecurity controls—including access restrictions, data encryption, and intrusion detection systems—are essential to prevent unauthorized modifications or disclosures of financial data.

Key cybersecurity controls under ICFR include:

  • Role-based Access Control
  • Data Encryption
  • Intrusion Detection Systems
  • Audit logging and monitoring

2.2 Risk Assessment and Management

SOX strengthens the requirement for companies to identify and reduce risks to financial reporting. Cybersecurity risks, such as unauthorized access, breaches, malware infections, and unpatched vulnerabilities, are now treated as central financial reporting risks. Companies must:

  • Regularly assess cyber threats to the systems that feed the financial close
  • Evaluate system vulnerabilities and unremediated findings
  • Implement, and test, controls that counter those risks

2.3 Data Integrity and Confidentiality

SOX requires data accuracy and retention. Cybersecurity supports this through:

  • Encryption of data at rest and in transit
  • Integrity checks (e.g., hashing, digital signatures)
  • Strict access control policies

Maintaining these safeguards ensures that financial data remains accurate and secure.
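The hashing and digital-signature bullet above is the one on this page that maps directly onto code. The following is an added example, not code from the article or from SingerLewak: a tamper-evident journal in Python in which every entry’s HMAC tag also covers the previous entry’s tag, so editing or deleting any record invalidates everything after it. The signing key, the entry fields and the three journal lines are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. In production the key lives in an HSM or secrets manager and the
# application tier that writes journal entries never holds it; a separate signing service does.
SIGNING_KEY = b"demo-only-key-do-not-use"
GENESIS = "0" * 64  # tag assumed for "the record before the first one"


def canonical(entry):
    """Deterministic serialization so identical content always produces identical bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag, entry):
    """HMAC over (previous tag || entry): binds each record to its predecessor."""
    return hmac.new(SIGNING_KEY, prev_tag.encode() + b"|" + canonical(entry), hashlib.sha256).hexdigest()


def append_entry(chain, entry):
    """Append an entry whose tag covers both the entry and the previous tag (a hash chain)."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    record = {"entry": entry, "prev": prev_tag, "tag": _tag(prev_tag, entry)}
    chain.append(record)
    return record["tag"]


def verify_chain(chain):
    """Recompute every tag from the genesis value. Returns (ok, index_of_first_bad_record)."""
    prev_tag = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_tag or not hmac.compare_digest(_tag(prev_tag, rec["entry"]), rec["tag"]):
            return False, i
        prev_tag = rec["tag"]
    return True, None


def build_sample_chain():
    """Three constructed journal entries; not real financial data."""
    chain = []
    append_entry(chain, {"je": 1001, "account": "4000-Revenue", "amount": 12500.00, "user": "aparker"})
    append_entry(chain, {"je": 1002, "account": "1200-AR", "amount": -12500.00, "user": "aparker"})
    append_entry(chain, {"je": 1003, "account": "6100-Expense", "amount": 980.25, "user": "jlee"})
    return chain


def demo():
    """Show that both a silent edit and a deleted record are detected."""
    clean = verify_chain(build_sample_chain())
    edited = build_sample_chain()
    edited[1]["entry"]["amount"] = -1250.00   # direct database edit that bypasses the application
    deleted = build_sample_chain()
    del deleted[1]                             # record removed; the next record's prev no longer matches
    return clean, verify_chain(edited), verify_chain(deleted)


if __name__ == "__main__":
    print(demo())  # (True, None), (False, 1), (False, 1)
```

The property only holds if the signing key is not available to whoever can write to the database. In practice the tags are computed by a separate service, the chain is shipped to a write-once store the DBA cannot reach, and the verifier runs on a schedule, so the auditor’s evidence is a verification report rather than the table itself.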

2.4 Incident Reporting and Response

In July 2023 the Securities and Exchange Commission (SEC) adopted rules requiring public companies to:

  1. Disclose a cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that it is material
  2. Describe their cybersecurity risk management, strategy, and governance annually in Form 10-K (Regulation S-K Item 106)

Note that the four-day clock starts at the materiality determination, not at discovery, and that determination must itself be made without unreasonable delay. These requirements formalize the cybersecurity linkage to SOX, including:

  • Development of incident response plans that route incidents to the disclosure committee
  • Fast identification, reporting, and management of cybersecurity incidents
  • Internal escalation procedures so that the CEO and CFO certifying under Section 302 know what the security team knows

2.5 Third-Party and Supply Chain Risk Management

SOX requires oversight of external entities that affect financial reporting. This now explicitly extends to:

  • Evaluating vendor cybersecurity practices, for example by obtaining and reviewing SOC 1 Type 2 reports for service organizations that process financial transactions and mapping their complementary user entity controls to your own
  • Ensuring that third-party systems comply with security baselines
  • Monitoring data flows to detect unauthorized exposures

2.6 Auditor Independence and Technical Oversight

SOX mandates that financial statements be audited by independent auditors. Today, auditors routinely assess cybersecurity controls that:

  • Secure data systems
  • Enforce access and change management
  • Support auditor evaluation of control effectiveness

3. Escalating SEC Enforcement Actions

Recent years have seen increased regulatory actions tying cybersecurity failures to financial misreporting and SOX violations:

  1. Unisys received a $4 million civil penalty (October 2024) for describing cyber risk as hypothetical in its filings when it already knew of intrusions related to the SolarWinds compromise, and for understating their scope.
  2. Avaya paid $1 million in the same action for stating that a limited number of email messages had been accessed when it knew the intruder had also reached files in its cloud file-sharing environment.
  3. Check Point and Mimecast paid just under $1 million each in the same action for minimizing the same SolarWinds-related intrusions in their disclosures.

In a separate June 2024 action, R.R. Donnelley & Sons settled charges that, following a 2021 ransomware intrusion, it lacked adequate disclosure controls and procedures under Rule 13a-15(a) of the Securities Exchange Act, the rule that implements SOX Sections 302 and 404, and paid a $2.125 million penalty.

These actions highlight that:

  • Inaccurate or minimized disclosures of cyber incidents are charged under the securities laws’ antifraud and reporting provisions, not treated as mere IT lapses
  • Deficiencies in disclosure controls themselves, separate from the underlying breach, attract direct penalties
  • Organizations must ensure accurate, complete disclosure and alignment between cybersecurity and financial governance

4. Legislative & Regulatory Momentum

4.1 Cybersecurity Systems and Risks Reporting Act (CSRRA)

The Cybersecurity Systems and Risks Reporting Act (CSRRA) proposes amending SOX to explicitly link cybersecurity to financial reporting controls. Key provisions include:

  • Annual confirmation that cybersecurity systems are part of internal financial controls
  • Disclosure of whether audit committees contain cybersecurity expertise

If enacted (expected to advance in late 2025 and potentially pass in 2026), CSRRA would require explicit discussion of cybersecurity capabilities in financial control reports.

4.2 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022, will require covered entities in critical-infrastructure sectors to:

  • Report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours
  • Report any ransomware payment within 24 hours

These obligations take effect only once CISA’s implementing rule is final (a proposed rule was published in April 2024). Once in force they will sit alongside the SEC’s four-business-day Form 8-K deadline for material incidents, so a single incident can trigger two reports on different clocks, to different audiences, with different materiality tests. That demands a coordinated disclosure playbook rather than two teams working in isolation.

4.3 California State Cybersecurity Mandates

California is leading state-level cybersecurity legislation:

  1. California Privacy Protection Agency (CPPA) regulations—effective January 1, 2026:
    • Mandate risk assessments of cybersecurity programs
    • Require independent cybersecurity audits, scaled by revenue:
      • Over $100 million revenue: audits due April 1, 2028
      • $50–100 million: audits due April 1, 2029
      • Under $50 million: audits due April 1, 2030
    • Audits must be conducted by qualified, independent assessors
  2. California IoT Security Law:
    • Requires reasonable security features (unique passwords, authentication) for internet-connected devices
    • Impacts healthcare devices and administrative financial systems

These are privacy and consumer-protection rules rather than amendments to SOX, but the audits, risk assessments and control expectations they impose overlap heavily with SOX ITGC work. Companies handling consumer or health data should plan one control set and one evidence base that satisfies both, rather than running parallel programs.

5. Case Studies and Historical Breaches

5.1 Unisys & Avaya — Misleading Disclosure of SolarWinds-Related Intrusions

Both companies paid civil penalties for minimizing the scope of intrusions tied to the SolarWinds compromise and for describing the associated risk as hypothetical after it had already materialized. The lesson is that disclosure controls and procedures, the process that gets what the security team knows in front of the people who sign the filings, are as much a control as any firewall.

5.2 SolarWinds — Supply Chain Risks Hit Financial Systems

The trojanized Orion updates of 2020 showed how one vendor’s build pipeline can become a path into thousands of customers, finance systems included. The SEC’s 2023 complaint against SolarWinds itself alleged:

  • Weak control over the security of its own software and build environment
  • Public statements about password and access-control practices that did not match internal findings
  • That these failures were material to investors, which in effect pulls third-party and supply-chain risk into the disclosure controls conversation

A caveat worth knowing: in July 2024 the court dismissed most of the SEC’s claims, including those based on internal accounting controls, leaving only the claims tied to SolarWinds’ public security statement. The case still shows where regulators look, but it is not settled precedent that ICFR reaches cybersecurity controls.

5.3 Pearson plc — Delay in Patch Management and Disclosure

Pearson learned in March 2019 that a breach had occurred, yet its mid-2019 report still described a data-breach risk as hypothetical; the SEC also found that it had left a critical vulnerability unpatched for months after the fix was available. Pearson settled in 2021 for $1 million over inadequate disclosure controls and procedures.

5.4 Change Healthcare & Ascension Health (2024)

  • The February 2024 ransomware attack on Change Healthcare, the largest claims clearinghouse in the US, exposed data on roughly 190 million individuals and halted claims processing and payments for weeks, leaving providers unable to bill or forecast cash
  • The May 2024 ransomware attack on Ascension took its electronic health record (EHR) system offline; Ascension later reported a financial impact of about $1.1 billion, a cautionary example of how an operational outage becomes a financial reporting event

5.5 Dropbox Sign (2024)

A compromise exposed credentials and authentication metadata, underscoring the risk poor authentication controls pose to financial system security.

5.6 NotPetya Ransomware (2017)

NotPetya spread through a compromised update of a Ukrainian accounting package and destroyed systems worldwide. Merck, Maersk, FedEx’s TNT unit and others recognized losses in the hundreds of millions of dollars and had to quantify and disclose them, showing how a breach can reach ICFR directly (destroyed ledgers, manual close processes) and how quickly it becomes a disclosure question.

6. Cyber-SOX Compliance Controls & Best Practices

Implementing the following measures helps align cybersecurity with SOX requirements:

6.1 Identity & Privileged Access Management

  • IAM (Identity and Access Management) with strong authentication and provisioning
  • Privileged Access Management (PAM) with session recording
  • Integration of SoD (Segregation of Duties) controls
  • Favor long passphrases (14+ characters) over complexity rules, and screen new passwords against breached-password lists, in line with NIST SP 800-63B
  • Ban password reuse and shared credentials; rotate on suspected compromise rather than on a calendar
  • Use password managers to store and generate secure passwords
  • Restrict shared account access and enforce strict logging for service accounts, which should never log in interactively

6.2 Multi-Factor Authentication (MFA)

  • Require at least two factors, e.g., password plus a hardware key, biometric, or one-time code
  • Avoid SMS or email OTP; for finance, ERP administration and other privileged roles prefer phishing-resistant methods (FIDO2 security keys or passkeys), since push prompts and authenticator-app codes can be relayed by real-time phishing kits

6.3 Phishing Awareness Training

  • Conduct regular training sessions, including simulated phishing exercises
  • Reinforce the importance of spotting and reporting threats

6.4 Secure Data Handling

  • Educate staff on the sensitivity of financial data
  • Apply data classification policies and procedures for storage and transmission
  • Users should know how to handle, transfer, and protect sensitive data

6.5 Device Security

  • Equip devices (laptops, desktops, mobile) with up-to-date endpoint detection and response (EDR), not just signature antivirus
  • Use whole-disk encryption to protect data-at-rest
  • Employ remote-wipe features to recover or disable stolen devices

6.6 Secure Remote Work

  • Use secure remote access, such as virtual private networks (VPNs) and encrypted remote desktop tools
  • Ensure all connections are encrypted to prevent interception

6.7 Incident Reporting and Response

  • Create clear incident escalation procedures for suspected breaches
  • Empower and encourage prompt reporting of incidents
  • Conduct routine incident response drills aligned with financial system threats

6.8 Continuous Security Awareness

  • Provide ongoing cybersecurity training with real examples and case studies
  • Cultivate a culture of vigilance and compliance across departments

6.9 Continuous Monitoring & Anomaly Detection

  • Organizations need real-time detection systems—including Security Information and Event Management (SIEM) platforms and automated analytics—to monitor identity systems, configurations, and privileged access continuously
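As an added illustration (not code from the article), here is what the bullet above looks like when reduced to detection logic. It is Python run over a handful of constructed ERP audit events; the user names, role names, reference sets and business-hours window are all assumptions for the demo, and a SIEM would express the same rules in its own query language. The point it makes that the bullet alone does not is that the useful rules are stateful (a privilege grant earlier in the stream changes how a later journal posting is judged) and depend on reference data from HR and IAM.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events (not from any real system). One event per line:
# ISO timestamp followed by key=value pairs.
SAMPLE_LOGS = """\
2026-03-02T09:15:02Z user=jlee event=login.success target=erp-prod src=10.1.4.22
2026-03-02T10:02:11Z user=jlee event=priv.grant grantee=aparker role=GL_ADMIN target=erp-prod src=10.1.4.22
2026-03-02T23:41:57Z user=aparker event=journal.post target=erp-prod amount=48000 src=10.1.4.30
2026-03-03T02:10:09Z user=svc-batch event=login.interactive target=erp-prod src=10.1.9.5
2026-03-03T08:30:00Z user=tmorgan event=login.success target=erp-prod src=10.1.4.41
2026-03-03T08:31:12Z user=tmorgan event=journal.post target=erp-prod amount=300 src=10.1.4.41
2026-03-03T09:00:00Z user=jlee event=config.change target=erp-prod key=approval_threshold old=5000 new=500000 src=10.1.4.22
"""

# Reference data a real deployment would pull from IAM, the HR feed and the CMDB (all constructed here).
APPROVED_ADMINS = {"jlee"}                 # users allowed to change ERP configuration
TERMINATED_USERS = {"tmorgan"}             # accounts the HR feed says were deprovisioned
SERVICE_ACCOUNTS = {"svc-batch"}           # non-human accounts that must never log in interactively
CONTROL_PARAMETERS = {"approval_threshold", "sod_rules", "posting_period_lock"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # UTC window in which journal posting is expected


def parse_event(line):
    """Turn 'ts k=v k=v ...' into a dict, with the timestamp parsed under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text):
    """Run the rules over the events in order; return (rule, user, detail) alerts."""
    alerts = []
    granted_roles = defaultdict(set)  # grantee -> roles granted earlier in the stream
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        user, kind, clock = ev["user"], ev["event"], ev["ts"].time()

        if user in TERMINATED_USERS:                       # any activity at all is an alert
            alerts.append(("TERMINATED_USER_ACTIVITY", user, kind))
        if user in SERVICE_ACCOUNTS and kind == "login.interactive":
            alerts.append(("SERVICE_ACCOUNT_INTERACTIVE", user, ev.get("src")))
        if kind == "priv.grant":                           # remember who now holds admin roles
            granted_roles[ev["grantee"]].add(ev["role"])
        if kind == "config.change":
            if user not in APPROVED_ADMINS:
                alerts.append(("UNAPPROVED_CONFIG_CHANGE", user, ev.get("key")))
            if ev.get("key") in CONTROL_PARAMETERS:
                # Changes to control parameters are always reviewed, even when made by an approved admin
                alerts.append(("CONTROL_PARAMETER_CHANGE", user,
                               f"{ev.get('key')}:{ev.get('old')}->{ev.get('new')}"))
        if kind == "journal.post":
            if not BUSINESS_HOURS[0] <= clock <= BUSINESS_HOURS[1]:
                alerts.append(("OFF_HOURS_POSTING", user, ev.get("amount")))
            if "GL_ADMIN" in granted_roles[user]:          # segregation of duties: admins do not post
                alerts.append(("SOD_ADMIN_POSTED_JOURNAL", user, ev.get("amount")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Two design points carry over to a real SIEM: the terminated-user and service-account rules are only as good as the freshness of the HR and IAM feeds behind them, and the SoD rule needs state (the grant) that lives in a different log than the posting, which is why identity and application logs must land in the same place.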

6.10 AI-Enhanced Risk Management

  • Automate anomaly detection and control failure alerts
  • Auto-compile audit evidence for auditors and executives
  • Provide real-time compliance dashboards

6.11 Cloud & Third-Party Risk Controls

  • Configuration governance, API logging, and audit trails must be extended into SOX’s ICFR
  • Supply‑chain vetting must consider cybersecurity frameworks

6.12 Healthcare-Specific Cyber-SOX Risk

  • ePHI (electronic protected health information) adds complexity under both HIPAA (Health Insurance Portability and Accountability Act) and SOX
  • Legacy networks, Internet of Things (IoT), Picture Archiving and Communication Systems (PACS), and mobile devices increase vulnerabilities

7. Industry-Specific Considerations

7.1 Healthcare Sector

  • Dual compliance with HIPAA and SOX for patient data and billing systems
  • Vulnerable points: legacy networks, medical Internet of Things (IoT), clinical systems such as Picture Archiving and Communication Systems (PACS), and administrative workstations
  • Ransomware in clinical systems can halt billing, disrupt revenue, and trigger SOX reporting failures

7.2 Technology Industry

  • Risk from continuous integration/continuous deployment (CI/CD) pipelines and malicious code injection
  • Ensure secret management and encryption for financial configuration
  • All production infrastructure changes should be logged and auditable

8. Evolving Cyber–SOX Framework (2026 Blueprint)

  1. Governance
    • Integrate SOX, HIPAA, and privacy
    • Real-time screening of security controls
  2. Identity and Access Controls
    • Single Sign-On (SSO), Multi-Factor Authentication (MFA)
    • Privileged Access Management (PAM) with monitoring, session recording and vaulting
  3. Continuous Monitoring & Logging
    • Adopt Security Information and Event Management (SIEM) ingesting endpoints, cloud, and IoT
    • Log aggregation and anomaly detection
  4. Change & Configuration Management
    • Controlled CI/CD pipelines. Continuous Integration (CI): developers frequently merge code changes into a shared repository, where automated builds and tests run to detect issues early. Continuous Delivery/Deployment (CD): automates the release process so that code changes can be deployed to production quickly and reliably. These pipelines should have governance and security measures in place, such as:
      • Approval gates before deploying to production
      • Role-based access control
      • Compliance checks and audit trails
      • Integration with change management processes
    • Infrastructure as code with auditability: automated provisioning and configuration of infrastructure should be traceable, reviewable, auditable, and approved
  5. Incident Response & Disclosure
    • Pre-wired for the SEC’s four-business-day Form 8-K deadline and CIRCIA’s 72-hour CISA deadline
    • Forensic readiness embedded in the response playbook
  6. Risk Assessments, Penetration Testing & Red Team Exercises
    • Threat hunting, supply-chain testing, patch evaluation
  7. AI-Powered Dashboards & Evidence Packages
    • Real-time attestation and automated audit deliverables
    • Use AI to detect threats, evaluate risks, and auto-generate evidence
  8. State-Level Compliance Integration
    • Incorporate California cybersecurity audit and risk requirements
    • Annual audit certifications and risk-assessment submissions to the CPPA
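The change and configuration management item above and the segregation-of-duties bullet in section 6.1 both come down to the same check: nobody approves their own production change, approval precedes deployment, what shipped is what was reviewed, and every production record is tied to a ticket. The following is an added example, not code from the article or from any CI/CD vendor, of that check run retrospectively over deployment records the way a continuous-auditing job would. The approver group, change IDs and records are constructed; a real job would read them from the pipeline’s deployment API and the ticketing system.

```python
import hashlib
import json
from datetime import datetime

# Constructed approver group; in practice sourced from the change advisory board's IAM group.
CAB_APPROVERS = {"it-controls-lead", "finance-systems-owner", "sre-oncall"}


def check_change(change):
    """Return the control violations found in one deployment record (empty list = clean)."""
    violations = []
    if change["environment"] != "prod":
        return violations  # non-production changes are out of scope for this check
    if not change.get("ticket"):
        violations.append("NO_CHANGE_TICKET")
    approvals = change.get("approvals", [])
    if not approvals:
        violations.append("NO_APPROVAL")
    deployed_at = datetime.fromisoformat(change["deployed_at"])
    for approval in approvals:
        if approval["by"] == change["author"]:
            violations.append("SELF_APPROVAL")            # segregation of duties
        if approval["by"] not in CAB_APPROVERS:
            violations.append("APPROVER_NOT_AUTHORIZED")  # approval must come from the CAB group
        if datetime.fromisoformat(approval["at"]) > deployed_at:
            violations.append("APPROVAL_AFTER_DEPLOY")    # approval must precede release
    if change.get("deployed_commit") != change.get("reviewed_commit"):
        violations.append("DEPLOYED_COMMIT_NOT_REVIEWED")  # what shipped must be what was approved
    return violations


def evidence_record(change):
    """The audit-trail line an evidence package keeps: change id, findings, fingerprint of the record."""
    canonical = json.dumps(change, sort_keys=True, separators=(",", ":")).encode()
    return {
        "change_id": change["id"],
        "violations": check_change(change),
        "sha256": hashlib.sha256(canonical).hexdigest(),
    }


def review(changes):
    """Map each change id to its violations; the basis for a continuous-auditing dashboard."""
    return {c["id"]: check_change(c) for c in changes}


# Constructed deployment records, shaped like an export from a CI/CD system's deployment log.
SAMPLE_CHANGES = [
    {"id": "CHG-1001", "environment": "prod", "author": "dev-anna", "ticket": "FIN-482",
     "reviewed_commit": "a1b2c3", "deployed_commit": "a1b2c3", "deployed_at": "2026-02-10T14:05:00",
     "approvals": [{"by": "it-controls-lead", "at": "2026-02-10T13:40:00"}]},
    {"id": "CHG-1002", "environment": "prod", "author": "dev-raj", "ticket": "FIN-490",
     "reviewed_commit": "d4e5f6", "deployed_commit": "d4e5f6", "deployed_at": "2026-02-11T09:00:00",
     "approvals": [{"by": "dev-raj", "at": "2026-02-11T08:55:00"}]},
    {"id": "CHG-1003", "environment": "prod", "author": "dev-anna", "ticket": "",
     "reviewed_commit": "0a0b0c", "deployed_commit": "0a0b0d", "deployed_at": "2026-02-12T18:20:00",
     "approvals": [{"by": "sre-oncall", "at": "2026-02-12T18:45:00"}]},
    {"id": "CHG-1004", "environment": "staging", "author": "dev-raj", "ticket": "",
     "reviewed_commit": "123456", "deployed_commit": "123456", "deployed_at": "2026-02-12T10:00:00",
     "approvals": []},
]

if __name__ == "__main__":
    for change_id, found in review(SAMPLE_CHANGES).items():
        print(change_id, found or "clean")
```

The commit comparison is the check most pipelines miss: an approval gate that approves a pull request but lets the deploy job check out a later commit gives the auditor an approval record for code that never shipped. The evidence fingerprint lets the evidence package be reconciled against the pipeline later without re-exporting it.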

9. Emerging Cybersecurity and Risk Trends

  • Adversarial AI: malicious use of AI by attackers, including automated phishing and impersonation of executives in payment-fraud attempts
  • Post-quantum cryptography readiness: inventorying where RSA and elliptic-curve keys protect financial data and planning migration to the NIST standards finalized in 2024 (FIPS 203, 204 and 205)
  • Internet of Things (IoT) and Operational Technology (OT): new endpoints in healthcare financial ecosystems
  • Supply-chain risk: third-party software, build tools and update channels serve as attack vectors

10. Roadmap: Preparation Through 2027

Period: Actions

2025: Baseline cybersecurity controls, SIEM deployment, IAM setup, incident review under the SEC incident-disclosure rules
Early 2026: Implement CI/CD controls, introduce SoD and continuous auditing automation, secure cloud configurations
Late 2026: Deploy AI dashboards, conduct red-team exercises, unify SOX-security evidence systems
2027+: Migrate to post-quantum cryptography, predictive compliance, global rollouts and regulatory harmonization

11. Summary

Cybersecurity under SOX is evolving from periodic compliance exercises into continuous governance-driven assurance systems. Organizations must integrate proactive identity controls, incident readiness, supply-chain risk management, and AI-driven monitoring into their internal control frameworks. Legislative pressure is increasing across federal (SEC, CIRCIA) and state levels (especially California). Pending laws like the Cybersecurity Systems and Risks Reporting Act could further tighten cybersecurity accountability. Firms that elevate cybersecurity as a financial control—not just an IT discipline—will reduce risk, gain regulatory advantage, and earn investor trust.

Key cybersecurity best practices—strong password use, multi-factor authentication, phishing training, encrypted devices, secure remote infrastructure, incident management, and ongoing awareness—are essential components of SOX compliance.

Regulatory and enforcement momentum is strong:

  • The SEC has fined several firms for misleading cyber disclosures
  • Pending legislation like the CSRRA may explicitly embed cybersecurity into SOX
  • CIRCIA adds mandatory cyber incident timing obligations
  • California’s evolving laws require cybersecurity audits, risk assessments, and specific protections for consumer and IoT data

By embedding cybersecurity deeply into SOX frameworks, companies can not only avoid penalties and legal risk but also strengthen investor trust, operational resilience, and their long-term strategic position.

As SOX requirements continue to evolve, cybersecurity will define the difference between organizations that simply react to regulation and those that build lasting resilience. Companies that invest now in modern controls, continuous monitoring, and clear governance will be better prepared for enforcement, better equipped to protect financial integrity, and better positioned to earn stakeholder confidence. Cyber-SOX isn’t just about compliance—it’s about safeguarding the future of the business.

 
