Any MSP working with publicly traded companies or handling sensitive financial data must understand Sarbanes-Oxley (SOX) compliance and regulations. It is also beneficial for MSPs with clients in the private sector to familiarize themselves with SOX because the principles align with broader IT governance and security best practices, said Scott Richman, founder and owner of Nerds Support.
“MSPs need to understand SOX because it regulates financial reporting and data security for publicly traded companies, many of which depend on MSPs to manage their IT infrastructure,” Richman explained. By knowing the ins and outs of SOX, “MSPs can help ensure data integrity, implement required security measures, and support compliance audits by maintaining accurate system records,” he said.
Most MSPs don’t need to have SOX knowledge — but they do need SOX awareness, according to Mike Semel, president and chief compliance officer at Semel Consulting.
“The reason to be aware is if an opportunity arises with a publicly traded company that the MSP will understand what they need to do and if there should be additional fees because of the client’s needs,” he explained.
MSPs with a good understanding of SOX can implement better security practices, reducing overall risk, said Gary Yu, deputy CIO and vice president of Blue Mantis. Because publicly traded companies are subject to other regulations besides SOX, “This knowledge also puts MSPs in a better position to support customers … The byproduct of this will be increased and improved client trust,” Yu said. “Having SOX knowledge is a competitive advantage as well. Offering services that cater to a customer’s compliance needs is a market differentiator.”
Key Aspects of SOX Compliance
The first thing to know about SOX is that it is a financial regulation that focuses on the integrity of financial information and doesn’t discuss cybersecurity — leaving a lot to be interpreted, observed Semel.
For example, Section 404 of the regulation requires “Internal Controls Over Financial Reporting,” but doesn’t spell out all that should be done to secure data, Semel said. “Risk assessments, cybersecurity controls, and reporting can all be assumed, but there is no checklist for cybersecurity compliance.”
However, if an MSP delivers their services in a way that is aligned with a recognized cybersecurity framework, especially one from a federal agency, “it will be difficult for a SOX auditor, another regulator, or a lawyer suing a company after a breach to argue that the government-recommended cybersecurity program isn’t reasonable,” Semel noted.
IT Security and Data Management Requirements
The easiest way to help clients prepare to comply with federal regulations is to implement the security practices in a federal cybersecurity framework like the NIST Cybersecurity Framework, Semel said.
Noting that he has more than 20 years of experience working with federal regulators, Semel believes that “showing a regulator that your services align with a NIST framework will result in passing their audit faster than if you showed you implemented a non-government framework like CIS Controls.”
If an MSP delivers its services based on the NIST framework, “it will be difficult for any regulator or lawyer to argue against the recommendations of the U.S. government,” Semel added.
Strong security controls include encryption, firewalls, access management, and multi-factor authentication to protect sensitive data, Richman said. Implementing these is “crucial for preventing unauthorized access to sensitive financial systems.” Additionally, MSPs should deploy reliable backup and recovery processes, ensuring data is secure, accurate, and easily recoverable in case of failure or breach, he said. These practices help meet compliance and reduce the risk of data loss or manipulation.
However, the challenge for MSPs providing services to every regulated entity — not just public companies with SOX requirements — is that it’s not enough to just deliver great services, Semel stressed.
“If there is an audit, investigation, or lawsuit, the first demand will be for documentation, often going back months or years. If your client is audited and the demand is for two years of risk assessments, equipment inventories, patch status reports, vulnerability scans, etc., you can’t just create those when the audit letter shows up,” he said.
Richman agreed, saying that MSPs also need to ensure audit readiness by maintaining detailed logs of system activities to provide a clear audit trail.
Semel suggested that MSPs add documentation-as-a-service to their technical services so their clients pay for documentation to create a library to have when needed. “This is easy and can be very profitable.”
The Implications of Not Being SOX Compliant
Failing to stay SOX compliant can have serious consequences for companies. “Non-compliance can result in hefty financial penalties, legal consequences, and reputational damage,” Richman said. “For example, companies may face fines in the millions, and company executives could be held personally liable, leading to criminal charges or imprisonment in severe cases.”
Semel echoed that, saying non-compliance for public companies “is a big deal, because of the regulations that are designed to protect investors.” He pointed out that in October, the SEC charged four companies with misleading disclosures after the SolarWinds breach, for incidents that occurred in 2020 and 2021. The penalties started at just under $1 million and one was $4 million.
Beyond the legal and financial risks, non-compliance can erode trust with investors and customers, causing long-term damage to the business, Richman added. “Publicly traded companies that don’t comply may also see their stock value plummet, further harming their financial standing.”
“This may only be the beginning of their misery because shareholders are likely to sue for compensation based on how the misleading information affected the stock price and their share value,” Semel agreed. “Companies that work with the government could lose contracts and they may simply lose public trust with current and prospective customers.”
Operational disruption is also possible, since the need to address compliance and regulatory needs may divert resources from business operations, Yu said.
Advice for MSPs
Earning a data compliance certification goes a long way in providing clients with peace of mind, Richman said. “To start the process, MSPs should undergo a third-party audit to evaluate their data security practices, internal controls, and compliance readiness. This audit helps pinpoint any gaps that need to be addressed before pursuing certification.”