The SEC's cybersecurity disclosure rules — effective December 2023 — have now been in force for over two years. With more than 400 material cybersecurity incident disclosures filed on Form 8-K Item 1.05, a pattern of ITGC implications is emerging that every SOX auditor should understand.
The Rule in Brief
Public companies must disclose material cybersecurity incidents within four business days of determining materiality. They must also disclose annually their cybersecurity risk management program, governance, and strategy on Form 10-K.
Common ITGC Gaps Exposed by Incident Disclosures
- Privileged access monitoring: The majority of disclosed incidents involved compromised privileged accounts — highlighting gaps in PAM controls that ITGC testing should catch
- Third-party access: 38% of disclosed incidents originated through a third-party vendor with access to internal systems — ITGC scoping often excludes vendor access
- Detection and response lag: Average time from compromise to detection remained 197 days — indicating monitoring controls are either absent or not operating effectively
What This Means for Your SOX ITGC Scope
External auditors are now more frequently including privileged access monitoring controls and third-party access controls within ITGC scope, particularly for systems that are in-scope for financial reporting.
Practical step: Review whether your current ITGC scope includes monitoring controls for privileged accounts and vendor access to in-scope systems. If not, expect your auditor to raise this in the next planning meeting.
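As an added example (not code from the article), the scoping review above can be made mechanical: derive which monitoring controls each in-scope system actually needs from its privileged and vendor entitlements, then compare that against the ITGC control inventory. System names, account names, control IDs and test results below are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """One account's access to one system (constructed sample data)."""
    account: str
    system: str
    privileged: bool   # admin / superuser rights on the system
    vendor: bool       # account belongs to a third party, not an employee


@dataclass(frozen=True)
class Control:
    """One ITGC as documented in the control inventory (constructed)."""
    control_id: str
    system: str
    kind: str                   # "pam_monitoring" or "vendor_access_review"
    operating_effectively: bool # result of the latest operating-effectiveness test


# Systems in scope for financial reporting (constructed list).
IN_SCOPE_SYSTEMS = {"ERP-GL", "TREASURY", "HRIS"}

ENTITLEMENTS = [
    Entitlement("admin.jdoe", "ERP-GL", privileged=True, vendor=False),
    Entitlement("svc-msp-support", "ERP-GL", privileged=True, vendor=True),
    Entitlement("vendor-payroll", "HRIS", privileged=False, vendor=True),
    Entitlement("admin.klee", "TREASURY", privileged=True, vendor=False),
    Entitlement("admin.dev", "DEV-SANDBOX", privileged=True, vendor=False),  # out of scope
]

CONTROLS = [
    Control("ITGC-PAM-01", "ERP-GL", "pam_monitoring", operating_effectively=True),
    Control("ITGC-VND-01", "ERP-GL", "vendor_access_review", operating_effectively=False),
    Control("ITGC-PAM-02", "TREASURY", "pam_monitoring", operating_effectively=True),
    # Note: no vendor access control is documented for HRIS at all.
]


def required_controls(entitlements, in_scope):
    """Map each in-scope system to the control kinds its real access data demands."""
    needed = {}
    for e in entitlements:
        if e.system not in in_scope:
            continue
        kinds = needed.setdefault(e.system, set())
        if e.privileged:
            kinds.add("pam_monitoring")
        if e.vendor:
            kinds.add("vendor_access_review")
    return needed


def scope_gaps(entitlements, controls, in_scope):
    """Return (system, control kind, reason) for every required control that is
    either absent from the inventory or documented but failing its test."""
    documented = {(c.system, c.kind) for c in controls}
    effective = {(c.system, c.kind) for c in controls if c.operating_effectively}
    gaps = []
    for system, kinds in sorted(required_controls(entitlements, in_scope).items()):
        for kind in sorted(kinds):
            if (system, kind) not in documented:
                gaps.append((system, kind, "not in ITGC scope"))
            elif (system, kind) not in effective:
                gaps.append((system, kind, "in scope but not operating effectively"))
    return gaps


if __name__ == "__main__":
    for system, kind, reason in scope_gaps(ENTITLEMENTS, CONTROLS, IN_SCOPE_SYSTEMS):
        print(f"{system}: {kind} -> {reason}")
```

Feed it the real entitlement export and control inventory and the output is the list of items an auditor is likely to raise at the planning meeting.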