In 2001, we witnessed two major corporations, Enron and WorldCom, going bankrupt because executive management was egregiously manipulating financial statements. The impact on the U.S. economy was massively detrimental. As a result, the U.S. Security and Exchange Commission (SEC) drafted the Sarbanes-Oxley Act of 2002 (SOX) to protect against such fraudulent activities. However, it took years for the economy to recover.
We then saw one of the worst global depressions in history in 2008 when another major financial institution went under and created a massive economic meltdown. Once again, it took years for the economy to recover, this time on a global scale.
In both of these historical events, a snowball created an avalanche. The downfall of a single major corporation can have a devastating effect on one of the strongest economies in the world. So, why dredge up bleak economic history? Because it can happen again. On the plus side, we can attempt to prevent it from happening.
The problem to be cognizant of today is our reliance on technology and interconnectedness in conducting business. We are also at a time where other nations would love to see the U.S. economy suffer. Cyberattacks are not just conducted by malicious people out to make a dollar. These attacks are now being carried out by hacktivists and nation states wanting to do major damage to not just the company they are targeting, but something much larger like the U.S. economy.
While SOX focuses on IT controls to prevent financial fraud by proving the integrity of financial statements reported to the SEC, it does not directly address cybersecurity. What about all the IT controls that must be put in place and audited under the SOX directive?
These controls are set by and agreed upon by a company’s Board of Directors and audit board. Many are general IT controls and may or may not be security centric. There are no strict mandates or cybersecurity guidance under SOX. An audit will look to see if the controls are in place and report violations as weaknesses. If the weaknesses are serious enough, or if a breach occurs as a result, they will be disclosed to the SEC and reported in corporate financial statements, such as the Form 10-K, as material weaknesses. This disclosure can have an impact on the reputation and valuation of the company.
SOX does not help companies prevent a cyberattack. This problem was recently highlighted by a very serious public exploit targeting an SAP vulnerability, dubbed 10KBLAZE. 98% of the Fortune 1000 use ERP systems like SAP and Oracle and 77% of the world’s revenue touches these systems. The 10KBLAZE exploits that Onapsis addressed yesterday can potentially have such a detrimental impact on a company’s financial health that it could impact the overall economy.
What’s even more scary is that 50,000 companies and a collective 1,000,000 systems are currently configured using SAP NetWeaver and S/4HANA. The Onapsis Research Labs believes that nearly 90% of these systems, approximately 900,000, suffer from the misconfigurations for which these exploits are now publicly available. This misconfiguration vulnerability was originally addressed by SAP in a Security Note 10 years ago with two others since. If 90% of these systems are impacted, you do not have an IT control in place that is going to help keep you protected.
Remember the aforementioned snowball effect? Now think of the catastrophic possibility of thousands of major companies going down and the impact on the U.S. and global economies. While the SEC must put more emphasis on cybersecurity for SOX to better address the challenges, we must collectively get tougher on how protect our most business-critical ERP systems and applications. This is the Onapsis mission, and we are here to help.