OPINION: Repeal SOX
Manufacturing News, Source : The Manufacturer US
Published : 08 Mar 2007 19:06
A famous 1994 poll by Luntz Research claimed that more young Americans believed that UFOs exist than believed that Social Security would exist by the time they retire.
Critics of this poll pointed out that its organizer was later censured by the American Association for Public Opinion Research for failing to disclose the techniques he used in his Contract with America polling for the Republican Party, and they argued that this later lapse cast doubt on his earlier work as well.
Despite the controversy around Luntz's poll, it was widely cited by politicians, for example by then-President Bill Clinton in an address at Georgetown University and by Richard Gephardt in an editorial in The Washington Post. The poll showed that only 37 percent of respondents believed that Social Security would exist by the time they retire. By comparison, a study recently published in the Information Systems Control Journal found that an even smaller proportion of firms in the manufacturing sector believe that compliance with the Sarbanes-Oxley Act (SOX) has had a positive effect on their business: only 27 percent. Will we soon be hearing politicians cite the fact that more young people believe Social Security will exist by the time they retire than manufacturing firms believe SOX has been good for their business?
Opponents of SOX claim that it was poorly conceived and enacted during a regulatory panic, and that $1.4 trillion in market value has been lost due to the effects of the regulation. Even many defenders of SOX admit that the direct compliance costs have been much greater than anticipated; the best estimate for these costs in 2006 alone is approximately $6 billion. Indirect costs are probably much higher, and include the distraction caused by compliance efforts. If a CEO is spending his time on SOX compliance, after all, he is not spending that time keeping costs down and keeping his business competitive.
If firms could justify the compliance costs of SOX through a traditional ROI calculation, they would already have made the necessary investments. So the increase in compliance costs must be from costs that cannot be justified in this way. The return from these additional compliance costs is elusive, and may be impossible to find, particularly for manufacturing firms.
Businesses in the manufacturing sector typically have distributed operations, often with parts of the business located in foreign countries. Such distributed operations have too many variations in IT processes to be easily redesigned for the purposes of SOX compliance. Since standardizing processes is difficult, designing a common IT system, implementing it at each geographic location and then testing all of the relevant controls at each location is virtually impossible. So the lack of enthusiasm for SOX in the manufacturing sector should come as no surprise.
Not implementing measures for which there is no demonstrable return not only makes sense; it is also supported by a 1947 ruling by the distinguished Judge Learned Hand, and the principle that resulted from that decision is often called the "Hand rule." Hand's decision in United States v. Carroll Towing Company was that if the cost of mitigating a risk is greater than the expected benefit of the mitigation, then a reasonable standard of care does not require incurring the cost of the mitigation.
So if there is a 10 percent chance of a $1 million loss from a particular event, the expected loss is 10 percent of $1 million, or $100,000, and there should be no requirement to spend more than $100,000 to mitigate this risk. Similarly, if spending an additional $1 million on internal audit prevents less than $1 million in fraud, it should not be spent. So there is no reason to attempt to eliminate fraud, only to reduce it to a reasonable level: the level at which the cost of any further reduction exceeds the fraud it would prevent. Firms should thus strive to attain this optimal level of fraud instead of the elimination of fraud. It seems likely that the additional controls required by SOX have pushed many firms well below this optimal level in pursuit of the elimination of all fraud, no matter what the cost. The Hand rule tells us that we should not be expected to do this.
SOX compliance has also reallocated investment away from projects that could otherwise increase efficiency and competitiveness. In particular, the budgets of IT departments now often favor compliance at the expense of information security. Visit the web sites of information security vendors and you will see this change reflected in how they position their products. In the past, the focus was typically on demonstrating a sound business case for their technology; such concerns are now secondary to describing how their technology can help with regulatory compliance.
While SOX addresses risks that are perceived to be important, at least by the US government, many information security projects can address risks that are very real. But with the reallocation of funding from information security to compliance, many of these real risks are going unaddressed.
Laptop computers, for example, are widely used, and security industry analysts estimate that there is roughly a 10 percent chance of a given laptop being lost or stolen in a given year. At the same time, the data on these laptops is fairly valuable: one recent poll of laptop users suggested that the data on their laptops was worth an average of roughly $1 million. Using this $1 million estimate for the value of the data, we see that each laptop in use carries roughly $100,000 in annual risk (the 10 percent chance of loss multiplied by the $1 million value of the loss). This risk can easily be mitigated through the use of encryption, which makes the data unreadable to anyone other than the authorized user and effectively stops the loss of data from lost or stolen laptops, provided the encryption key is protected by a credential that whoever ends up with the hardware cannot simply recover from the machine.
The TCO of laptop encryption is roughly $150 per user per year, which makes it an extremely cost-effective way of mitigating the risk of data loss from laptops. On the other hand, because information security projects are now often left unfunded in favor of SOX compliance projects, many laptops that could otherwise be protected with encryption remain unprotected. Thus many firms find themselves accepting risks that would otherwise be mitigated, simply for lack of funding for risk-mitigating technology. So one side effect of SOX is that the government has effectively restricted the ability of businesses to manage risk in areas other than those covered by SOX itself.
The drafters of the SOX legislation probably started with the best of intentions, but the unintended consequences of their law seem to have been fairly significant while the benefits seem modest at best. The one-size-fits-all approach of SOX makes it particularly burdensome in industries like manufacturing, where the nature of the business makes implementing the requirements of SOX unnecessarily expensive. Refining SOX will probably become little more than an exercise in political influence, testing which industries can arrange for the best exemptions for their own constituents. A better solution is to repeal the law and accept that it did not do as good a job as it could have. Improved corporate governance is a good idea, but SOX is the wrong way to make it a reality.
About the Author
Luther Martin is chief security architect at Palo Alto, CA-based Voltage Security, Inc. (www.voltage.com). He is the author of the IETF draft standards on identity-based encryption algorithms and their use in encrypted e-mail, and is a frequent author in the areas of information security, risk management and project management. His interests include pairing-based cryptography and business applications of information security and risk management, and he holds an MS degree in Electrical Engineering from The Johns Hopkins University.