The pressures of dealing with Sarbanes-Oxley (SOX) are forcing most firms to divert their spending away from security, according to a report released by the Internet Security Forum (ISF) today.
The organization surveyed more than 60 companies around the world, most of which are in the Fortune 500, and found that the majority are raiding their security budgets to ensure SOX compliance. Andy Jones, senior research manager at the ISF, says that this is causing gaps in areas such as disaster recovery and business continuity.
Because many firms are focusing their attention on financial systems in an effort to meet the SOX requirements, non-financial systems are being neglected, according to Jones. This means that the critical operational systems in industries such as manufacturing, retail, and travel could run into difficulty. An airline, for example, could face difficulties with its reservation system, says Jones.
Equally worrying is the fact that two-thirds of the firms taking part in the ISF survey don't actually know how much they are spending on SOX compliance. Nine companies said they were spending more than $10 million on compliance, and the remaining five businesses were spending somewhere between $1 million and $10 million.
However, in many respects, it is still early days for SOX compliance. Although the deadline has already kicked in for America's largest firms, earlier this year the Securities and Exchange Commission (SEC) threw a lifeline to what are known as non-accelerated filers (firms with a market cap of less than $75 million). These businesses must now comply for their first fiscal year ending on or after July 15, 2006, a one-year extension on the previous deadline (see SEC Extends Sarbanes Compliance).