
IT CRIMES & CYBERATTACKS AND THE LEGISLATION RELEVANT TO INFORMATION TECHNOLOGY

RAYMART D. ETCHON, CPA


BASIC RULES

LISTEN! WRITE! ASK!


WHAT IS CYBERCRIME?
Cybercrime is criminal activity that either targets or uses a
computer, a computer network or a networked device.
Most cybercrime is committed by cybercriminals or hackers
who want to make money. However, occasionally
cybercrime aims to damage computers or networks for
reasons other than profit. These could be political or
personal.
Cybercrime can be carried out by individuals or
organizations. Some cybercriminals are organized, use
advanced techniques and are highly technically skilled.
Others are novice hackers.
WHAT ARE THE THREE TYPES OF CYBER CRIMES?

There are three major categories of cyber crimes:


1. Crimes Against People
These crimes include cyber harassment and stalking, distribution of child pornography, credit
card fraud, human trafficking, spoofing, identity theft, and online libel or slander.
2. Crimes Against Property
Some online crimes occur against property, such as a computer or server. These crimes
include DDoS attacks, hacking, virus transmission, cybersquatting and typosquatting, computer
vandalism, copyright infringement, and IPR violations.
3. Crimes Against Government
When a cybercrime is committed against the government, it is considered an attack on that
nation's sovereignty. Cybercrimes against the government include hacking, accessing
confidential information, cyber warfare, cyber terrorism, and pirated software.
THE 13 COSTLIEST CYBERATTACKS OF 2022

1. November 2022: Government of Costa Rica


The government of Costa Rica recently declared a state of emergency after enduring weeks of
ransomware attacks on its critical systems. As a result, the government could not pay its
workers on time and asked them to apply for payment through email or paper-based methods.
The attack also disrupted tax and customs systems, causing the country’s import/export
logistics to collapse. The Conti ransomware gang demanded a $20 million ransom payment,
claiming the attacks were done to overthrow the government. The criminal gang published an
estimated 50% of the data stolen during the weeks-long attack. The Costa Rican government
has not paid the ransom.
2. October 2022: Medibank


A costly attack on health insurer Medibank affected all of its 3.9 million current and former
customers. Attackers demanded a ransom payment of $9.7 million not to publish the stolen
data, which Medibank refused to pay. The criminal gang then threatened to release data each
day the ransom remained unpaid. Even before customer compensation and regulatory and
legal costs were paid, the attack was estimated to cost Medibank $25 to $35 million. In
addition, Medibank delayed insurance premium increases until January 2023, which will cost
the company another $62 million.
3. October 2022: CommonSpirit Health System


A ransomware attack on CommonSpirit Health System affected patients across the country.
As one of the largest U.S. hospital operators, the system operates 140 hospitals and 2,000
patient care sites. Electronic health records were unavailable while the hospital’s system was
offline. The attack directly affected patient care when some patients received the wrong
dosages and others had to delay important surgeries, including at least one cancer surgery.
An estimated 20 million patients were affected by this attack.
4. September 2022: Uber


The attack on Uber this year showcased the dangers presented by social engineering. Threat
actors broke through the company’s defense by sending a fake two-factor authentication
notification urging the victim to click a link to verify a request. After compromising the
employee account, the attackers used the company’s virtual private network to access
internal network resources. They gained access to the company’s privileged access
management service, used it to escalate account privileges and claimed to have access to
several Uber systems, including AWS, Duo, GSuite, OneLogin, Slack, VMware and Windows.
5. September 2022: Rockstar Games


After gaining access to the company’s internal systems, an attacker downloaded the complete
source code for Grand Theft Auto 5 and 6 and other confidential information in an attack on
Rockstar Games. This breach occurred by targeting collaboration tools used by developers,
such as Slack and Confluence Wiki. The attackers appeared to be more interested in extortion
than publishing the stolen data.
6. May 2022: AcidRain Wiper Malware


Widespread wiper malware attacks have wracked Ukraine since its war with Russia began.
The AcidRain malware uses brute-force attacks to find device file names and then wipes every
file it can find. The attacks have knocked tens of thousands of modems offline since they
began in early 2022.
7. April 2022: U.K. National Health Service (NHS)


The NHS provides infrastructure for tens of thousands of health organizations. Over a period
of six months, an attack compromised over 100 NHS employee accounts and used them to
send phishing emails. Some phishing campaigns attempted to steal Microsoft credentials.
These phishing emails were primarily fake document download alerts, complete with an NHS
disclaimer at the end of each message. Though the NHS migrated to Office 365, that didn’t
entirely end the fraudulent messages, which continued in much smaller numbers.
8. April 2022: Austin Peay State University


A ransomware attack on Austin Peay State University brought the university to a halt just
before final exams began. The university urged faculty, staff and students to disconnect
university computers from the network and avoid using any university devices on campus or
at home. Only personal devices such as laptops and cell phones could continue to access
email and other university resources. The university canceled final exams and closed all
computer labs.
9. April 2022: Florida International University


A ransomware gang attacked Florida International University just weeks after the attack on
North Carolina Agricultural and Technical State University (A&T). The same group,
ALPHV/BlackCat, claimed responsibility for both. Attackers exfiltrated 1.2 terabytes of
sensitive data, including social security numbers, accounting documents and email
databases. At the time of the incident, the university announced there was no evidence that
the attack had compromised information. However, security researchers examined stolen data
and verified it was real.
10. March 2022: North Carolina A&T


North Carolina Agricultural and Technical State University became a ransomware victim
during spring break. The attack targeted multiple systems, including Blackboard, Banner ERP,
Qualtrics, VPN, Jabber and Chrome River. Extended outages meant students could not submit
assignments, and classes were canceled. The ransomware gang responsible for the attack
claimed it stole the personal data of faculty, staff and students, as well as contracts,
financial data and multiple databases.
11. February 2022: Nvidia


Earlier this year, microchip maker Nvidia suffered an attack during which one terabyte of data
was stolen, including usernames and cryptographic hashes for more than 70,000 Nvidia
employees. The Lapsus$ ransomware gang claimed responsibility for the hack. The criminal
gang first demanded the removal of a feature that makes Nvidia graphics cards less desirable
for crypto mining, then later modified the demand for open-source graphics drivers for all
future cards. The gang threatened to release the stolen data if Nvidia did not meet their
demands.
12. January 2022: Red Cross


Attackers targeted a Red Cross family reunification program through an unpatched
vulnerability in the organization’s enterprise password management platform. The targeted
reunification program reconnects families separated by migration, war and disaster.
State-sponsored threat actors were likely responsible since the attack was tailored specifically for
Red Cross systems. Attackers remained in the system for more than 70 days with access to
personally identifiable information, including location, of more than 515,000 people in the
program.
13. January 2022: Twitter


At the beginning of 2022, an attacker used a zero-day vulnerability to gain access and siphon
the usernames, phone numbers and email addresses of nearly 6 million Twitter users. Stolen
user data was likely combined with other information scraped from the web to build a
database later offered for sale on a hacker forum.
Above all, these attacks illustrate the importance of continuous vigilance against
cyberattacks. Clearly, ransomware and high-profile attacks have proved especially insidious.
Whatever 2023 brings, we must be ready to face it with the right strategies and resources.
IBM’s Security Framing and Discovery Workshop is a great no-cost option to improve your
organization’s cybersecurity posture in time to meet the next threat.
10 TYPES OF CYBER ATTACKS YOU SHOULD BE AWARE OF IN 2023

1. Malware Attack
This is one of the most common types of cyberattacks. “Malware” refers to malicious software,
including viruses, worms, spyware, ransomware, adware, and trojans.
A trojan disguises itself as legitimate software. Ransomware blocks access to the
network's key components, whereas spyware is software that steals your confidential data
without your knowledge. Adware is software that displays advertising content such as banners
on a user's screen.
Malware breaches a network through a vulnerability: when the user clicks a dangerous link or
downloads an email attachment, or when an infected pen drive is used.
Let’s now look at how we can prevent a malware attack:


• Use antivirus software. It can protect your computer against malware. Avast Antivirus,
Norton Antivirus, and McAfee Antivirus are a few of the popular antivirus software.
• Use firewalls. Firewalls filter the traffic that may enter your device. Windows and Mac OS X
have their default built-in firewalls, named Windows Firewall and Mac Firewall.
• Stay alert and avoid clicking on suspicious links.
• Update your OS and browsers, regularly.
2. Phishing Attack
Phishing attacks are one of the most prominent and widespread types of cyberattacks. It is a type
of social engineering attack wherein an attacker impersonates a trusted contact and
sends the victim fake emails.
Unaware of this, the victim opens the mail and clicks on the malicious link or opens the mail's
attachment. By doing so, attackers gain access to confidential information and account
credentials. They can also install malware through a phishing attack.
Phishing attacks can be prevented by following the below-mentioned steps:


• Scrutinize the emails you receive. Most phishing emails have significant errors like spelling
mistakes and format changes from that of legitimate sources.
• Make use of an anti-phishing toolbar.
• Update your passwords regularly.
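The scrutiny the list above asks for can be partly automated. The following Python script is an added example and is not part of these slides: it parses a constructed email message and reports three indicators of the impersonation described above: a Reply-To domain that differs from the From domain, urgency wording in the subject, and a link whose visible text names a different host than its real href. Both sample messages and every domain in them are constructed for the demonstration; only standard-library modules are used.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message impersonating an internal helpdesk.
SAMPLE_PHISHING = """\
From: "Example Corp IT Helpdesk" <helpdesk@example.com>
Reply-To: support@mail-example-verify.test
Subject: URGENT: your mailbox will be suspended
Content-Type: text/html

<html><body>
<p>Your account will be suspended within 24 hours. Verify now:</p>
<a href="http://login.example-com.test/verify">https://login.example.com/verify</a>
</body></html>
"""

# Constructed sample: a legitimate notice from the same sender.
SAMPLE_BENIGN = """\
From: "Example Corp IT Helpdesk" <helpdesk@example.com>
Subject: Monthly maintenance window
Content-Type: text/html

<html><body>
<p>The intranet will be unavailable on Saturday. Details:</p>
<a href="https://intranet.example.com/notice">https://intranet.example.com/notice</a>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return the names of the indicators found in one raw email message."""
    msg = email.message_from_string(raw_message)
    findings = []

    # 1. A Reply-To that steers replies to a domain other than the sender's.
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply-to-domain-mismatch")

    # 2. Pressure wording in the subject line (a weak but common signal).
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in ("urgent", "suspended", "verify")):
        findings.append("urgency-language")

    # 3. A link whose displayed URL points at a different host than its href.
    body = msg.get_payload() if msg.get_content_type() == "text/html" else ""
    collector = _AnchorCollector()
    collector.feed(body)
    for shown_text, href in collector.links:
        shown_host = urlparse(shown_text).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            findings.append("link-text-mismatch")
            break
    return findings


if __name__ == "__main__":
    print("phishing sample:", phishing_indicators(SAMPLE_PHISHING))
    print("benign sample:  ", phishing_indicators(SAMPLE_BENIGN))
```

None of the three checks proves a message is malicious on its own; the script is meant to surface messages for the human scrutiny the slide recommends, not to replace it.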
3. Password Attack
It is a form of attack wherein a hacker cracks your password with various programs and
password cracking tools like Aircrack, Cain & Abel, John the Ripper, Hashcat, etc. There are
different types of password attacks, such as brute force attacks, dictionary attacks, and keylogger
attacks.
Listed below are a few ways to prevent password attacks:
• Use strong alphanumeric passwords with special characters.
• Abstain from using the same password for multiple websites or accounts.
• Update your passwords; this will limit your exposure to a password attack.
• Do not have any password hints in the open.
4. Man-in-the-Middle Attack
A Man-in-the-Middle Attack (MITM) is also known as an eavesdropping attack. In this attack,
an attacker comes in between a two-party communication, i.e., the attacker hijacks the
session between a client and host. By doing so, hackers steal and manipulate data.
As seen below, the client-server communication has been cut off, and instead, the
communication line goes through the hacker.
MITM attacks can be prevented by following the below-mentioned steps:
• Be mindful of the security of the website you are using. Use encryption on your devices.
• Refrain from using public Wi-Fi networks.
5. SQL Injection Attack


A Structured Query Language (SQL) injection attack occurs on a database-driven website
when the hacker manipulates a standard SQL query. It is carried out by injecting malicious code
into a vulnerable website search box, thereby making the server reveal crucial information.
This results in the attacker being able to view, edit, and delete tables in the database.
Attackers can also gain administrative rights through this.
To prevent a SQL injection attack:
• Use an intrusion detection system, which is designed to detect unauthorized access to a
network.
• Validate user-supplied data. A validation process keeps user input in check.
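To make the mechanism concrete, the following Python script is an added example and not part of these slides. It builds a small constructed `sqlite3` in-memory table, shows the vulnerable pattern (user input pasted straight into the query string, so a search-box value changes the meaning of the SQL), the parameterized query that closes the hole, and the input validation the slide recommends as a second layer. The table, the usernames and the function names are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real accounts).
SAMPLE_USERS = [
    ("alice", "alice@example.com", "user"),
    ("bob", "bob@example.com", "user"),
    ("carol", "carol@example.com", "admin"),
]


def make_db():
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, name):
    """The pattern the slide warns about: the search-box value is spliced
    into the SQL text, so quotes in the input become part of the statement.
    The value  ' OR '1'='1  turns a one-row lookup into a full table dump."""
    query = f"SELECT name, email, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def search_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter, so the database
    engine treats it purely as data and never as SQL syntax."""
    query = "SELECT name, email, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def is_valid_username(name):
    """Input validation as a second layer: an allow-list of plain ASCII
    letters and digits with a length cap. Parameterization stays primary."""
    return 1 <= len(name) <= 32 and name.isascii() and name.isalnum()


def search_validated(conn, name):
    """Both defences together: reject malformed input, then bind the value."""
    if not is_valid_username(name):
        return []
    return search_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:   ", search_vulnerable(db, probe))
    print("parameterized:", search_parameterized(db, probe))
    print("validated:    ", search_validated(db, probe))
```

Running the script shows the vulnerable function returning every row for the quoted input while the parameterized and validated versions return nothing, which is the behaviour a code review or a web application scan should confirm for each query that takes user input.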
6. Denial-of-Service Attack
A Denial-of-Service Attack is a significant threat to companies. Here, attackers target
systems, servers, or networks and flood them with traffic to exhaust their resources and
bandwidth.
When this happens, the servers are overwhelmed by the incoming requests, and the website
they host either shuts down or slows down. This leaves legitimate service requests
unattended.
It is known as a DDoS (Distributed Denial-of-Service) attack when attackers use multiple
compromised systems to launch the attack.
Let’s now look at how to prevent a DDoS attack:


• Run a traffic analysis to identify malicious traffic.
• Understand the warning signs like network slowdown, intermittent website shutdowns, etc.
At such times, the organization must take the necessary steps without delay.
• Formulate an incident response plan, have a checklist and make sure your team and data
center can handle a DDoS attack.
• Outsource DDoS prevention to cloud-based service providers.
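The first item above, traffic analysis, is the one a defender can start on with nothing more than web server logs. The following Python script is an added example and not part of these slides: it parses common-log-format lines, computes for each source address the largest number of requests seen inside a sliding time window, and flags sources above a threshold. The log lines are generated inline from the reserved documentation address ranges and are constructed for the demonstration; the window and threshold values are illustrative, not recommendations.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common log format, e.g.
# 198.51.100.4 - - [12/Mar/2023:10:00:00 +0000] "GET /about HTTP/1.1" 200 1024
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    return {
        "ip": match.group("ip"),
        "ts": datetime.strptime(match.group("ts"), TS_FMT),
        "request": match.group("request"),
        "status": int(match.group("status")),
    }


def peak_rate(stamps, window_seconds):
    """Largest number of requests from one source inside any window.
    Two-pointer sweep over the sorted timestamps, O(n)."""
    stamps = sorted(stamps)
    start, peak = 0, 0
    for end, t in enumerate(stamps):
        while (t - stamps[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_flooders(lines, window_seconds=10, threshold=50):
    """Return {ip: peak requests per window} for sources above the threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        peak = peak_rate(stamps, window_seconds)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample: one normal visitor and one flooding source.
    Addresses come from the reserved documentation ranges, not real hosts."""
    base = datetime(2023, 3, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):  # normal visitor: one request every 3 seconds
        t = base + timedelta(seconds=3 * i)
        lines.append(f'198.51.100.4 - - [{t.strftime(TS_FMT)}] "GET /about HTTP/1.1" 200 1024')
    for i in range(120):  # flood source: 15 requests per second for 8 seconds
        t = base + timedelta(seconds=i // 15)
        lines.append(f'203.0.113.7 - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512')
    lines.append("this line is not in log format")  # exercises the None path
    return lines


if __name__ == "__main__":
    print(find_flooders(build_sample_log()))
```

A per-source count like this catches a single noisy client; a distributed attack spreads the load over many addresses, which is why the slide also lists upstream, cloud-based mitigation, where the same counting is done per network block or per request signature rather than per address.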
7. Insider Threat
As the name suggests, an insider threat does not involve a third party but an insider. In such
a case, it could be an individual from within the organization who knows everything about the
organization. Insider threats have the potential to cause tremendous damage.
Insider threats are rampant in small businesses, as the staff there hold access to multiple
accounts with data. The reasons for this form of attack are many: greed, malice, or even
carelessness. Insider threats are hard to predict and hence tricky.
To prevent the insider threat attack:


• Organizations should have a good culture of security awareness.
• Companies must limit the IT resources staff can have access to depending on their job
roles.
• Organizations must train employees to spot insider threats. This will help employees
understand when a hacker has manipulated or is attempting to misuse the organization's
data.
8. Cryptojacking
The term Cryptojacking is closely related to cryptocurrency. Cryptojacking takes place when
attackers access someone else’s computer for mining cryptocurrency.
The access is gained by infecting a website or manipulating the victim to click on a malicious
link. They also use online ads with JavaScript code for this. Victims are unaware of this as the
Crypto mining code works in the background; a delay in the execution is the only sign they
might witness.
Cryptojacking can be prevented by following the below-mentioned steps:


• Update your software and all the security apps as cryptojacking can infect the most
unprotected systems.
• Have cryptojacking awareness training for the employees; this will help them detect
cryptojacking threats.
• Install an ad blocker as ads are a primary source of cryptojacking scripts. Also have
extensions like MinerBlock, which is used to identify and block crypto mining scripts.
9. Zero-Day Exploit
A Zero-Day Exploit happens after the announcement of a network vulnerability; in most cases
there is no solution for the vulnerability yet. Hence the vendor announces the vulnerability so
that users are aware; however, this news also reaches the attackers.
Depending on the vulnerability, the vendor or the developer could take any amount of time to
fix the issue. Meanwhile, the attackers target the disclosed vulnerability, making sure to
exploit it before a patch or solution is implemented.
Zero-day exploits can be prevented by:


• Organizations should have well-communicated patch management processes. Use patch
management solutions to automate the procedures and avoid delays in deployment.
• Have an incident response plan to help you deal with a cyberattack. Keep a strategy
focusing on zero-day attacks. By doing so, the damage can be reduced or completely
avoided.
10. Watering Hole Attack


The victim here is a particular group, such as an organization or a region. In such an attack, the
attacker targets websites which are frequently used by the targeted group. Websites are
identified either by closely monitoring the group or by guessing.
After this, the attackers infect these websites with malware, which infects the victims'
systems. The malware in such an attack targets the user's personal information. Here, it is
also possible for the hacker to take remote access to the infected computer.
Let's now see how we can prevent the watering hole attack:
• Update your software and reduce the risk of an attacker exploiting vulnerabilities. Make
sure to check for security patches regularly.
• Use your network security tools to spot watering hole attacks. Intrusion prevention
systems (IPS) work well when it comes to detecting such suspicious activities.
• To prevent a watering hole attack, it is advised to conceal your online activities. For this,
use a VPN and also make use of your browser’s private browsing feature. A VPN delivers a
secure connection to another network over the Internet. It acts as a shield for your
browsing activity. NordVPN is a good example of a VPN.
HOW TO PREVENT CYBER ATTACKS?

Although we had a look at several ways to prevent the different types of cyberattacks we
discussed, let's summarize and look at a few personal tips which you can adopt to avoid a
cyberattack on the whole.
• Change your passwords regularly and use strong alphanumeric passwords which are
difficult to crack. Refrain from using passwords so complicated that you would tend to
forget them. Do not use the same password twice.
• Update both your operating system and applications regularly. This is a primary prevention
method for any cyber attack. This will remove vulnerabilities that hackers tend to exploit.
Use trusted and legitimate Anti-virus protection software.
• Use a firewall and other network security tools such as Intrusion prevention systems,
Access control, Application security, etc.
• Avoid opening emails from unknown senders. Scrutinize the emails you receive for
loopholes and significant errors.
• Make use of a VPN. This makes sure that it encrypts the traffic between the VPN server
and your device.
• Regularly back up your data. According to many security professionals, it is ideal to have
three copies of your data on two different media types and another copy in an off-site
location (cloud storage). Hence, even in the course of a cyber attack, you can erase your
system’s data and restore it with a recently performed backup.
• Employees should be aware of cybersecurity principles. They must know the various types
of cyberattacks and ways to tackle them.
• Use Two-Factor or Multi-Factor Authentication. With two-factor authentication, users must
provide two different authentication factors to verify themselves. When you are asked for
more than two additional authentication methods apart from your username and password,
we call it multi-factor authentication. This proves to be a vital step to secure your account.
• Secure your Wi-Fi networks and avoid using public Wi-Fi without using a VPN.
• Safeguard your mobile, as mobiles are also a cyberattack target. Install apps from only
legitimate and trusted sources, make sure to keep your device updated.
OTHER TYPES OF CYBERCRIMES

• Email and internet fraud.
• Identity fraud (where personal information is stolen and used).
• Theft of financial or card payment data.
• Theft and sale of corporate data.
• Cyberextortion (demanding money to prevent a threatened attack).
• Ransomware attacks (a type of cyberextortion).
• Cyberespionage (where hackers access government or company data).
• Interfering with systems in a way that compromises a network.
• Infringing copyright.
• Illegal gambling.
• Selling illegal items online.
• Soliciting, producing, or possessing child pornography.
CYBERCRIMES IN THE PHILIPPINES AND ASIA PACIFIC

Kroll, an independent provider of global risk and financial advisory solutions, today
announced its report State of Incident Response: Asia Pacific. The report finds that
businesses in Asia Pacific and the Philippines are feeling the impact of cyberattacks, but
many are yet to build appropriate response plans or have regular access to relevant cyber
expertise. One of the notable findings is that 3 out of 4 businesses in the Philippines have
experienced a cyberattack, much higher than the APAC average of 59%.
Key Philippine Findings:


• 75% of organizations in the Philippines have experienced a cyber incident, ranking second
as the most cyber-vulnerable market in the APAC region.
• Malware (29%) and phishing (21%) rank top as the most common cause of cyber incidents
in the Philippines.
• The two most cited impacts of a cyber incident in the Philippines were business
interruption (60%) and data loss (59%). Regulatory fines (29%) as a consequence of
cyberattacks were also cited most often for the Philippines compared with the other
markets.
• The greatest concern among organizations in the Philippines is data loss (70%). Compared
to other markets across APAC, however, respondents were also much more concerned
about theft of intellectual property (60%).
Overall findings of the report include:


• In response to a cyber incident, 36% of organizations in Asia Pacific did not have an
incident response playbook, a plan or policies in place; 38% did not have an appointed
data protection officer or access to cyber security specialists on a retainer.
• The two most cited impacts of a cyber incident were data loss (51%) and business
interruption (49%).
• In order to address cybersecurity threats, the majority of organizations were planning to
increase budgets (64%) and were moving to the cloud (65%).
Local market variations include:


• Australia was the least likely to have an incident response plan in place, and Hong Kong
was the most likely.
• Malaysia and the Philippines suffered the most incidents, while Hong Kong suffered the
least.
• Data loss was a concern across the board, but those in Indonesia were also more worried
than others about the reputational damage of an incident. Singaporean businesses were
primarily worried about business interruption.

The report was commissioned by Kroll and conducted by Opinium. It surveyed 700 decision-makers in
IT, risk, security and legal professionals evenly split across the following Asia Pacific markets: Hong
Kong, Singapore, Malaysia, Philippines, Australia, Indonesia and Japan.
SHORT QUIZ

Get 1 whole piece of paper and answer the following questions:


1. Assume you are in a position wherein you will be a victim of an imminent cyber attack and
there is nothing you can do about it but to endure it as it is. The catch, however, is that the
attacker allowed you to choose the kind of cyber attack towards you, what will you choose
and why? 10 points
2. In contrast to question number 1, what will be the kind of cyberattack that you are most
afraid of and will try to avoid at all costs? Explain why. 10 points
3. One day you are browsing the internet and an anonymous person reaches out to you and
offers to make you a super hacker for 24 hours. You can hack anyone or anything during that
period of time. Who will you attack and why? What kind of cyberattacks will you choose to
use against your chosen victims? 10 points
SARBANES-OXLEY ACT OF 2002
The Sarbanes-Oxley Act of 2002 is a federal law that
established sweeping auditing and financial regulations
for public companies.
Lawmakers created the legislation to help protect
shareholders, employees and the public from accounting
errors and fraudulent financial practices.
Auditors, accountants and corporate officers became
accountable for the new set of rules. These rules were
amendments and additions to several laws enforced by the
Securities and Exchange Commission (SEC), including the
Securities and Exchange Act of 1934 and the Investment
Advisers Act of 1940. The SEC enforces the Sarbanes-Oxley Act.
The areas the Act focuses on are:


• Increasing criminal punishment
• Accounting regulation
• New protections
• Corporate responsibility
The Act primarily sought to regulate financial reporting, internal audits and other business
practices at publicly traded companies. However, some provisions apply to all enterprises,
including private companies and nonprofit organizations.
Additionally, the Act established penalties for noncompliance with its provisions. Compliance
with the Act is about financial disclosure and corporate governance.
HISTORY AND WHY THE ACT WAS CREATED

The legislation sought to both improve the reliability of public companies' financial reporting
as well as restore investor confidence in the wake of high-profile cases of corporate crime.
The act was named for its sponsors: U.S. Sen. Paul Sarbanes (D-Md.), and U.S. Rep. Michael
Oxley, (R-Ohio). Former U.S. President George W. Bush, who signed the act into law on July 30,
2002, called the act "the most far-reaching reforms of American business practices since the
time of Franklin Delano Roosevelt."
Federal lawmakers enacted the Sarbanes-Oxley Act in large part due to corporate scandals at
the start of the 21st century. One such scandal involved energy firm Enron Corp. Enron was
considered one of the largest, most successful and innovative companies in the United
States.
• Around 2000, Enron unraveled in less than two years as both the company's fraudulent
practices and its executives' criminal activities came to light.
• Similarly, the telecommunications giant WorldCom became embroiled in scandal as its own
fraudulent accounting practices made the news. After filing for bankruptcy in 2002, the
company was hit with a $750 million SEC fine. Its chief executive officer (CEO) was
sentenced to 25 years in prison, and the chief financial officer (CFO) received a five-year
jail sentence as a result of criminal charges in the case.
• The financial scandal at Tyco International also preceded the Act. In this case, the
company's former CEO and CFO were convicted of stealing hundreds of millions of dollars
from the company, falsifying business records and violating other business laws. The Act
enhanced accounting compliance regulations to keep such a scandal from occurring again.
KEY PROVISIONS AND REQUIREMENTS

There are 11 titles to SOX, each of which contains sections detailing their requirements and
responsibilities as well as possible penalties for non-compliance.
• Title I: Public Company Accounting Oversight Board (PCAOB)
• Title II: Auditor Independence
• Title III: Corporate Responsibility
• Title IV: Enhanced Financial Disclosures
• Title V: Analyst Conflicts of Interest
• Title VI: Commission Resources and Authority
• Title VII: Studies and Reports
• Title VIII: Corporate and Criminal Fraud Accountability
• Title IX: White Collar Crime Penalty Enhancement
• Title X: Corporate Tax Returns
• Title XI: Corporate Fraud Accountability
Two sections of particular note are Section 302 and Section 404.
• Section 302 pertains to "Corporate Responsibility for Financial Reports." It established, in
part, that CEOs and CFOs must review all financial reports and that the reports are "fairly
presented" and don't contain misrepresentations. This section also established that CEOs
and CFOs are responsible for internal accounting controls. The Act requires year-end
financial disclosure reports and that all financial reports come with an Internal Controls
Report. Financial disclosures must contain reporting of material changes in financial
condition.
• Section 404 deals with "Management Assessment of Internal Controls" and requires
companies to publish details about their internal accounting controls and their procedures
for financial reporting as part of their annual financial reports. Section 404 requires
corporate executives to personally certify the accuracy of their company's financial
statements and makes them individually liable if the SEC finds violations.
The Whistleblower Protection Act under the Sarbanes-Oxley Act mandates protection for
whistleblowers, stating that employees and contractors who report fraud and/or testify about
fraud to the Department of Labor are protected against retaliation, including dismissal and
discrimination.
Other key provisions and requirements under the Act include:
• mandated disclosure in periodic reports of off-balance-sheet transactions and relationships
that could impact financial status;
• near-ubiquitous prohibition of personal loans from a corporation to executives;
• establishment of fines and terms of imprisonment for tampering or destroying documents
in events of investigations or court action; and
• requirements for attorneys who represent public companies before the SEC to report
security violations to the CEO.
AUDITING UNDER THE SARBANES-OXLEY ACT

The Sarbanes-Oxley Act also created new requirements for corporate auditing practices.
Among its many requirements, the Act requires public corporations to hire independent
auditors to review their accounting practices and defines the rules of engagement for
corporate audit committees and external auditors.
It also created rules for separation of duties by detailing a number of non-audit services that
a company's auditor cannot perform during audits. These rules are designed to further guard
against fraudulent financial practices and conflicts of interest.
Furthermore, the Act led to the creation of the Public Company Accounting Oversight Board
(PCAOB), which sets standards and rules for audit reports. Under the Act, all accounting firms
that audit public companies are required to register with the PCAOB. The PCAOB investigates
and enforces compliance at the registered accounting firms.
PENALTIES FOR NONCOMPLIANCE WITH SOX

Noncompliance penalties vary according to the section violation and are at their greatest
when information has been deliberately falsified, altered, or destroyed. They range from the
loss of exchange listing and loss of directors and officers liability insurance (D&O) to
multimillion dollar fines and prison sentences for company officers.
If a CEO or CFO knowingly certifies a periodic report that does not satisfy the requirements of
the Act, he or she is subject to fines of up to $1 million and imprisonment for up to 10 years.
If he or she falsifies the certification willfully, the fine may be up to $5 million and
imprisonment up to 20 years.
CRITICISM OF THE SARBANES-OXLEY ACT

The Act had critics from the start, including many executives who felt they were unfairly
burdened by new regulations due to the dishonest and negligent acts of a few others. In
2008, Newt Gingrich blamed the financial crisis on the Act, citing it as the reason for a low
number of initial public offerings, and asked Congress to repeal the Act.
Critics also charged that the Act was a politically motivated reaction to a few, albeit high-
profile, corporate financial scandals and that the law would hinder competition and business
growth.
Corporate leaders also voiced concerns that meeting the regulations laid out in the Sarbanes-
Oxley Act would take too much executive time and that compliance costs would amount to an
exorbitant amount of money. Many complained about Section 404 in particular and said it
was overly burdensome.
BENEFITS OF THE SARBANES-OXLEY ACT

On the other hand, some business leaders acknowledged the need for improvements and felt
the Act could spur better financial practices that would benefit companies and their
stakeholders.
Indeed, even some of those skeptical of the Act when it was first passed later acknowledged
its benefits as the law was fully implemented in subsequent years.
Specifically, proponents of the law acknowledged that the Act helped businesses improve
their financial management by strengthening controls, standardizing processes, improving
documentation and creating stronger board oversight.
Studies also have found that the Act increased investor confidence.
UPDATES SINCE ITS INCEPTION

Despite early and ongoing criticism, the Sarbanes-Oxley Act remains in place, essentially
unchanged from when it was first enacted in 2002, with studies showing that the law
improves financial reporting.
However, many business leaders continue to believe that the resources required to meet the
law's mandates are burdensome, noting that research has found that smaller companies are
disproportionately burdened by the Act.
Although proponents and critics continue to assess the overall impact of the law, it is seen as
the most significant piece of securities legislation since the Securities Exchange Act of 1934.
ISO 27001
ISO/IEC 27001:2013 (ISO 27001) is an international
standard that helps organizations manage the security of
their information assets. It provides a management
framework for implementing an ISMS (information security
management system) to ensure the confidentiality,
integrity, and availability of all corporate data (such as
financial information, intellectual property, employee
details or information managed by third parties).
ISO 27001
The ISO 27001 framework was published in 2013 by the
ISO (International Organization for Standardization) and
IEC (International Electrotechnical Commission) and
belongs to the ISO 27000 family of standards. It is the only
internationally recognized certifiable information security
standard.
ISO 27001 is supported by its code of practice for
information security management, ISO/IEC 27002:2013,
which explains how to implement information security
controls for managing information security risks.
WHAT IS ISO 27001 CERTIFICATION?

ISO 27001 certification demonstrates that your organization has invested in the people,
processes, and technology (e.g., tools and systems) to protect your organization’s data and
provides an independent, expert assessment of whether your data is sufficiently protected.
Certification is achieved through an accredited certification body. It provides evidence to your
consumers, investors, and other interested parties that you are managing information
security according to international best practices.
ISO 27001 compliance is becoming increasingly important as regulatory requirements (such
as the GDPR, HIPAA, and CCPA) pressure organizations to protect their consumer and
personal data.

GDPR - General Data Protection Regulation
HIPAA - Health Insurance Portability and Accountability Act
CCPA - California Consumer Privacy Act of 2018
HOW DO ISO 27001 AUDITS WORK?

Certification can be obtained once a certification body has conducted an external audit.
Auditors will review the organization’s practices, policies, and procedures to assess whether
the ISMS meets the requirements of the Standard.
Certification usually lasts for three years, but organizations have to conduct routine internal
audits as a continual improvement process.
Once certified, a certification body will usually conduct an annual assessment to monitor
compliance.
WHAT IS AN ISMS (INFORMATION SECURITY MANAGEMENT SYSTEM)?

An ISMS is a defined, documented management system that consists of a set of policies,
processes, and systems to manage risks to organizational data to ensure acceptable levels of
information security risk. Ongoing risk assessments help identify security threats and
vulnerabilities that need to be managed through a set of controls.
Having an established ISO 27001-compliant ISMS helps you manage the confidentiality,
integrity, and availability of all corporate data in an optimized and cost-effective way.
Risk management forms the foundation of an ISMS. Routine risk assessments help to
identify specific information security risks. ISO 27001 recommends a set of controls that can
be applied to manage and reduce information security risks.
ISO 27001 CONTROLS AND REQUIREMENTS

ISO 27001 consists of 114 controls (included in Annex A and expanded on in ISO 27002) that
provide a framework for identifying, treating, and managing information security risks.
A summary of the ISO/IEC 27001:2013 controls

• A.5 Information security policies
• A.6 Organization of information security
• A.7 Human resources security
• A.8 Asset management
• A.9 Access control
• A.10 Cryptography
• A.11 Physical and environmental security
• A.12 Operational security
• A.13 Communications security
• A.14 System acquisition, development and maintenance
• A.15 Supplier relationships
• A.16 Information security incident management
• A.17 Information security aspects of business continuity management
• A.18 Compliance
THE MANAGEMENT CLAUSES OF ISO/IEC 27001:2013

In addition to the controls, ISO 27001 comprises ten management system clauses that
guide an ISMS's implementation, management and continual improvement.
1, 2, and 3: Scope, normative references, and terms and definitions
4: Context of the organization
5: Leadership
6: Planning
7: Support
8: Operation
9: Performance evaluation
10: Improvement
ISO 27001 CONSULTING SERVICES

In addition to training, software and compliance tools, IT Governance provides specialist ISO
27001 consulting services to support compliance with the Standard. This includes an ISO
27001 gap analysis and resource determination, scoping, risk assessments, strategy, and
more.
SARBANES–OXLEY AND ISO 27001

ISO/IEC 27001 is the ideal solution for businesses that need to ensure that they comply with
Sarbanes–Oxley IT control requirements. The rapidly changing world of corporate governance
makes it essential for listed companies to implement effective IT governance structures.
Organizations with multiple compliance requirements (such as SOX, HIPAA, the PCI DSS, and
the GLBA) often seek registration to ISO 27001, since this international standard can
centralize and simplify disjointed compliance efforts.
SARBANES–OXLEY AND ISO 27001

ISO 27001 presents a comprehensive and international approach to implementing and
maintaining an information security management system (ISMS), and it is often the case that
companies will achieve compliance with a host of related legislative frameworks simply by
achieving ISO 27001 registration. By virtue of its all-inclusive approach, ISO 27001
encapsulates the IT control requirements of SOX by providing an auditable information
security management system designed for continual improvement.
Furthermore, the additional external validation offered by ISO 27001 registration is likely to
improve an organization’s cybersecurity posture while providing a higher level of confidence
to customers and stakeholders—essential for securing certain global and government
contracts.
WHAT IS CODE OF ETHICS?
An ethical code or code of ethics consists of principles and
behavioral expectations established by organizations for
their employees and third parties. It also puts the core
values of the company into practice.
The code of ethics also outlines core company values that
workers are expected to uphold during business
operations. A code of ethics is actually very similar to a code
of conduct. However, a code of ethics focuses more on a
company's morals and values at a high level, while a code of
conduct focuses more on specific situations. Having an
ethical code is important, as it serves as a permanent
reminder of the principles every employee is expected to
uphold every day.
WHAT IS CODE OF ETHICS?
Employees are often expected to uphold integrity,
responsibility, and professionalism during work. This
includes properly handling confidential information,
maintaining a safe working environment, and avoiding
unlawful conduct such as accepting bribes.
Code of ethics also highlights ethical behaviors towards
others. Workers are often expected to treat others fairly
without engaging in discriminatory and harmful behavior.
CODE OF ETHICS FOR IT PROFESSIONALS
Most IT professionals, unlike doctors, CPAs, and other
professionals, do not have a single general rule-making body;
instead, they may belong to many professional organizations
specialized for specific groups.
• Association of Information Technology Professionals (AITP)
• CyberSecurity Institute (CSI)
• Independent Computer Consultants Association (ICCA)
• Information Systems Security Association (ISSA)
• Association for Computer Operations Management (AFCOM)
• Computing Technology Industry Association (CompTIA)
• Institute of Internal Auditors (IIA)
CODE OF ETHICS FOR IT PROFESSIONALS
The existence of these bodies is made necessary by the
lack of respect for ethics in society in general, which
requires not only the validation of these types of bodies but
also their power to enforce sanctions when ethical
violations are made evident.
This is something that could well be covered by the state
and academia.
CODE OF ETHICS FOR IT PROFESSIONALS
It can be argued that these ruling bodies should in fact be
unnecessary, since ethical considerations do not depend
on one's profession; even very specific considerations that
seem restricted to one function will be shared by
another profession.
It could also be stated that this is a function of the state
and the legal system, and that delegating these functions to
non-governmental, even if public, organizations is
detrimental to the public good and an overall block to
transparency of procedures.
CODE OF ETHICS FOR IT PROFESSIONALS
These bodies will also promote the exertion of corporate
influence toward their specific groups' interests. One such
interest is reducing competition by limiting or increasing
the difficulty of access to functions, along with a general
increase in prices, since they permit a coordinated fixing of
payments in a monopolistic way and promote the practice
of obtaining special treatment and recognition for those
that depend on their specific activities.
RULES OF CONDUCT FOR AUDITORS

Integrity
Auditors:
• Shall perform their work with honesty, diligence, and responsibility.
• Shall observe the law and make disclosures expected by the law and the profession.
• Shall not knowingly be a party to any illegal activity, or engage in acts that are
discreditable to the profession of internal auditing or to the organization.
• Shall respect and contribute to the legitimate and ethical objectives of the organization.
RULES OF CONDUCT FOR AUDITORS

Objectivity
Auditors:
• Shall not participate in any activity or relationship that may impair or be presumed to
impair their unbiased assessment. This participation includes those activities or
relationships that may be in conflict with the interests of the organization.
• Shall not accept anything that may impair or be presumed to impair their professional
judgment.
• Shall disclose all material facts known to them that, if not disclosed, may distort the
reporting of activities under review.
RULES OF CONDUCT FOR AUDITORS

Confidentiality
Auditors:
• Shall be prudent in the use and protection of information acquired in the course of their
duties.
• Shall not use information for any personal gain or in any manner that would be contrary to
the law or detrimental to the legitimate and ethical objectives of the organization.
RULES OF CONDUCT FOR AUDITORS

Competency
Auditors:
• Shall engage only in those services for which they have the necessary knowledge, skills,
and experience.
• Shall perform internal audit services in accordance with the International Standards for
the Professional Practice of Internal Auditing (Standards).
• Shall continually improve their proficiency and the effectiveness and quality of their
services.
WHAT IS AN ETHICAL ISSUE/DILEMMA

An ethical issue is a circumstance in which a moral conflict arises in the workplace; thus, it is
a situation in which a moral standard is being challenged.
Ethical issues in the workplace occur when a moral dilemma emerges and must be resolved
within a corporation. Many areas of a company's general operating standards can be affected
by ethical issues. Although each ethical dilemma is unique, there are a few commonalities.
In every ethical dilemma, right and wrong choices exist. When faced with an ethical issue,
one must choose between doing the right thing and doing the wrong thing. There may be no
right or wrong answer when faced with a common challenge or issue. A person may suffer
harm as a result of a wrong decision in an ethical quandary. The harm may be limited to
physical discomfort, but it might also include emotional distress. Ethical dilemmas also frequently
deal with legal issues. Ethical behavior is an important component of obeying the law.
WHAT IS AN ETHICAL ISSUE/DILEMMA

A high ethical standard might lead to increased costs for a corporation. This is because
ethically sourced products tend to be more expensive. As a result, the corporation may fear a
loss in market share and profit margins due to the policy. Individuals and businesses can
both suffer from unethical conduct. Moreover, behavior that harms an organization's
reputation, morale, or production can lead to significant fines and financial losses.
Business ethics raise the bar for acceptable conduct above and beyond what the government
may mandate. Companies use business ethics to maintain the trust of key stakeholders and
the integrity of their employees. This leads to better decision-making and higher morale in the
workplace.
WHAT IS AN ETHICAL ISSUE/DILEMMA

There are five main types of ethical issues in the workplace:
Unethical accounting — In order to make themselves appear more profitable than they are,
publicly-traded corporations may engage in unethical accounting practices.
Harassment — It creates a hostile work environment and leads to early departures for employees.
Health and safety — Work-related stress can result from a lack of consideration for workers' safety
and physical injuries.
Technology, privacy, and social media — Using social media in an improper manner can have
serious consequences for privacy and security, both online and offline. Outside of the job, it is
easy to abuse power. Managers have the ability to enrich themselves by manipulating reports,
taking credit for others' work, wasting money, and accepting gifts from vendors and clients.
Discrimination — Discrimination is defined as any activity that results in the treatment of a worker
in a less favorable manner.
FIVE MOST IMPORTANT ETHICAL ISSUES IN TECHNOLOGY

1. Misuse of Personal Information
One of the primary ethical dilemmas in our technologically empowered age revolves around
how businesses use personal information. As we browse internet sites, make online
purchases, enter our information on websites, engage with different businesses online and
participate in social media, we are constantly providing personal details.
Companies often gather information to hyper-personalize our online experiences, but to what
extent is that information actually impeding our right to privacy?
FIVE MOST IMPORTANT ETHICAL ISSUES IN TECHNOLOGY

1. Misuse of Personal Information
Personal information is the new gold, as the saying goes. We have commoditized data
because of the value it provides to businesses attempting to reach their consumer base. But
when does it go too far?
For businesses, it’s extremely valuable to know what kind of products are being searched for
and what type of content people are consuming the most. For political figures, it’s important
to know what kind of social or legal issues are getting the most attention.
These valuable data points are often exploited so that businesses or entities can make money
or advance their goals. Facebook in particular has come under fire several times over the
years for selling personal data it gathers on its platform.
FIVE MOST IMPORTANT ETHICAL ISSUES IN TECHNOLOGY

2. Misinformation and Deep Fakes
One thing that became evident during the 2016 and 2020 U.S. presidential elections was the
potential of misinformation to gain a wider support base. The effect created polarization that
has had wide-reaching effects on global economic and political environments.
In contrast to how information was accessed prior to the internet, we are constantly flooded
with real-time events and news as it breaks. Celebrities and political figures can disseminate
opinions on social media without fact checking, which is then aggregated and further spread
despite its accuracy—or inaccuracy. Information no longer undergoes the strenuous validation
process that we formerly used to publish newspapers and books.
FIVE MOST IMPORTANT ETHICAL ISSUES IN TECHNOLOGY

2. Misinformation and Deep Fakes
Similarly, we used to believe that video told a story that was undeniably rooted in truth. But
deepfake technology now allows such a sophisticated manipulation of digital imagery that
people appear to be saying and doing things that never happened. The potential for privacy
invasion and misuse of identity is very high with the use of this technology.
FIVE MOST IMPORTANT ETHICAL ISSUES IN TECHNOLOGY

3. Lack of Oversight and Acceptance of Responsibility
Most companies operate with a hybrid stack, composed of a blend of third-party and owned
technology. As a result, there is often some confusion about where responsibility lies when it
comes to governance, use of big data, cybersecurity concerns and managing personally
identifiable information (PII). Whose responsibility is it really to ensure data is protected? If
you engage a third party for software that processes payments, do you bear any responsibility
if credit card details are breached? The fact is that it’s everyone’s job. Businesses need to
adopt a perspective where all collective parties share responsibility.
Similarly, many experts lobby for a global approach to governance, arguing that local policing
is resulting in fractured policy making and a widespread mismanagement of data. Similar to
climate change, we need to band together if we truly want to see improvement.
FIVE MOST IMPORTANT ETHICAL ISSUES IN TECHNOLOGY

4. Use of AI
Artificial intelligence certainly offers great business potential. But, at what point do AI
systems cross an ethical line into dangerous territory?
• Facial recognition: Use of software to find individuals can quickly become a less-than-ethical
problem. According to the NY Times, there are various concerns about facial recognition,
such as misuse, racial bias and restriction of personal freedoms. The ability to track
movements and activity quickly morphs into a lack of privacy. Facial recognition also isn’t
foolproof and can create bias in certain situations.
• Replacement of jobs: While this is anticipated to a certain degree, AI is meant to increase
automation of low-level tasks in many situations so that human resources can be used on
more strategic initiatives and complicated job duties. The large-scale elimination of jobs has
many workers concerned about job security, but AI is more likely to lead to job creation.
FIVE MOST IMPORTANT ETHICAL ISSUES IN TECHNOLOGY

4. Use of AI
• Health tracking: The pandemic brought contact tracing into the mainstream. Is it ethical to
track the health status of people and how will that impact the limitations we place on
them?
• Bias in AI technology: Technology is built by programmers and inherits the bias of its
creators because humans inherently have bias. “Technology is inherently flawed. Does it
even matter who developed the algorithms? AI systems learn to make decisions based on
training and coding data, which can be tainted by human bias or reflect historical or social
inequities,” according to Forbes. Leading AI developer Google has even experienced an
issue where AI software believes male nurses and female historians do not exist.
FIVE MOST IMPORTANT ETHICAL ISSUES IN TECHNOLOGY

5. Autonomous Technology
• Self-driving cars, robotic weapons and drones for service are no longer a thing of the
future—they’re a thing of the present and they come with ethical dilemmas. Robotic
machines in place of human soldiers are a very real possibility, along with self-driving cars
and package delivery via unmanned drone.
• Autonomous technology packs a punch when it comes to business potential, but there is
significant concern that comes with allowing programmed technology to operate seemingly
without needed oversight. It’s a frequently mentioned ethical concern that we trust our
technology too much without fully understanding it.
6 QUESTIONS TO ASK YOURSELF WHEN CONFRONTED WITH ETHICAL ISSUES

• Am I breaking any laws?
• Who are the stakeholders?
• What information am I missing?
• What are the short- and long-term consequences?
• Is my decision in line with my company's core values and my personal core values?
• What would my mom think about this decision?
ETHICAL PRACTICES IN TECHNOLOGY

Unlike business ethics, ethical technology is about ensuring that a moral relationship exists
between technology and users.

Respect for Employees and Customers
Businesses that engage in ethical technology have a firm moral sense of employee rights and
customer protections. Data is valuable, but the employees and customers who power your
business are undoubtedly your greatest asset. Take care to always observe responsible
protections for employees and customers to practice ethical technology.
ETHICAL PRACTICES IN TECHNOLOGY

Moral Use of Data and Resources
Data is undoubtedly something of value for businesses. It allows companies to target their
marketing strategies and refine product offerings, but it can also be an invasive use of
privacy bringing many ethical considerations to the forefront. Data protection measures and
compliance procedures can help ensure that data isn’t leaked or used inappropriately.
ETHICAL PRACTICES IN TECHNOLOGY

Responsible Adoption of Disruptive Tech
Digital growth is a business reality. Disruptive tech often isn’t just a way to outpace the
competition—it’s the only way to break even. But embracing new technologies doesn’t have to
coincide with an ethical challenge. Do your due diligence to ensure that the technology you
adopt has protections in place and you’ll be well on your way to practicing ethical tech.
ETHICAL PRACTICES IN TECHNOLOGY

Create a Culture of Responsibility
Ultimately, we need to create a culture of responsibility within technology. If the information
technology workforce and industry giants believe they are responsible for the safe and ethical
usage of technology, then we will see more governance and fair use of data.
THE DATA PRIVACY ACT OF 2012

It is the policy of the State to protect the fundamental human right of privacy, of
communication while ensuring free flow of information to promote innovation and growth. The
State recognizes the vital role of information and communications technology in nation-
building and its inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are secured and
protected.
SHORT QUIZ

Get 1 whole piece of paper and answer the following questions:
1. Do you value your privacy? If yes, are you in favor of the SIM Registration Act? Why or why
not? What do you think are the pros and cons of this law? 10 points
2. Please describe one time you experienced an ethical dilemma, whether in school,
at home, or in a public place. What happened? What choices did you have to choose
from? What did you do? What were the outcomes and repercussions? 10 points
3. As future accountants and auditors, what do you think you can do now as BSA/BSIA
students to uphold the core values and code of ethics of CPAs and auditors? How can you
apply it now in your college years? 10 points
4. Some people say that the Internet provides people with a lot of valuable information.
Others think access to so much information creates problems. Which view do you agree
with? Use specific reasons and examples to support your opinion. 10 points