US IT security legislation could affect Bermuda companies
If passed into law, draft legislation currently before the US Congress could require publicly traded companies - including Bermuda corporations trading on US stock exchanges - to conduct annual security audits of their information technology systems and to publish those results in their annual reports.
If passed, the measure - which would be another layer of due diligence on top of more stringent corporate governance regulations already imposed on companies under Sarbanes-Oxley legislation - could however be a boon for local IT companies.
At least one local company, QuoVadis - which was set up five years ago in the then e-Venture Centre to help companies with protection of data - said it has already seen "significant interest" from some local corporations for information systems security audits.
Known as the Corporate Information Security Accountability Act of 2003, the legislation, if enacted, would amend the Securities Exchange Act of 1934 by requiring each publicly traded company to conduct annual assessments of its computer information security.
As part of that assessment, companies would be required "to assess the risk and magnitude of the harm that could result from the unauthorised access, use, disclosure, disruption, modification or destruction of such information." The assessments would have to be carried out by an independent party.
Legislators behind the draft bill, sponsored by Florida Congressman Adam Putnam, said the act was designed to do several things, including protecting shareholders' investments, providing effective oversight of information security risks in networked corporate computer systems, and providing a consistent standard for the maintenance of the controls necessary to protect privately maintained information systems.
Although the bill is currently before the House, the legislation would also have to be approved by the US Senate before it could be signed into law by President George W. Bush.
The bill also does not spell out exactly what would be required in an IT audit or what measures would be put in place to ensure the company retained to do the assessment was an "independent party".
That is one of the drawbacks to the bill, according to the senior vice-president of marketing and business development at QuoVadis.
Stephen Davidson told The Royal Gazette that critics of the draft bill had described it as "non-specific, they haven't drilled down to any level of detail."
But Mr. Davidson added that the bill would formalise an expectation already placed on public companies by stricter corporate governance legislation. He said the integrity of company records demanded the highest level of security over computer systems.
"When Sarbanes-Oxley came in it was all about the integrity of financial records. In the corporate world it is difficult to talk about the integrity of computer systems without talking about security."
Mr. Davidson said the spin-off from the heightened awareness of putting out correct information to investors and stakeholders, and of protecting that information, was behind a surge in demand for IT security audits.
"We have seen significant local interest (in this kind of service) already. Under Sarbanes-Oxley, senior executives have to attest to the accuracy of financial data. They are personally responsible in ensuring that information is presented accurately," he said.
Mr. Davidson added that computer security was no longer only the concern of I.T. departments, but was now on the radar of top management: "This moves security (of systems) very high on the corporate agenda."
He said QuoVadis was getting more and more calls to work with independent auditors to provide the IT audit when they were doing an overall review of a corporation's systems.
"If looking closely at the IT area is part of the audit process, we are often called in."
Mr. Davidson added that there were already a number of security management frameworks - including ISO 17799 and NIST 800-37 - that could be used when doing a computer security assessment. He said those frameworks went through various elements of a company's computer system including its business continuity plan, systems access control and compliance.
QuoVadis used elements of ISO 17799 as well as other applicable I.T. security standards last year when it did a Certified Service Provider (CSP) audit for the Bermuda Government.
