Although a US draft bill calling for compulsory annual security audits to be carried out by publicly listed companies has been delayed until early next year, security experts said regulations of this kind are inevitable, both for US and UK firms.

The draft Corporate Information Security Accountability Bill of 2003 calls for publicly listed US firms to adhere to minimum IT security standards, to be set by the Securities and Exchange Commission.

Under the proposals, compliance would be checked by an annual audit, carried out by an independent auditor. The results would then be submitted alongside annual reports and Sarbanes-Oxley (Sox) submissions.

UK firms publicly listed in the US would need to comply with the security regulations, just as they must with the Sox Act, which sets accounting and data archiving rules for US firms.

However, the draft bill, recently released by Adam Putnam of the US House of Representatives, has met difficulties. A working group including US Chamber of Commerce representatives and the Business Software Alliance met last week to discuss an alternative to Putnam's proposal, which they plan to release in early 2004.

Whatever the outcome of the Putnam bill, new IT security laws are likely to be enforced both in the US and the UK, experts warned. "Reliance on IT systems is now so enormous that it's reasonable to say that somewhere in the near future we'll need more enforced regulations to monitor how firms look after them," said John Holland, vice president of international operations at security specialist TruSecure. "It's inevitable that in the UK there will be similar initiatives [to the Putnam bill]."