The Securities and Exchange Commission issued an investigative report last week cautioning public companies to consider cyber incidents and threats when implementing internal accounting controls. The report details the SEC Enforcement Division’s investigations of nine public companies that were victims of cyber-related fraud schemes to determine whether the companies may have violated the federal securities laws by failing to maintain a sufficient system of internal accounting controls. Based on the investigations, the report concludes that public companies’ internal accounting controls may need to be reassessed in light of emerging risks in the cybersecurity arena to avoid running afoul of Section 13 of the Securities Exchange Act of 1934.
Section 13(b)(2)(B)(i) and (iii) require certain issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s authorization. In the report, the SEC considered whether these provisions were violated by nine companies who fell victim to schemes in which company personnel received electronic communications disguised as internal emails or emails from a vendor, which caused the personnel to transfer company funds to accounts controlled by the perpetrators of the fraudulent schemes. Each of the nine companies lost at least $1 million as a result of the schemes, two lost more than $30 million, and the group in total lost nearly $100 million to the third-party criminals. According to the report, these schemes – referred to by the SEC as “business email compromises” – have become commonplace and are estimated to have caused a record high of $675 million in adjusted losses in 2017.
Notably, the Commission has decided not to pursue enforcement action against the nine companies. However, the report cautions that despite the evolving cybersecurity risk landscape, the SEC’s expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated “is not [new].” The report further emphasizes that the frauds which penetrated the nine companies were not particularly sophisticated in design or the use of technology, but rather, relied on weaknesses in policies and procedures, and human vulnerabilities, that rendered the companies’ control environments ineffective. After the frauds, each of the nine companies sought to enhance their payment authorization procedures and verification requirements, as well as reconciliation and payment notification processes. The report also comments on the importance of company personnel to implement, maintain and follow internal accounting controls, due to the role of human error in the success of the fraudulent schemes. To this end, the nine companies enhanced their personnel training on relevant threats and policies and procedures after the frauds took place.
Though the full implications are not yet known, the SEC’s release of the investigative report demonstrates a widening in the SEC’s focus to include internal control obligations for accounting, whereas its previous commentary was focused primarily on disclosure obligations and cybersecurity preparedness more generally. Because the SEC opted not to take action against the nine subjects of the report, the SEC may be signaling that it may pursue only the more egregious cases of cyber-enabled fraud as potential violations of Section 13(b) internal control provisions. In any event, executive officers, boards of directors, and Audit Committees for public companies should consider whether their company’s internal controls should be revisited in the context of cybersecurity fraud schemes like the ones highlighted in the investigative report.