Alert October 22, 2018

SEC Report Cautions Public Companies on Internal Controls and Cybersecurity Risks

Summary

The Securities and Exchange Commission (the Commission) has published a report of an investigation (the Report) into whether certain public companies that suffered financial losses as a result of cyber-related fraud violated the federal securities laws by failing to have a system of internal accounting controls that provides reasonable assurances that the company’s assets will be protected from cyber-related fraud. Although the Commission decided not to pursue enforcement action against any of these companies, the Commission published the Report to remind public companies and other market participants that cyber-related threats involving spoofed or manipulated electronic communications are increasing and represent considerable risk, and should be considered when devising and maintaining a system of internal accounting controls that comply with federal securities laws. The Report emphasizes that cyber-related risks and disclosure continue to be a significant Commission priority.

Takeaways for Public Companies

The Report emphasizes that public companies may need to reassess and revise their internal accounting controls in light of emerging risks, including risks that arise from cyber-related fraud and “today’s ever expanding digital interconnectedness.” Specifically, companies must “devise and maintain internal accounting controls that provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization.”

The Report speaks generally about appropriate steps in the design and operation of internal accounting controls that are reasonably appropriate to deal with cyber-related fraud and comply with the requirements of the federal securities laws. The Commission recognizes that “[u]ltimately, [companies] themselves are in the best position to develop internal accounting controls that account for their particular operational needs and risks in complying with” the requirements of the federal securities laws, and therefore does not provide any specific guidance. In general terms, the Report cites two aspects of internal accounting controls for companies to consider:

  • controls relating to procedures such as payment authorization, account reconciliation and verification of vendor data changes should be designed and operated in ways that will assist the company in detecting payments resulting from fraud; and

  • training about the company’s controls and information technology controls and procedures should include training about relevant cyber-related threats.

The Report also notes that the effectiveness of internal accounting controls is necessarily dependent on the companies and their employees implementing, maintaining, and following the companies’ internal accounting controls.

Companies should be aware that the fraudulent payment scams that are the subject of the Commission investigation are not the only cyber-related risk, nor are fraudulent payments the only risk that can result in violations of federal securities laws. As the Commission stated earlier in 2018, “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws.”

Public Company Cyber Fraud Losses

While public companies are not strangers to cybersecurity and cyber-risk in general, the explosion of electronic financial fraud by way of spoofing and other types of social engineering over the last two years has caught many companies by surprise. In these attacks, which usually begin with a business email compromise that gives unauthorized access to the email inboxes of one or more company employees, fraudsters remotely take control of an email account and use it to insert themselves into the middle of transactions and fraudulently divert funds intended for a legitimate recipient to a bank account under the bad actor’s control. While these fraudulent payments are sometimes stopped before they are made or reversed promptly after discovery, they are often not discovered for weeks or even months, long after most transfers stand any chance of clawback. According to the FBI’s Internet Crime Complaint Center, since 2013, losses from these types of compromises now total at least $3 billion in the United States alone, and over $12 billion worldwide.

The Report is based on an investigation by the Commission’s Division of Enforcement, in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, of losses suffered by nine public companies as a result of business email compromises. The Commission considered whether this group of nine companies, spanning a broad range of industries including technology, machinery, real estate, energy, financial services and consumer goods, had violated the internal accounting controls requirements of the Securities Exchange Act of 1934. The cyber-related frauds involved business email compromises in which electronic communications purported to come from either a fake company executive or a fake vendor. Each of these nine companies lost at least $1 million, and two companies lost more than $30 million; in total, the nine companies lost nearly $100 million. Some of the frauds involved multiple payments over a period of several weeks or months.

The Report emphasizes the prevalence and magnitude of these and similar losses. The Report is also a reminder that Commission enforcement action remains a possibility in similar cases. As noted above, public companies should consider reviewing and reassessing their internal accounting controls, as well as other policies and procedures that are potentially subject to cyber-related risks. Companies should also continue to review their disclosures for compliance with the disclosure requirements of the federal securities laws. In doing so, companies should also review prior guidance on cyber-related matters, including the Commission Statement and Guidance on Public Company Cybersecurity Disclosures (February 26, 2018) and CF Disclosure Guidance: Topic No. 2, “Cybersecurity” (October 13, 2011).