On October 16, 2018, the Securities and Exchange Commission released a Report of Investigation that cautioned public companies to consider cyber threats when designing and implementing internal accounting controls. The report was based on an investigation of nine victims of email cyber-fraud schemes for potentially failing to have adequate internal accounting controls, in violation of the Securities Exchange Act of 1934. The report highlights the need for companies to reassess their controls in light of the current cybersecurity risk environment. By describing the remedial steps taken by the investigated companies, it further provides guidance about the key areas that companies should consider when assessing their own policies and procedures.
The SEC’s investigation concerned the sufficiency of the internal accounting controls of nine issuers that had collectively lost nearly $100 million to fraudulent cyber schemes. Each issuer had been defrauded into wiring funds overseas to bank accounts controlled by the perpetrator of the scheme after receiving instructions from spoofed or compromised emails purporting to be from company executives or third-party vendors. The issuers only learned that they were victimized after being notified by law enforcement or another third party.
The report of investigation cautions that compliance with federal securities laws requires public companies to consider cybersecurity risks when developing their internal accounting controls. Among other requirements, Section 13(b)(2)(B) of the Exchange Act imposes an obligation to maintain controls that reasonably safeguard company funds. For example, it requires that issuers create and implement controls sufficient to reasonably assure that transactions are executed with, and assets are only accessed with, management’s general or specific authorization. The report underscores that compliance with these rules requires that internal accounting controls be calibrated to the current risk environment involving cyber-related frauds.
The SEC did not bring enforcement actions against any of the investigated companies. Indeed, the report acknowledges that not every issuer victimized by a cyber-fraud scheme is in violation of the Exchange Act. However, it highlights that internal controls may be an area of focus for the Commission’s enforcement efforts in the future, beyond public companies’ disclosures of cybersecurity risks or incidents. This is consistent with the Commission’s recent emphasis on the importance of robust controls and procedures to guard against cybersecurity risks. The report also reinforces the SEC’s February 2018 guidance on public company cybersecurity disclosures, including that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws.”
The report does not prescribe specific controls as being necessary for compliance. Instead it recognizes that “issuers themselves are in the best position to develop internal accounting controls that account for their particular operational needs and risks.” Nonetheless, the report’s descriptions of the investigated companies’ remedial actions provide useful guidance about areas that companies may wish to consider when evaluating the sufficiency of their internal accounting controls. Since the issuers’ prior controls did not prevent the spoofed messages from triggering large wire transfers or changes to vendor payment information, the issuers enhanced their payment authorization procedures and their verification requirements for changes to vendor information. The companies also bolstered their account reconciliation procedures and outgoing payment notification processes in order “to aid detection of payments resulting from fraud.” In addition, issuers increased their training of responsible personnel concerning cyber threats and the pertinent policies and procedures.
Finally, the report signals that companies must periodically reassess their internal controls as cybersecurity risks change and new threats emerge. The SEC noted that the particular frauds at issue in the investigation “relied on technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.” As a result, the report recommends that “internal accounting controls may need to be reassessed in light of emerging risks.”