Alston & Bird Privacy, Cyber & Data Strategy Blog

SEC Investigative Report Cautions Public Companies to Consider Cyber Threats When Implementing Internal Accounting Controls

October 22, 2018 By Kate Hanniford and Privacy, Cyber & Data Strategy Team

The Securities and Exchange Commission issued an investigative report last week cautioning public companies to consider cyber incidents and threats when implementing internal accounting controls.  The report details the SEC Enforcement Division’s investigations of nine public companies that were victims of cyber-related fraud schemes to determine whether the companies may have violated the federal securities laws by failing to maintain a sufficient system of internal accounting controls.  Based on the investigations, the report concludes that public companies’ internal accounting controls may need to be reassessed in light of emerging risks in the cybersecurity arena to avoid running afoul of Section 13 of the Securities Exchange Act of 1934.

Section 13(b)(2)(B)(i) and (iii) require certain issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s authorization.  In the report, the SEC considered whether these provisions were violated by nine companies that fell victim to schemes in which company personnel received electronic communications disguised as internal emails or emails from a vendor, which caused the personnel to transfer company funds to accounts controlled by the perpetrators of the fraudulent schemes.  Each of the nine companies lost at least $1 million as a result of the schemes, two lost more than $30 million, and the group in total lost nearly $100 million to the third-party criminals.  According to the report, these schemes – referred to by the SEC as “business email compromises” – have become commonplace and are estimated to have caused a record high of $675 million in adjusted losses in 2017.

Notably, the Commission has decided not to pursue enforcement action against the nine companies.  However, the report cautions that despite the evolving cybersecurity risk landscape, the SEC’s expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated “is not [new].”  The report further emphasizes that the frauds that penetrated the nine companies were not particularly sophisticated in design or in their use of technology, but rather relied on weaknesses in policies and procedures, and on human vulnerabilities, that rendered the companies’ control environments ineffective.  After the frauds, each of the nine companies sought to enhance its payment authorization procedures and verification requirements, as well as its reconciliation and payment notification processes.  The report also comments on the importance of company personnel implementing, maintaining and following internal accounting controls, given the role of human error in the success of the fraudulent schemes.  To this end, the nine companies enhanced their personnel training on relevant threats and on policies and procedures after the frauds took place.

Though the full implications are not yet known, the SEC’s release of the investigative report demonstrates a widening of the SEC’s focus to include internal control obligations for accounting, whereas its previous commentary focused primarily on disclosure obligations and cybersecurity preparedness more generally.  Because the SEC opted not to take action against the nine subjects of the report, it may be signaling that it will pursue only the more egregious cases of cyber-enabled fraud as potential violations of the Section 13(b) internal control provisions.  In any event, executive officers, boards of directors, and Audit Committees of public companies should consider whether their company’s internal controls should be revisited in the context of cybersecurity fraud schemes like the ones highlighted in the investigative report.

Filed Under: Cyber Risk, Cybersecurity, Data Security Tagged With: Securities and Exchange Commission

About Kate Hanniford

Kate Hanniford is a senior associate with Alston & Bird’s Privacy, Cyber & Data Strategy Team. She focuses her practice on cybersecurity counseling, as well as federal securities law compliance, enforcement, and litigation.

Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.