
SEC to Companies: Internal Accounting Controls Should Consider Cyber Threats

By Randi Morrison posted 10-16-2018 09:23 PM

  

The SEC issued this Report of Investigation today to remind companies to consider cyber threats and associated "human vulnerabilities" in devising and maintaining their internal accounting controls. The Report, which cites the SEC's 2018 cybersecurity guidance, was prompted by an investigation of nine public companies (across industries) that collectively lost nearly $100 million to fairly rudimentary cyber-related frauds, in which they paid large sums of money in response to spoofed or otherwise compromised business emails from fake executives or fake vendors.

The Report's concluding remarks are noteworthy:

By this report, the Commission is not suggesting that every issuer that is the victim of a cyber-related scam is, by extension, in violation of the internal accounting controls requirements of the federal securities laws. What is clear, however, is that internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds. Public issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.



Ultimately, issuers themselves are in the best position to develop internal accounting controls that account for their particular operational needs and risks in complying with Section 13(b)(2)(B). In performing this analysis, issuers should evaluate to what extent they should consider cyber-related threats when devising and maintaining their internal accounting control systems. Given the prevalence and continued expansion of these attacks, issuers should be mindful of the risks that cyber-related frauds pose and consider, as appropriate, whether their internal accounting control systems are sufficient to provide reasonable assurances in safeguarding their assets from these risks.

SEC Chair Clayton commented: "Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies. Investors rely on our public issuers to put in place, monitor, and update internal accounting controls that appropriately address these threats."
 

See also these posts from Dorsey & Whitney and Cooley, and additional information & resources on our Cybersecurity and Financial Reporting pages. See tomorrow's Society Alert for board cybersecurity oversight benchmarking information.

 
