The SEC said public companies should examine their internal accounting controls in light of threats to cybersecurity. The SEC investigated nine companies victimized by computer crimes to determine whether they were susceptible to enforcement actions because of flaws in their internal control systems that were never addressed.
The SEC issued a report on October 16, 2018, that said public companies should examine their internal accounting controls in light of threats to cybersecurity.
“Issuers should evaluate to what extent they should consider cyber-related threats when devising and maintaining their internal accounting control systems,” the SEC said in Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements.” Given the prevalence and continued expansion of these attacks, issuers should be mindful of the risks that cyber-related frauds pose and consider, as appropriate, whether their internal accounting control systems are sufficient to provide reasonable assurances in safeguarding their assets from these risks.”
The report resulted from an investigation by the SEC into nine public companies victimized by phony emails from hackers pretending to be either company executives or suppliers. The companies each lost at least $1 million, with one company losing $45 million in 14 unauthorized payments over several weeks. Another company paid eight false invoices for $1.5 million over the course of several months. Together the companies lost nearly $100 million, very little of which has been recovered, the SEC said.
The frauds tended to fall into two categories. Some scammers pretended to be company executives and emailed midlevel employees who had authorization to transmit funds. The emails typically involved urgent requests that had to be kept secret from other employees for payments to a law firm’s foreign bank account to facilitate a merger. In another group of frauds, hackers raided a vendor’s computer records and falsified invoices or requests for payment. The hackers got information about the vendors’ products and services and then had employees at the targeted companies alter bank account information to route the payments to accounts controlled by impersonators.
“Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies,” SEC Chairman Jay Clayton said in a statement. “Investors rely on our public issuers to put in place, monitor, and update internal accounting controls that appropriately address these threats.”
The SEC said it conducted the investigation to determine whether the companies, while victims of criminal behavior, were themselves subject to enforcement actions because of flaws in their internal control systems that were unaddressed. The investigation was carried out to determine if the companies were complying with Section 13(b)(2)(B)(i) and Section 13(b)(2)(B)(iii) of the Securities Exchange Act of 1934. The provisions require companies to assure that their internal controls protect them from making unauthorized transactions.
Stephanie Avakian, codirector of the SEC’s Enforcement Division, said, the SEC’s decision not to pursue enforcement actions against the nine companies that were attacked should not be read as a sign that the agency will not pursue other companies that may be victims.
“Our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations,” Avakian said.
In February the SEC published interpretive guidance in Release No. 33-10459, Commission Statement on Guidance and Public Company Cybersecurity Disclosures. The release updated the 2011 guidance in Disclosure Guidance: Topic No. 2, Cybersecurity, and, in part, addressed concerns that the 2011 document had become outdated because of the technology sector’s rapid change. Much of the reports’ focus involved the disclosure requirements for public companies as they relate to cybersecurity. Neither document set requirements that public companies have policies in place to protect themselves from digital threats.
In the Cyber-Related Fraud Report, the SEC said that given the threats companies face, it wants companies to pay close attention to the internal control requirements in Section 13(b)(2)(B)(i) of the Exchange Act.
The report’s lack of detailed requirements for cybersecurity and protective measures against computerized threats may be in keeping with the SEC’s standard practice to avoid detailed, prescriptive rules with specific requirements.
“They’re more likely to say you must have policies in place to protect this and that,” said Mark Flannery, a finance professor at the University of Florida, who was the SEC’s chief economist from 2014 through 2016. “They’re not going to be so prescriptive about the exact mechanism, partly because the world changes.”
While it is far from certain what the SEC will specifically do following the report’s release, the agency may be paving the way for future action.
“It’s clear that they’re going to go further out than they’ve been before,” said Tyler Gellasch, founder of Myrtle Mykena LLC, a policy and regulatory consulting firm. “They are clearly laying out a framework here that could give rise to future actions.”