On 16 October 2018, the U.S. Securities and Exchange Commission (SEC) issued a report on an investigation conducted by the SEC's Division of Enforcement related to the internal accounting controls at nine public companies that were the victims of cyber fraud. The report draws attention to the growing issue of cyber fraud, highlights what it believes are necessary and best practices in this area and, importantly, cautions all public companies that failure to strengthen internal controls in the face of the growing risk of cyber fraud could result in an enforcement action in the future.

The SEC considered whether the nine companies that were victims of cyber-related frauds violated federal securities laws by failing to have sufficient internal accounting controls as required under the U.S. Securities Exchange Act, which requires companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management's general or specific authorization.

The SEC advises that public companies subject to the internal accounting controls requirements of the U.S. Securities Exchange Act "must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly." It also directly indicated its position that cybersecurity falls squarely within the internal control framework, stating "our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations."

The report expressly includes the objective of making "issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws." Moreover, the report concludes that the SEC "is not suggesting that every issuer that is the victim of a cyber-related scam is, by extension, in violation of the internal accounting controls requirements of the federal securities laws. What is clear, however, is that internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds."

Companies may wish to consider the following:

  • Cybersecurity Considerations are a Fundamental Part of Internal Controls. The report is a reminder to all companies of the necessity of considering cybersecurity risks when establishing internal control processes and procedures.
  • One Size Does Not Fit All. The cybersecurity measures that companies implement as part of their internal control framework should be tailored to the unique nature of cybersecurity risks as compared to other control risks, and such measures should be appropriate to their type of business and the type of cybersecurity risk to which they are vulnerable.
  • Train, Test and Train Again. As described in the report, even the most robust internal control processes cannot be effective if those required to follow them do not understand them or ignore them. On an ongoing basis, education, training and testing of the relevant personnel on internal control procedures is critical.
  • Keep Track of What Happens. Companies should document the types of cybersecurity schemes for which they become subject and how the existing internal control processes worked in the face of these schemes. This information should be regularly reported to management and used as part of each internal control review.
  • Do Not Set It and Forget It. Just as the type and sophistication of cybersecurity schemes expand, companies should assess and reassess the adequacy of internal control procedures as they learn about new threats and vulnerabilities.

Our related client publication is available here

The SEC's report is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.