ARTICLE
5 February 2019

SEC Report Urges Public Companies To Consider Cyber Threats In Internal Accounting Controls

A&O Shearman


On 16 October 2018, the U.S. Securities and Exchange Commission (SEC) issued a report on an investigation conducted by the SEC's Division of Enforcement related to the internal accounting controls at nine public companies that were the victims of cyber fraud. The report draws attention to the growing issue of cyber fraud, highlights what it believes are necessary and best practices in this area and, importantly, cautions all public companies that failure to strengthen internal controls in the face of the growing risk of cyber fraud could result in an enforcement action in the future.

The SEC considered whether the nine companies that were victims of cyber-related frauds violated federal securities laws by failing to have sufficient internal accounting controls as required under the U.S. Securities Exchange Act. That Act requires companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed, and access to company assets is permitted, only in accordance with management's general or specific authorization.

The SEC advises that public companies subject to the internal accounting controls requirements of the U.S. Securities Exchange Act "must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly." It also directly indicated its position that cybersecurity falls squarely within the internal control framework, stating "our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations."

The report expressly includes the objective of making "issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws." Moreover, the report concludes that the SEC "is not suggesting that every issuer that is the victim of a cyber-related scam is, by extension, in violation of the internal accounting controls requirements of the federal securities laws. What is clear, however, is that internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds."

Companies may wish to consider the following:

  • Cybersecurity Considerations are a Fundamental Part of Internal Controls. The report is a reminder to all companies of the necessity of considering cybersecurity risks when establishing internal control processes and procedures.
  • One Size Does Not Fit All. The cybersecurity measures that companies implement as part of their internal control framework should be tailored to the unique nature of cybersecurity risks as compared to other control risks, and such measures should be appropriate to their type of business and the type of cybersecurity risk to which they are vulnerable.
  • Train, Test and Train Again. As described in the report, even the most robust internal control processes cannot be effective if those required to follow them do not understand them or ignore them. On an ongoing basis, education, training and testing of the relevant personnel on internal control procedures is critical.
  • Keep Track of What Happens. Companies should document the types of cybersecurity schemes to which they are subjected and how the existing internal control processes performed in the face of those schemes. This information should be regularly reported to management and used as part of each internal control review.
  • Do Not Set It and Forget It. As the types and sophistication of cybersecurity schemes expand, companies should assess and reassess the adequacy of their internal control procedures as they learn about new threats and vulnerabilities.

Our related client publication is available here.

The SEC's report is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
