The SEC Issues Investigative Report Cautioning Public Companies To Consider Cyber Threats When Implementing Internal Accounting Controls

The United States Securities and Exchange Commission (“SEC”) issued an investigative report on Tuesday, October 16, 2018 cautioning public companies to consider cyber threats when implementing internal accounting controls.  See Press Release.

The SEC’s investigation focused on the internal accounting controls of nine issuers in a variety of industries who each lost at least $1 million due to “business email compromises” (“BECs”).  See id.  The BECs at issue involved scammers who sent emails purportedly from company executives or vendors convincing company personnel to send large sums of money to perpetrator-controlled bank accounts.  Id.  Some of the scams lasted months, and were only uncovered by law enforcement or other third parties.  Id. The Federal Bureau of Investigation “estimates that fraud involving BECs has cost companies more than $5 billion since 2013.”  Id.

In connection with its investigation, the SEC considered whether the issuers complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934.  Investigative Report at 1-2.  According to the SEC, “[t]hose provisions require certain issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization.”  Id. at 2-3.

Although the SEC declined to pursue enforcement actions against these issuers, the SEC cautioned that public companies subject to Section 13(b)(2)(B)’s requirements “should pay particular attention to” that section’s obligations and “devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.”  Id. at 2, 4.