Public Companies Advised to Review Internal Controls for Cybersecurity

October 25, 2018

An October 16 report from the Securities and Exchange Commission (“SEC”) asks public companies to reassess their internal accounting control systems to safeguard against potential cyber-attacks. The SEC wants issuers to evaluate the degree to which cyber-related threats should be considered when developing and maintaining their internal controls. Issuers are also asked to determine whether their internal controls can provide reasonable assurances in protecting company assets from cyber-related risks.

Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements is the result of an SEC-led investigation of nine public companies falling victim to cyber scams. One scam involved hackers posing as company executives who emailed employees who could authorize fund transfers and submitted urgent confidential requests for payments to a law firm’s foreign bank account for a pending merger. Another scam involved hacking a vendor’s computer records and falsifying invoices for payment. Hackers retrieved information regarding the vendors’ products and services and then asked employees at the companies to change the banking account information to send payments to other accounts.

As a result of the cyber-attacks, each affected company lost at least $1 million. One company reported losing $45 million from 14 unauthorized payments, while another company paid $1.5 million in false invoices. Collectively the companies lost almost $100 million; so far, they have recovered only a small amount of the money.

While the companies were victims of criminal misconduct, the SEC performed the investigation to determine whether the companies faced enforcement actions due to unaddressed flaws in their internal controls. The SEC sought to conclude if the companies complied with the Securities Exchange Act of 1934. Sections 13(b)(2)(B)(i) and 13(b)(2)(B)(iii) of the Exchange Act require companies to ensure that their internal control systems protect against making unauthorized transactions.

Ultimately, the SEC Enforcement Division declined to pursue enforcement actions against the attacked companies. Co-director Stephanie Avakian said the decision should not be indicative that the SEC will forgo pursuing other companies that could be victims. She noted the report stresses how public companies are obligated to uphold appropriate internal accounting control systems and should prioritize cyber threats when meeting such obligations.

If your company needs guidance on cybersecurity or improving your internal system controls, reach out to Cherry Bekaert’s Information Assurance & Cybersecurity practice.