As U.S. public companies brace for wide-ranging changes to accounting standards, the U.S. Securities and Exchange Commission (SEC) wants corporate accountants and financial executives to have something else on their minds: cybersecurity.
Experts described the SEC's recent Report of Investigation as "unusual," as the regulator urged public companies to consider cybersecurity as they develop their internal accounting controls. In its report, published earlier this month, the SEC said it had explored the possibility that companies that fell victim to "cyber-related frauds" may have actually violated federal law.
The question the SEC considered is whether public companies hit by a cyberattack had failed to adequately develop their internal accounting controls, pointing to the millions of dollars lost by firms as a result of such attacks. The Business Email Compromise (BEC) and related scams, in which an attacker tricks an employee into believing they are a legitimate executive, business partner or vendor requesting an invoice payment, remain a growing threat to corporates large and small, and highlight the risk exposure that companies face in their B2B payment operations.
"Cyber frauds are a pervasive, significant and growing threat to all companies, including our public companies," said SEC Chairman Jay Clayton in a statement announcing the report. "Investors rely on our public issuers to put in place, monitor and update internal accounting controls that appropriately address these threats."
Pointing to Federal Bureau of Investigation (FBI) data, the SEC said U.S. companies have lost more than $5 billion as a result of BEC scams since 2013. As a result, the SEC looked at whether those scams also represent a failure among public companies to remain compliant with the Securities Exchange Act of 1934, which requires firms to develop internal accounting controls to assure "that transactions are executed with, or that access to company assets is permitted only with, management's general or specific authorization."
No Enforcement Action
As part of its investigation, the SEC ultimately decided not to pursue enforcement action against companies that had fallen victim to the BEC scam. However, that doesn't mean public companies should continue to operate without any changes to their internal accounting controls in light of heightening cyber fraud.
"In light of the risks associated with today's ever-expanding digital interconnectedness, public companies should pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that [reasonably] safeguard company and, ultimately, investor assets from cyber-related fraud," the SEC stated.
The SEC added that the legislation requires public companies to ensure that any executed transaction occurs with the authorization of management. As organizations continue to digitize and embrace digital transacting, the SEC warned that the risk of cyber-related fraud will rise, and internal accounting controls must take this into account. This is particularly true considering that the BEC scam, while not necessarily technologically sophisticated, exploits weaknesses in organizations' internal controls rather than in their technology.
"Having internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets," the SEC concluded.
While the SEC emphasized that it does not believe every public company that has fallen victim to a cyber scam is in violation of federal securities law, it is urging companies to keep cybersecurity as a top focus when developing internal accounting controls.
As reports in Mondaq noted, the SEC's report follows the development of its Cyber Unit last year, as the agency takes greater interest in corporate cybersecurity — and in potential enforcement action against companies hit by fraud and other cyberattacks.