SEC Investigative Report Warns Public Companies To Prioritize Cybersecurity In Their Accounting Controls

King & Spalding

On October 16, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued an investigative report advising public companies that internal accounting controls should “reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” The report was based on the SEC Enforcement Division’s investigations of nine companies that fell victim to cyber fraud due to “business email compromises” (“BECs”). The frauds involved emails from fake executives or fake vendors who duped company personnel into sending large sums of money to bank accounts controlled by the perpetrators, costing those companies millions of dollars.

In some instances, the BEC schemes lasted months and were only detected after intervention by law enforcement or third parties. The SEC report indicated that each of the nine companies lost at least $1 million, two lost more than $30 million, and one lost more than $45 million. Most of those funds were unrecoverable.

The SEC typically issues investigative reports like this one—in lieu of enforcement actions against the companies or individuals involved—to signal the Commission’s views in areas that may be new or previously unclear.

According to a statement issued by the SEC in connection with its report: “Public issuers subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly. The FBI estimates fraud involving BECs has cost companies more than $5 billion since 2013.” Co-Director of the Enforcement Division Stephanie Avakian added: “[O]ur report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations.”

Much of the SEC’s prior enforcement activity related to cybersecurity has focused on regulated entities (broker-dealers, investment advisers, and investment companies), such as in actions pursuing violations of the SEC’s Safeguards Rule and, for the first time in September 2018, violations of the Identity Theft Red Flags Rule, which are designed to safeguard confidential consumer information and to protect customers from identity theft.

The SEC has rarely brought actions against publicly traded companies that were themselves victims of a cybersecurity incident. Earlier this year, on April 24, Altaba, Inc. (f/d/b/a Yahoo! Inc.) settled charges that it violated Sections 17(a)(2) and (3) of the Securities Act of 1933 as well as the disclosure controls provisions of the Exchange Act in connection with its failure to disclose a material data breach for nearly two years. The company paid a $35 million penalty to resolve these charges, which ranked as one of the largest SEC penalties during the past year.

The SEC’s October 16 investigative report further underscores the need for public companies—as well as regulated entities—to consider cybersecurity risk when designing, maintaining, and implementing effective internal accounting controls.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
