Consider Cyber Threats When Implementing Internal Accounting Control
On October 16, 2018, the SEC issued an investigative report of nine public companies that fell victim to cyber fraud, losing millions of dollars in the process. In those frauds, company personnel received spoofed or otherwise compromised electronic communications purporting to be from a company executive or vendor, causing personnel to wire large sums or pay invoices to accounts controlled by the perpetrators of the scheme. The frauds in some instances lasted months and often were detected only after intervention by law enforcement or other third parties.
Spoofed or manipulated electronic communications are an increasingly familiar and pervasive problem, exposing individuals and companies, including public companies, particularly those that engage in transactions with foreign customers or suppliers, to significant risks and financial losses. The SEC cautions that public companies should consider cyber threats when devising and maintaining their systems of internal accounting controls as required by the federal securities laws.
Public issuers subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly. Systems of internal accounting controls, by their nature, depend on the personnel that implement, maintain and follow them. The investigative report also underscores the critical role training plays in implementing controls that protect assets in compliance with the federal securities laws.