Last week, the Securities and Exchange Commission published an investigative report. The report discusses the Commission’s investigation of nine public companies that were subject to cyber breaches. The breaches involved email compromises that directed the companies to send money to third parties.
The Commission found that in many instances the recipients at the companies failed to follow or did not understand their companies’ controls and processes.
The Commission notes that public companies are required to have internal accounting controls in place that provide reasonable assurance that transactions are executed with, or that access to company assets is permitted only with, management’s authorization. Companies should reassess their internal accounting controls in light of the risks associated with cyber incidents and consider whether their controls are effective. In addition, companies should conduct appropriate training for employees. Although the Commission did not pursue enforcement action against the companies that are the subject of the report, it is clear that Commission may in the future review the sufficiency of internal accounting controls in connection with cyber breaches and may take enforcement action for internal control failings.