US SEC report calls for better internal accounting controls for cyber-related threats

Abstract

Purpose To summarize and explain the US Securities and Exchange Commission’s (Commission) recent report of investigation cautioning public companies to consider cyber-related threats when designing and implementing internal accounting controls. Design/methodology/approach Explains that the Commission’s report arose out of a Commission enforcement investigation into the internal accounting controls of nine unidentified public companies that were victims of email scams, explains that the Commission issued the report to emphasize that cybersecurity remains a high priority for the Commission and the report should serve as a reminder that all public companies need to consider cyber-related threats when devising and maintaining internal accounting controls and provides practical considerations for public companies to consider in light of the Commission’s report. Findings Public companies should assume that the Commission is actively monitoring all areas related to cybersecurity, including corporate disclosures of cyber-related incidents and also whether companies have established policies, procedures, and internal controls in place to ensure cyber-related incidents are prevented. Given that assumption, public companies should take prompt steps to assess and, if appropriate, improve internal accounting controls, disclosure controls, and cyber-related policies and procedures to address the risk of cyber-related incidents. Originality/value Practical guidance from experienced securities lawyers.