Cyber Risk and Internal Accounting Controls: How Should Boards Respond?
The SEC warns public companies that lax cybersecurity practices could violate rules governing internal accounting controls, and offer nine scams as cautionary tales.
The SEC has become increasingly active when it comes to cybersecurity. Last month, it issued an investigative report about Business Email Compromises (BCEs) involving nine public companies that lost nearly $100 million when they wired funds to thieves impersonating corporate executives or vendors. While the SEC did not take action against the companies, it noted that policies and procedures that allowed for the thefts, accomplished via simple means of email and wire transfers, could leave a company in violation of accounting rules requiring that public companies safeguard corporate assets. The report makes a strong case that all companies, not just the boards of public companies, need to be aware of and protect against scams of these sorts.
The Commission considered whether the victimized companies complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934. Those provisions require certain issuers to devise and maintain a system of internal accounting controls that provide reasonable assurances that management authorizes corporate transactions and access to company assets. “While the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not,” the report stated.
The Commission chose to issue the report as guidance and declined to bring charges against the companies. While these companies dodged a second bullet, all companies should take this opportunity to benefit from the SEC’s analysis, and how important it is that board members understand the multiple aspects of cybersecurity, cyber risk, and related compliance.
Some directors may still assume that a cybersecurity breach is one that involves hackers infiltrating a company’s computer systems and stealing the customer data. With this preconception, an enterprise will focus on hardware, software, and firewalls and other technical solutions, which can lull management into thinking that increasing the data security budget is enough to address security threats. But almost all breaches have a human element – these losses cited in the SEC report were based on social engineering,” which we’ve written about – exploiting human weakness, not technological failures. The only thing “hacked” was what should have been the proper level of suspicion of the employee targeted, and lax internal controls. So how should companies respond, and what do board members and top executives need to do to avoid problems?
- Review Internal Accounting Controls. First, as the SEC stated, “Ultimately, issuers themselves are in the best position to develop internal accounting controls that account for their particular operational needs and risks in complying with Section 13(b)(2)(B). In performing this analysis, issuers should evaluate to what extent they should consider cyber-related threats when devising and maintaining their internal accounting control systems.” This report makes it clear that internal controls – policies and procedures – must be a priority. Wise companies will take action now and provide their boards sufficient information to assess the landscape.
- Ensure a Holistic, Company-Wide Approach. Business Email Compromises (BCEs) highlighted in the Report show the importance of the “human factor” in cybersecurity. The SEC noted that the scams preyed on “weaknesses in policies and procedures and human vulnerabilities.” Cybersecurity requires not just hardened hardware and software, but a culture of security, and that culture starts at the top. Board members and top executives set the standard for the safety mindset of all employees. The SEC calls it “enterprise-wide risk management.” Boards need to highlight this approach, and create an enterprise that values privacy and security.
- Include the Board in Cybersecurity Reviews. This SEC report shows that when it comes to cybersecurity, the Commission believes strongly that all company assets are to be protected, not just customer or personally identifiable information. Rather than give a board a finalized cybersecurity plan, board members should adopt the language and framework for analysis needed to thoughtfully evaluate whether current corporate efforts are sufficient. Boards should address cyber policies the same way they address other key business decisions – challenge the adequacy of safeguards and take a broad look at controls and response plans.
- An Educated and Informed Board. The company’s chief security executive – the CIO, CSO or CTO – should have a place at the table at board meetings. He or she can be available to address questions and offer insights. While board members are adept at analyzing other forms of risk, few have a background in cybersecurity.
- Consider Expanding the Board. Diversity on a board is vital. It may be worth expanding the board to include a member with a background in cybersecurity. This sends a strong message that the company takes security seriously.
The SEC is unambiguous that it expects a “mindful” approach to cybersecurity and internal controls. The report concluded, “Given the prevalence and continued expansion of these attacks, issuers should be mindful of the risks that cyber-related frauds pose and consider, as appropriate, whether their internal accounting control systems are sufficient to provide reasonable assurances in safeguarding their assets from these risks.” It shows once again that cybersecurity needs to be a corporate mission that moves well beyond IT to all corporate departments.
—
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.