On October 16th, the US Securities and Exchange Commission published Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements.
This is an important report that risk and audit professionals should read and consider. They should also consider bringing it to the attention of the board and its audit committee.
The SEC investigated cyber-related frauds against “nine issuers that were victims of one of two variants of schemes involving spoofed or compromised electronic communications from persons purporting to be company executives or vendors”.
They said that:
“Each of the nine issuers lost at least $1 million; two lost more than $30 million. In total, the nine issuers lost nearly $100 million to the perpetrators, almost all of which was never recovered. Some of the investigated issuers were victims of protracted schemes that were only uncovered as a result of third-party actions, such as through detection by a foreign bank or law enforcement agency. Indeed, one company made 14 wire payments requested by the fake executive over the course of several weeks—resulting in over $45 million in losses—before the fraud was uncovered by an alert from a foreign bank. Another of the issuers paid eight invoices totaling $1.5 million over several months in response to a vendor’s manipulated electronic documentation for a banking change; the fraud was only discovered when the real vendor complained about past due invoices.”
The report described the schemes used, generally the result of spoofs that fooled company management and staff.
The SEC had previously issued guidance related to the disclosure of cyber-related risks and incidents. Commission Statement and Guidance on Public Company Cybersecurity Disclosures should be read and understood for its implications for risk management and on a company’s disclosure controls and procedures (the adequacy of which the CEO and CFO are required to attest in their quarterly and annual filings by s302 of the Sarbanes-Oxley Act of 2002).
In this report, the SEC states:
“In light of the risks associated with today’s ever expanding digital interconnectedness, public companies should pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds. More specifically, Section 13(b)(2)(B)(i) and (iii) require certain issuers to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization,” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.” As the Senate underscored when these provisions were passed, “[t]he expected benefits from the conscientious discharge of these responsibilities are of basic importance to investors and the maintenance of the integrity of our capital market system.”
Please note that the legal requirement to have internal controls that prevent and, if necessary, detect frauds is not new. The guidance in this new report by the SEC simply points out that the system of internal control should address the risk of fraud due to cyber-related activities. Those should include not only the spoofs discussed in the SEC report, but also any losses due to hackers breaching cyber defenses.
THIS IS NOT A NEW SARBANES-OXLEY s404 REQUIREMENT.
SOX s404 still requires a top-down and risk-based approach that will prevent or detect, on a timely basis, a material misstatement (error or omission) of the financial statements that are filed with the SEC.
- Internal Control over Financial Reporting for SOX s404 only needs to address frauds that might be material (in amount or based on a qualitative factor, in rare cases) to the prudent investor.
- Even those only need to be covered by the s404 scope if they would result in a misstatement of the financials filed with the regulator. If the fraud loss is correctly recorded and reported as an operating expense, the financials are not This is expressly stated in Auditing Standard No. 5.
- However, it is appropriate to have controls that will prevent or detect lower levels of cyber-related fraud when doing so makes good business sense – in other words when justified by the level of risk to the business. The controls that address the lower levels of risk should not be included in scope for SOX.
So, read the report (and the earlier guidance on disclosures) and discuss what it means to your organization. But don’t rush to add non-material cyber-related fraud to your scope for SOX.
I welcome your comments.