SEC Links Cyberthreats to Internal Controls
The Securities & Exchange Commission (SEC) issued an investigative report in October 2018 cautioning that public companies should consider cyberthreats when implementing internal accounting controls. The report detailed how nine public companies fell victim to fraud by responding to illegitimate business emails and losing millions of dollars in the process.
In February 2018, the SEC issued a statement and interpretative guidance to assist public companies in preparing disclosures about cybersecurity. But that guidance may be insufficient in light of the SEC investigative report. Sen. Jack Reed (D.-R.I.) introduced a bill in March 2017 called the Cybersecurity Disclosure Act of 2017, which would require that publicly traded companies disclose in annual filings with the SEC whether any member of their governing body, such as their board of directors or general partner, possesses expertise or experience in cybersecurity. The bill was discussed in a Senate Banking Committee hearing in June 2018 but was never voted on. It’s supported by the North American Securities Administrators Association.