On October 16, 2018, the SEC issued a Report of Investigation dealing with cyber threats and ICFR. These are unusual reports from the Division of Enforcement. They generally result from a formal investigation that identifies a significant concern on the part of the SEC but that, in the SEC's judgment, does not warrant enforcement against a company.
As an example, you might remember this Report of Investigation that dealt with the use of social media by Netflix’s CEO.
The new Report of Investigation deals with one of the current environment’s hot topics, cyber-crime, focusing specifically on email-related frauds. The SEC investigated frauds at nine companies, each of which was victimized in an email-related cyber-attack. In total the companies lost almost $100 million.
In light of all the surrounding facts and circumstances (the companies were also the victims), the SEC did not enforce against the companies. But as this type of crime becomes more and more common, ICFR should change and evolve to be appropriately designed to protect assets from such cybercrimes. In the words of the SEC:
“these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws”.
You can read the report here.
As always, your thoughts and comments are welcome!