Adding Insult to Injury: SEC Warns That Cyber Incidents May Lead to Enforcement Action
On Tuesday, the Securities and Exchange Commission issued a Section 21(a) report of investigation emphasizing the importance of assessing the likelihood of cyberattacks when designing internal accounting controls and conducting training for personnel responsible for their implementation. The SEC’s enforcement division examined incidents at nine unnamed public companies that had been victims of cyber fraud consisting of “business email compromise” or “phishing” schemes in which employees were tricked into wiring money to accounts controlled by bad actors posing as company executives or vendors. The SEC investigated the companies’ compliance with provisions of the Securities Exchange Act of 1934 requiring maintenance of a system of internal accounting controls. While the SEC concluded that enforcement action was not warranted, the report effectively serves as notice that, in the future, a company experiencing a cyber event could find itself in the SEC’s crosshairs.