Adding Insult to Injury: SEC Warns That Cyber Incidents May Lead to Enforcement Action
Client Memorandum

Created date


On Tuesday, the Securities and Exchange Commission issued a Section 21(a) report of investigation emphasizing the importance of assessing the likelihood of cyberattacks when designing internal accounting controls and conducting training for personnel responsible for their implementation. The SEC’s enforcement division examined incidents at nine unnamed public companies that had been victims of cyber fraud comprised of “business email compromise” or “phishing” schemes in which employees were tricked into wiring money to accounts controlled by bad actors posing as company executives or vendors. The SEC investigated the companies’ compliance with provisions of the Securities Exchange Act of 1934 requiring maintenance of a system of internal accounting controls. While the SEC concluded that enforcement action was not warranted, the report thus effectively serves as notice that in the future, a company experiencing a cyber event could later find itself in the SEC’s crosshairs.