SEC Issues Report of Investigation on Cyber-Related Frauds Perpetrated Against Public Companies: Public Companies Should Implement Sufficient Internal Controls to Avoid Becoming Victims of Cyber-Related Frauds and to Comply With the Exchange Act

Sullivan & Cromwell LLP - October 17, 2018

On October 16, the SEC issued a report on an investigation into whether nine public issuers that were victims of cyber-related frauds may have violated Sections 13(b)(2)(B)(i) and (iii) of the Exchange Act by failing to have a sufficient system of internal accounting controls to provide reasonable assurances that those frauds were detected and prevented. The issuers, which the SEC stated represent a variety of industries, were victims of two types of “business email compromise” scams that resulted in mostly unrecovered losses ranging from $1 million to over $45 million. While the SEC determined not to pursue enforcement actions against the issuers under investigation, it issued its report of investigation to make issuers aware that these cyber-related threats exist, and it concluded that all companies should re-assess the sufficiency not only of existing internal controls, but also of policies and procedures that ensure employee compliance with controls.