Strengthening internal controls to prevent and mitigate cyberfraud

SEC crackdown on cyberfraud looms large

Mar 18, 2019

On Oct. 16, 2018, the U.S. Securities and Exchange Commission (SEC) issued a report stating that inadequate prevention of cyber-related fraud risk may violate the internal accounting control provisions of the Exchange Act of 1934. This report summarized the SEC’s investigation of nine issuers that lost millions of dollars due to cyberfraud. The report reminded companies of their control requirements and left open the potential for enforcement actions.

The SEC made it clear that public companies subject to section 13(b)(2)(B) of the Securities Exchange Act—the federal securities law provision covering internal controls—have an obligation to assess and calibrate internal accounting controls for the risk of cyberfrauds and adjust policies and procedures accordingly.

Given the comments made by the SEC, what should a public company be doing?

RSM has compiled a list of the key areas to focus on for the prevention and detection of cyberfraud and for mitigating potential reputational harm, financial loss or enforcement actions.

To combat a cyberattack like the one described in the SEC’s report, an organization needs to ensure that specific prevention measures relating to internal controls are in place. These general preventative measures range from creating a fraud risk management program to mandating that all employees receive security awareness training.

In addition, preventative measures around payroll and disbursements should be considered to reduce the likelihood of fraud.

Although these cyberattacks begin with computer skills and social engineering techniques, having the proper internal controls in place can limit the financial damage and reputational concerns that a company may face. By staying aware of emerging fraud techniques—and their impact on the company—you can better prepare yourself to avoid such issues in the future.


RSM contributors