SEC Cautions Public Companies to Consider Cyber Threats When Implementing Internal Accounting Controls

The Securities and Exchange Commission ("SEC") has issued a press release and an investigative report, which caution public companies to consider cyber threats when implementing internal accounting controls. The report is based on the SEC's investigation into whether nine public companies who were victims of cyber-related frauds, had violated the Securities Exchange Act of 1934 due to insufficient systems with respect to their internal accounting controls.

The investigations focused on business email compromises ("email phishing"), which involved fake emails from persons purporting to be company executives or vendors, prompting their personnel to transfer large sums to bank accounts controlled by the perpetrators.

Although the SEC decided not to pursue enforcement actions against those public companies, the report emphasises the risks and threats under which the capital market and companies operate, and to which all industries are subject, due to cyber-attacks. The report states that public companies should pay more attention to the obligations under the Act, which require them to maintain internal accounting controls that reasonably safeguard the company from cyber-related frauds. According to the SEC, having sufficient internal accounting controls is an important role in a company's risk-management approach to external cyber-related threats, and, ultimately, in order to protect investors.

The Israeli Securities Authority Requires Companies to Include Cyber Threats in Filings

The Israeli Securities Authorities ("ISA") has published a new Staff Position concerning cyber-related disclosures. In its Staff Position, the ISA stated that cyber-attacks are a significant threat to the ability of companies to evolve, as well as causing loss of income, potentially leading to significant loss from which the company might be unable to recover.

Accordingly, the ISA now requires relevant companies to include information regarding cyber-attacks and potential cyber threats potentially affecting the company's performance in their fillings to the Stock Exchange, shareholders and their board of directors..

The document does not create new discovery obligations under the Israeli securities regulations but rather, emphasises the requisite attention against cyber-threats and defines conceivable threats or events under the law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.