SEC report seen as warning to get tough on cyber crime
A U.S. Securities and Exchange Commission report issued last week, which warns that publicly held companies whose lax internal accounting controls lead to cyber-related fraud may be violating federal law, could signal future SEC fines, experts warn.
Experts point out the report issued earlier this month follows a $1 million settlement the agency announced over an investment firm’s handling of a cyber breach, which also emphasized the SEC’s view of the importance of following good cyber security procedures.
In its latest report, the agency focused on two types of criminal cyber schemes: emails from fake executives and emails from fake vendors. The report offered examples from nine unidentified public companies and stated that the agency has determined not to pursue enforcement action against them.
But it states the commission “deems it appropriate” to make issuers “aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities law.”
Thomas O. Gorman, a partner at Dorsey & Whitney LLP in Washington, said the report’s implication is that it’s not enough to have a “nice set of policies and procedures. You’ve got to really train your people and create an environment where they’re actively monitoring these things all the time and updating them all the time.”
Experts say publicly held firms should take the SEC report as a warning of future fines over this issue. Joseph P. Facciponti, a partner with Murphy & McGonigle P.C. in New York and a former federal prosecutor who handled a wide range of financial and computer crimes, said the Voya fine and this latest report show the SEC “does intend to get aggressive with respect to cyber security.”
“It shows the SEC is examining the cyber threat from a wide range of perspectives, and will seek to use enforcement and investigative tools at its disposal to ensure companies take the right steps” in response to cyber threats, he said.
Tim Monahan, Washington-based vice president in Lockton Cos. LLC’s claims consulting group, said, “It certainly seems like they are trying” to issue “fair warnings to companies about what it is they’re expecting, and at some point, in the near or distant future, they’re going to start issuing fines to companies.”
Experts say whether there is coverage for SEC fines will depend upon the particular cyber policy.
“With the proper cyber policy, the cost for responding to the investigation, as well as the fines and penalties — that may be covered by insurance,” said Mr. Monahan. “I would say there is coverage available in the cyber marketplace, but it’s not in every policy.”
“Most insurers are offering this as one of the coverage parts in a cyber policy,” he said. The questions, he said, are whether companies are buying the coverage and whether “it is being offered in adequate amounts.”
He added that there may also be coverage under firms’ crime policies for fraudulent payments paid in connection with cyber scams.