SEC issues Section 21(a) investigative report regarding the implications of cyberscams for internal controls
Today, the SEC issued an investigative report under Section 21(a) that advises public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report investigated whether a number of defrauded public companies “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.”
Here’s a reminder from the SEC: interim financial statements included in Forms 10-Q are required to be “reviewed” by outside auditors. On Friday, in a first enforcement proceeding of its kind, the SEC announced charges against five companies that had filed their 10-Qs with their quarterly financial statements prior to review by their independent external auditors.
SEC enforcement action for materially misleading projections in the face of red flags and other actions
In case anyone needed a reminder from the SEC, this case against Sonus Networks, its CFO and VP of Sales may well serve as one: per the SEC’s Associate Director of Enforcement, a company needs to have a “reasonable basis” if it makes public projections or estimates about future financial results: “The investing community expects that when companies choose to provide public financial projections, there is a reasonable basis underpinning those projections….When a company ignores red flags or takes steps to make public financial projections inaccurate we will take appropriate action.”
This SEC Order, In the Matter of The Dow Chemical Company, is a great refresher—at Dow’s expense, unfortunately for Dow—on the analysis required to determine whether or not certain expenses and benefits are perquisites or personal benefits that must be disclosed in the Summary Comp Table in the proxy statement. As you probably know, the analysis for determining whether an item is a disclosable “perk” can be very tricky to apply, especially when it involves the use of corporate jets by executives and their friends and families. The SEC claims that Dow applied the wrong standard altogether in its analysis, failing to disclose over a five-year period $3M in CEO perks and understating the CEO’s disclosed perks by an average of 59%. Dow settled the charges for a fine of $1.75M and also undertook to engage an independent consultant that would perform a review of Dow’s policies, procedures and controls and conduct training related to the determination of perks.
In this recent Cooley Alert, SEC Issues New Guidance on Cybersecurity Disclosure and Policies, we wrote that the SEC had not yet brought a formal enforcement proceeding for failure to make timely disclosure regarding cybersecurity risks and/or cyber incidents, and asked whether an enforcement action might just be on the horizon. In that regard, we noted that, in 2017, the co-director of the SEC’s Enforcement Division had warned that, although the SEC was “not looking to second-guess good faith disclosure decisions,” enforcement actions were certainly possible in the right circumstances. Indeed, the co-director had cautioned that no one should mistake the absence of enforcement actions for an unwillingness by the SEC to pursue companies with inadequate cybersecurity disclosures before and after breaches or other incidents. Apparently, SEC Enforcement has now identified circumstances it considers to be “right”: today, the SEC announced “that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”
In light of the recent fraud charges against audit firm partners and the PCAOB, what questions should audit committees ask their outside auditors?
Recent civil and criminal fraud charges against partners at KPMG and staffers at the PCAOB, arising out of “their participation in a scheme to misappropriate and use confidential information relating to the PCAOB’s planned inspections of KPMG,” have led some management teams and audit committee members to consider whether there is more they should be doing to ensure that their outside audit firms are not plagued by similar concerns. This article from Compliance Week sifts through a speech by Helen Munter, PCAOB director of inspections and registration, to assemble a series of questions that, in light of these recent charges, may be appropriate for audit committee members to pose to their outside audit firms.
Yesterday, the SEC filed charges against six CPAs, including former staffers at the PCAOB and former partners of KPMG, arising out of “their participation in a scheme to misappropriate and use confidential information relating to the PCAOB’s planned inspections of KPMG.” All have now been separated from KPMG or the PCAOB, and the U.S. Attorney’s Office for the SDNY has filed criminal charges. Here is the press release, which advises that the “SEC stands ready to work with issuers to ensure that collateral effects, if any, to issuers and, in particular, their shareholders are minimized.”