Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges | Compliance and Enforcement

The settlement marks a striking expansion of the SEC’s view of its oversight authority over public company cybersecurity policies and procedures. In particular, the SEC Enforcement Division’s “expansive interpretation” of Section 13(b)(2)(B)—the internal accounting controls provision that the Foreign Corrupt Practices Act of 1977 (the “FCPA”) added to the Securities Exchange Act of 1934 (the “Exchange Act”)—as covering incident response policies is in clear tension with the recent statement by the Director of the SEC’s Division of Corporation Finance (“Corp Fin”) disclaiming any intent on the part of the Commission to prescribe particular cybersecurity risk management policies and procedures. The RRD settlement also troublingly suggests that, in the wake of a successful cyberattack, public companies can expect the Enforcement Division to treat any substantial intrusion as evidence of an underlying per se internal controls violation.