CFO Raises Alarm on Cybersecurity as Internal Control Issue
- The SEC has classified IT systems as 'assets' under Section 13(b)(2)(B) of the Exchange Act, expanding the scope of internal accounting controls.
- RRD was fined $2.1 million for failing to maintain adequate cybersecurity measures, which the SEC deemed necessary for protecting these assets.
- This shift in regulatory interpretation suggests that companies must now consider cybersecurity as a critical aspect of their internal controls to avoid potential violations.
The SEC has recently expanded its interpretation of internal accounting controls to include cybersecurity practices, classifying IT systems as 'assets' under Section 13(b)(2)(B) of the Exchange Act. This shift was highlighted in the case of RRD, which faced scrutiny for inadequate cybersecurity measures that led to a cyber breach. The SEC imposed a $2.1 million fine on RRD, asserting that the company failed to maintain sufficient internal controls to protect its IT assets from unauthorized access.

Traditionally, internal accounting controls focused on financial transactions and safeguarding against errors and fraud. However, the SEC's new stance suggests that cybersecurity is now a critical component of these controls. The dissenting commissioners argued that this interpretation could lead to significant implications for companies, as any cybersecurity lapse could be classified as an internal controls violation. This development follows similar cases involving Charter Communications and Andeavor LLC, where the SEC also broadened the definition of assets in relation to internal controls.

The implications of this ruling are profound, as it raises questions about the responsibilities of companies in safeguarding their IT systems and the potential for regulatory action in the event of a cyber incident. As organizations navigate the complexities of cybersecurity, they must prioritize strengthening their defenses to avoid legal repercussions and financial penalties. The SEC's evolving perspective underscores the importance of integrating cybersecurity into the framework of internal accounting controls, prompting companies to reassess their risk management strategies.