CFO Raises Alarm on Cybersecurity as Internal Control Issue

The SEC has recently expanded its interpretation of internal accounting controls to include cybersecurity practices, classifying IT systems as 'assets' under Section 13(b)(2)(B) of the Exchange Act. This shift was highlighted in the case of RRD, which faced scrutiny for inadequate cybersecurity measures that led to a cyber breach. The SEC imposed a $2.1 million fine on RRD, asserting that the company failed to maintain sufficient internal controls to protect its IT assets from unauthorized access. Traditionally, internal accounting controls focused on financial transactions and safeguarding against errors and fraud. However, the SEC's new stance suggests that cybersecurity is now a critical component of these controls. The dissenting commissioners argued that this interpretation could lead to significant implications for companies, as any cybersecurity lapse could be classified as an internal controls violation. This development follows similar cases involving Charter Communications and Andeavor LLC, where the SEC also broadened the definition of assets in relation to internal controls. The implications of this ruling are profound, as it raises questions about the responsibilities of companies in safeguarding their IT systems and the potential for regulatory action in the event of a cyber incident. As organizations navigate the complexities of cybersecurity, they must prioritize strengthening their defenses to avoid legal repercussions and financial penalties. The SEC's evolving perspective underscores the importance of integrating cybersecurity into the framework of internal accounting controls, prompting companies to reassess their risk management strategies.