U.S. SEC warns corporate cyber weakness could violate federal law

By Katanga Johnson

WASHINGTON (Reuters) - Public companies that fail to tighten their cyber security controls could be violating federal law, the U.S. Securities and Exchange Commission (SEC) said on Tuesday.

The regulator's warning came in the form of a report on its investigation to assess whether nine companies that had been victims of cyber-related frauds had sufficient internal accounting controls in place as required by law.

It focussed on so-called "business email compromises" in which cyber criminals pose as company executives to dupe staff into sending company funds to bank accounts controlled by the hackers. The Federal Bureau of Investigation estimates such scams had led to $5 billion in losses since 2013, the SEC said.

The fraud did not include any sophisticated design, but rather used technology to detect the human vulnerabilities in the control system, the report said.

"We did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations," Stephanie Avakian, Co-Director of the SEC Enforcement Division, said in a statement.

The SEC did not identify the companies but said the failings of internal controls were only discovered when vendors told authorities of nonpayment on a number of outstanding invoices.

Regulators and lawmakers are increasingly focussed on the risks cyber criminals pose to companies and their customers following a series of high-profile incidents. They included the theft by hackers last year at credit reference company Equifax of personal information of more than 145 million people.

Last week, Facebook Inc said hackers stole data from 29 million Facebook accounts, adding to concerns among users and investors about the company that has been through a series of cyber scandals.

Following the Equifax breach, the SEC issued updated guidance on how and when companies should disclose cyber security risks and breaches, including potential weaknesses that have not yet been targeted by hackers but could constitute inside information.

(Reporting by Katanga Johnson; Editing by Michelle Price and Grant McCool)