Nine unnamed public companies found themselves the target of an SEC investigation after they fell victim to “business email compromises,” a type of cyber fraud that cost them nearly $100 million combined. While the SEC did not initiate enforcement actions against any of these companies, the resulting Report signals the Commission’s intent to pursue companies for internal accounting controls violations, adding another tool (in addition to the Safeguards Rule, the Red Flags Rule, disclosure rules and others) to its enforcement arsenal. In this article, we review the Report’s findings with insight from Davis Polk partner Avi Gesser on SEC enforcement and how to avoid BEC scams. See also “SEC Confirms Cyber Disclosure Expectations in New Guidance” (Feb. 28, 2018).