Globally, internal control is a hot issue for financial companies on several fronts, including environmental, social and governance -- or ESG -- issues as well as cybersecurity. This is because internal control is the process implemented by companies to ensure compliance with the law and the reliability of its information and financial reporting, therefore it is an area of law that must adapt to the changing legal and business environments. Accordingly, as the world focuses on a sustainable future and faces an ever-growing number of online transactions, particularly in the wake of COVID-19, these areas have emerged as areas of focus for internal control.

Historically, changes to internal control regulations have been proposed in response to financial crises.

For example, the 2008 mortgage-backed securities crisis in the US resulted in systematically important financial institutions being subject to additional regulations, among other measures. In Korea, internal control regulations are now being reconsidered on the heels of the recent financial crisis caused by Lime, Optimus and the companies that sold derivative-linked funds. Accordingly, this juncture in history is somewhat unique in that current internal control trends such as ESG are largely being driven by, in addition to regulators, other stakeholders such as shareholders investing in the future.

In the case of sustainability-related internal control, many financial companies are adapting their compliance programs to new sustainability-related disclosures being mandated by regulators.

For example, in the UK climate change-related disclosures will be required starting in April consistent with the well-known climate change disclosure recommendations from the Task Force on Climate-Related Financial Disclosures. Likewise, the United States Securities and Exchange Commission is expected to propose new climate-related disclosure requirements by year-end consistent with TCFD and other such frameworks. And, according to certain remarks by current SEC Chair Gary Gensler, the SEC appears to be headed in the direction of proposing mandatory climate change disclosure requirements in annual reports that comprise quantitative disclosures such as greenhouse gas emission metrics as well as qualitative disclosures, such as how such emissions and other climate change risks are managed internally.

Although these new ESG disclosure requirements would apply to public companies generally, the recent regulatory changes are pushing financial companies to establish new ESG internal control measures related to governance, such as forming sustainability committees to oversee the new information gathering and external reporting functions.

Furthermore, to identify, manage and mitigate ESG risks, financial companies are undertaking control activities such as generating internal and external ESG reports to collect, monitor and report reliable information. To effectively collect and disseminate reliable ESG information, many boards are reestablishing company objectives to structure the control environment in which such ESG data can be identified and collected. As a result, the audit process, which is a key internal control function relating to the governance of a company, is being extended to managing and ensuring the quality of ESG information in some cases.

In addition to sustainability-related disclosures, overseas regulators are increasingly penalizing lax cybersecurity control in financial companies.

Larger percentages of transactions have been occurring online, with a spike in the past year due to the COVID-19 crisis shutting down the physical operations of many companies around the world. A correlated increase in digital crimes has been taking place, and attempted data breaches and ransomware attacks occur on an ongoing basis. Consequently, regulators abroad such as the SEC and Financial Industry Regulatory Authority are placing additional focus on internal control pertaining to maintaining healthy cybersecurity systems within companies, and are taking enforcement actions against companies that fail to properly implement, maintain or disclose such cybersecurity systems.

Financial companies are especially at risk for these types of cybersecurity issues due to the number of digital transactions such companies execute on a daily basis and, for the very same reason, financial companies also make attractive targets for hackers. Therefore, financial companies must be especially vigilant of changing internal control requirements pertaining to cybersecurity.

For example, in August 2021, the SEC charged Cetera Financial Group in the US for having lax cybersecurity control and for using misleading information in breach disclosures. Lately, US regulators have begun to crack down with larger civil penalties of $1 million or more on public companies that fail to properly disclose cybersecurity risks by watering down their disclosures concerning data breaches.

Because internal control systems must adapt to changing legal and business environments to ensure companies comply with applicable laws and have adequate processes in place to produce reliable information, it is advisable for financial companies to review and update their internal control systems in accordance with these changing ESG and cybersecurity-related disclosure requirements, as these considerations will continue to be an undeniable part of the global political landscape for the foreseeable future.

Je Ok-pyeong and S. Janet Lee
Je Ok-pyeong is a partner at Yoon & Yang, with expertise in general finance, financial regulations and compliance, government investigations and financial and capital market disputes. S. Janet Lee is a US-qualified attorney at Yoon & Yang, with expertise in mergers and acquisitions, private equity transactions, foreign investments and general corporate law. -- Ed.