The Securities and Exchange Commission (SEC) this week issued an investigative report that outlined cyber incidents that nine public companies had experienced, causing fraudulent losses totaling more than $100 million. The conclusion of the report is that public companies “should consider cyber threats when implementing internal controls.”

The investigations focused on business email compromises where intruders posed as company executives or vendors and used emails (usually through phishing and spear phishing campaigns) to trick employees into sending large amounts of money to bank accounts controlled by the fraudsters. According to the report, these campaigns lasted months on end, and the funds were largely not recoverable. The report cited an FBI statistic that business email compromise has cost U.S. companies more than $5 billion since 2013.

The companies were from different industries, including technology, machinery, real estate, energy , financial and consumer goods. This is instructive for all companies to see that victim companies are in every industry and no industry is immune. SEC Chairman Jay Clayton stated “Cyber frauds are a pervasive, significant, and growing threat to all companies including our public companies. Investors rely on our public issuers to put in place, monitor, and update internal accounting controls that appropriately address these threats.”

Although none of the companies were fined as a result of the security incidents, the SEC stated “…our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations.”