Oct 252018

SEC Cautions Public Companies to Address Cyber Threats as Part of Internal Accounting Controls

Ike Adams, Thomas J. Kim and Stephen L. Cohen
, , , , , ,

On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) took the unusual step of issuing a Report of Investigation cautioning public companies that they should consider cyber threats and related human vulnerabilities when designing and implementing their internal accounting controls. The report is an outgrowth of an investigation conducted by the SEC’s Enforcement Division into whether certain public companies that were victims of cyber fraud complied with the federal securities laws requiring public companies to implement and maintain internal accounting controls. The controls provided by these provisions must be sufficient to provide reasonable assurances that transactions occur (e.g., purchasing equipment), and access to assets is permitted (e.g., checking accounts, warehouses), only in accordance with management’s authorization.

The Enforcement Division’s investigation reviewed controls at nine companies that had been victims of two variants of cyber schemes, both having to do with wire transfers.  Both schemes involved fraudulent or spoofed emails, or what is known as “business email compromise.” In one variant, cyber criminals impersonated company executives by spoofing or mimicking email addresses of top executives and, using those fake addresses, instructed the company’s finance personnel to transfer large amounts of money to accounts controlled by the criminals. The other involved hacking the systems of a company’s vendor and creating fake or doctored invoices that directed the company to pay the fraudulent invoice by sending funds to an account controlled by the criminals.

Some of the fraudulent emails apparently contained what the SEC sees as clear red flags such as purported emails from company executives. Each issuer also had procedures that required “certain levels of authorizations for payment requests, management approval for outgoing wires, and verification of any changes to vendor data.” Nevertheless, the schemes “succeeded, at least in part, because the responsible personnel did not sufficiently understand the company’s existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability.” As a result of these schemes, each company lost at least $1 million, and, together, the companies lost nearly $100 million.

The SEC chose not to take action against the nine companies, but the Enforcement Division’s findings are a reminder that effective cybersecurity includes training employees to follow policies and procedures and to apply common sense and skepticism in the face of red flags. As the Commission noted, “these frauds were not sophisticated in design or the use of technology; instead, they relied on technology to search for both weaknesses in policies and practices and human vulnerabilities that rendered the control environment ineffective.” Although a firm does not necessarily violate the internal controls provisions of the Exchange Act merely because it is the victim of a cyber-related fraud, it is clear that the SEC is looking more closely and with a more questionable eye at the cybersecurity practices of public companies.

As a result, public companies should take a fresh look at their policies and procedures and ensure that their policies and procedures are appropriately tailored to the cyber threats they face, and the related human vulnerabilities of their workforce. As the report makes clear, policies and procedures are not themselves sufficient to meet companies’ obligations under the federal securities laws to have effective internal controls. These policies and procedures must be adapted to the particular enterprise. Public companies must also train their employees on these policies and procedures and, equally important, monitor and test the extent of their understanding of and compliance with such policies and procedures. Companies may also benefit from enhanced technical controls that assist in identifying fraud, such as systems that mark emails as being from external senders and aggressively filter against rogue sites.

Ike Adams

Washington, D.C.

iadams@sidley.com

Thomas J. Kim

tkim@sidley.com

Stephen L. Cohen

Washington, D.C., Boston, ...

scohen@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.