On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) took the unusual step of issuing a Report of Investigation cautioning public companies that they should consider cyber threats and related human vulnerabilities when designing and implementing their internal accounting controls. The report is an outgrowth of an investigation conducted by the SEC’s Enforcement Division into whether certain public companies that were victims of cyber fraud complied with the federal securities laws requiring public companies to implement and maintain internal accounting controls. The controls provided by these provisions must be sufficient to provide reasonable assurances that transactions occur (e.g., purchasing equipment), and access to assets is permitted (e.g., checking accounts, warehouses), only in accordance with management’s authorization.
The Enforcement Division’s investigation reviewed controls at nine companies that had been victims of two variants of cyber schemes, both having to do with wire transfers. Both schemes involved fraudulent or spoofed emails, or what is known as “business email compromise.” In one variant, cyber criminals impersonated company executives by spoofing or mimicking email addresses of top executives and, using those fake addresses, instructed the company’s finance personnel to transfer large amounts of money to accounts controlled by the criminals. The other involved hacking the systems of a company’s vendor and creating fake or doctored invoices that directed the company to pay the fraudulent invoice by sending funds to an account controlled by the criminals.
Some of the fraudulent emails apparently contained what the SEC sees as clear red flags such as purported emails from company executives. Each issuer also had procedures that required “certain levels of authorizations for payment requests, management approval for outgoing wires, and verification of any changes to vendor data.” Nevertheless, the schemes “succeeded, at least in part, because the responsible personnel did not sufficiently understand the company’s existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability.” As a result of these schemes, each company lost at least $1 million, and, together, the companies lost nearly $100 million.
The SEC chose not to take action against the nine companies, but the Enforcement Division’s findings are a reminder that effective cybersecurity includes training employees to follow policies and procedures and to apply common sense and skepticism in the face of red flags. As the Commission noted, “these frauds were not sophisticated in design or the use of technology; instead, they relied on technology to search for both weaknesses in policies and practices and human vulnerabilities that rendered the control environment ineffective.” Although a firm does not necessarily violate the internal controls provisions of the Exchange Act merely because it is the victim of a cyber-related fraud, it is clear that the SEC is looking more closely and with a more questionable eye at the cybersecurity practices of public companies.
As a result, public companies should take a fresh look at their policies and procedures and ensure that their policies and procedures are appropriately tailored to the cyber threats they face, and the related human vulnerabilities of their workforce. As the report makes clear, policies and procedures are not themselves sufficient to meet companies’ obligations under the federal securities laws to have effective internal controls. These policies and procedures must be adapted to the particular enterprise. Public companies must also train their employees on these policies and procedures and, equally important, monitor and test the extent of their understanding of and compliance with such policies and procedures. Companies may also benefit from enhanced technical controls that assist in identifying fraud, such as systems that mark emails as being from external senders and aggressively filter against rogue sites.