On October 16, the US Securities and Exchange Commission (SEC) issued an investigative report highlighting issues for public companies related to spoofing cyber-frauds. The SEC's report focuses on "business email compromises" in which a person successfully masquerading as either a corporate executive or a vendor directs a corporate employee to transfer funds to an account controlled by the perpetrators of the scheme.
The SEC's report urges issuers to consider whether their current internal accounting controls are sufficient to provide "reasonable assurances" that corporate assets are safeguarded from cyber-related threats. While the SEC did not bring enforcement cases against any of the companies it investigated, future companies victimized by such schemes may not be so fortunate unless they can show that they've acted to implement internal accounting controls that minimize the risk of falling prey to these frauds.
The report is the latest in a series of SEC actions during 2018 designed to highlight the importance of addressing cybersecurity risks. The agency's warnings began with its February 2018 interpretive release, which updated the agency's October 2011 guidance on disclosure obligations for cybersecurity risks and incidents and highlighted the importance of cybersecurity policies related to disclosure controls and procedures, insider trading and selective disclosures. Next, in April 2018, the agency sued and imposed a $35 million penalty on an issuer that the SEC claimed failed to disclose a "massive" data breach adequately and in a timely manner. Most recently, in September 2018, the SEC brought its first enforcement action against a firm for inadequate cybersecurity policies and procedures which, according to the SEC, resulted in security breaches and the disclosure of confidential information.
Now, with this report, the SEC has expanded its February guidance and the issues addressed in its prior enforcement actions to remind those regulated by the SEC that cybersecurity risks implicate internal accounting controls as well as the policies and procedures referenced in the February guidance.
The SEC investigated the internal accounting controls of nine companies in a wide range of industries. Each of the companies was victimized by spoofed or compromised emails from individuals purporting to be company executives or vendors, and all suffered monetary losses to a varying degree.
There were two types of schemes: emails from impersonated executives and emails from impersonated vendors. The first scheme, according to the SEC, presented red flags that were missed; employee failures contributed to the success of both schemes.
Impersonated executives: In this common scheme, an employee, often mid-level, receives an email purportedly sent by a corporate executive. The email appears legitimate and directs the employee to take various steps ultimately resulting in the transfer of corporate funds to bank accounts controlled by the perpetrator of the fraud. Common elements of this type of scheme included:
- A purported time-sensitive transaction, generally foreign
- A claimed need for secrecy
- Claims of government oversight
- Lack of transaction details
Impersonated vendors: This scheme typically involved infiltration of the email accounts of the issuers' foreign vendors. Using the infiltrated accounts, the perpetrators sent illegitimate payment requests and revised payment details. Generally the requests were sent to issuer procurement personnel who were involved with the actual purchase orders and invoices. The procurement employees then provided the payment requests to the finance department. The issuers then sent payment to the accounts controlled by the impersonator.
Red flags and employee mistakes
The investigative report highlighted certain red flags that were missed as well as employee mistakes. These errors enabled the perpetrators to succeed in their theft of corporate assets.
As issuers consider the SEC's report, they should assess whether their internal accounting controls currently address the following risks and if not what steps the company can take to minimize these risks:
- Failure to raise questions about emails containing red flags such as:
  - Claimed time-sensitivity for an unspecified transaction
  - Claimed need for secrecy
  - Assertion that the funds were needed for foreign transactions with minimal details regarding those transactions
  - Direction to send funds to offshore accounts and
  - Spelling and grammatical errors.
- Among the employee mistakes noted in the report were:
  - Failure to follow dual-authorization wire payment requirements
  - Misinterpretation of the company's payment authorization matrix and
  - Failure to ask questions about transactions that were not within the employee's typical area of responsibility
The stakes for public companies
Per the SEC's investigative report, the Securities Exchange Act of 1934 requires public companies to establish and maintain internal accounting controls that safeguard corporate (and ultimately investor) assets from cyber-related frauds. The SEC is focusing on specific requirements that issuers devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with general or specific management authorization and (ii) access to assets is permitted only in accordance with management's general or specific authorization.
The SEC's report pointed out that the issuers victimized by these schemes came from a wide range of industries, and the report used that point to emphasize that every type of business is a potential target. In other words, every issuer is subject to these risks and should evaluate its internal accounting controls appropriately and make enhancements if necessary. Failure to do so raises the specter of an enforcement action and possible monetary sanctions for the next public company victimized by these all-too-common schemes.
Corporations should consider whether to enhance their internal accounting controls as part of a broader cybersecurity program. The SEC's report describes at a high level some of the steps taken by the companies after falling victim to the spoofing frauds, as well as some of the situations where employees did not follow controls. Companies should assess whether policy and procedure enhancements are needed in at least the following areas:
- payment authorization
- verification of vendor information changes
- account reconciliation processes and
- payment notification processes.
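As an added illustration (not part of the original article or the SEC report) of how the red flags and employee mistakes listed above, and the payment-authorization and vendor-verification controls just named, can be turned into enforceable checks, the following Python models a payment request and evaluates it against a constructed authorization matrix, a dual-authorization rule that excludes the requester, a vendor master record whose bank-detail changes must be verified out-of-band before payment, and a red-flag screen that routes suspicious requests to neutral review rather than rejecting them outright. The amount thresholds, vendor names, account numbers and email text are all constructed sample values.

```python
from dataclasses import dataclass, field
import re

# Constructed control model (added example): an authorization matrix, dual
# authorization, vendor bank-change verification and red-flag screening.

# Authorization matrix: (upper amount limit, distinct approvers required).
# Thresholds are assumed sample values, not from the SEC report.
AUTH_MATRIX = [(10_000, 1), (100_000, 2), (float("inf"), 3)]

# Red-flag language drawn from the patterns the report describes.
RED_FLAG_PATTERNS = {
    "time-sensitive language": re.compile(
        r"\b(urgent|immediately|today|asap|time[- ]sensitive)\b", re.I),
    "request for secrecy": re.compile(
        r"\b(confidential|do not (discuss|mention|tell)|keep (this )?(quiet|between us))\b", re.I),
    "claimed government oversight": re.compile(
        r"\b(regulator|government|sec)\b[^.]*\b(oversight|review|monitoring|supervis\w+)\b", re.I),
}


@dataclass
class Vendor:
    name: str
    country: str
    bank_account: str            # account held in the vendor master file
    bank_change_verified: bool   # latest change confirmed by call-back to a number already on file


@dataclass
class PaymentRequest:
    requester: str               # employee who entered the request
    vendor: Vendor
    amount: float
    destination_account: str
    destination_country: str
    invoice_ref: str             # PO / invoice reference; empty means no transaction details
    message: str                 # text of the email that prompted the request
    approvers: list = field(default_factory=list)


def required_approvals(amount: float) -> int:
    """Look up how many distinct approvers the authorization matrix demands."""
    for limit, n in AUTH_MATRIX:
        if amount <= limit:
            return n
    return AUTH_MATRIX[-1][1]


def screen_red_flags(req: PaymentRequest) -> list:
    """Return the red flags present in a request (none means nothing suspicious found)."""
    flags = [name for name, pat in RED_FLAG_PATTERNS.items() if pat.search(req.message)]
    if not req.invoice_ref.strip():
        flags.append("no transaction details (missing PO/invoice reference)")
    if req.destination_country != req.vendor.country:
        flags.append("destination account outside the vendor's country")
    return flags


def evaluate(req: PaymentRequest) -> tuple:
    """Return (decision, reasons): 'reject' on a hard control failure,
    'hold' when red flags need neutral review, 'approve' when all controls pass."""
    reasons = []
    if req.destination_account != req.vendor.bank_account:
        reasons.append("destination account does not match vendor master record")
    if not req.vendor.bank_change_verified:
        reasons.append("vendor bank details changed without out-of-band verification")
    needed = required_approvals(req.amount)
    independent = {a for a in req.approvers if a != req.requester}  # requester cannot self-approve
    if len(independent) < needed:
        reasons.append(f"needs {needed} approver(s) other than the requester, have {len(independent)}")
    if reasons:
        return "reject", reasons
    flags = screen_red_flags(req)
    if flags:
        return "hold", flags
    return "approve", []


# Constructed sample data.
ACME = Vendor("Acme Supplies Ltd", "GB", "GB00-0001", bank_change_verified=True)

# A routine, fully authorized invoice payment.
ROUTINE = PaymentRequest("pat.lee", ACME, 25_000, "GB00-0001", "GB", "INV-2231",
                         "Attached invoice INV-2231 for September delivery.",
                         approvers=["m.chen", "r.gomez"])

# Vendor-impersonation pattern: revised payment details that nobody verified by call-back.
ACME_CHANGED = Vendor("Acme Supplies Ltd", "GB", "HK00-9999", bank_change_verified=False)
VENDOR_SWAP = PaymentRequest("pat.lee", ACME_CHANGED, 25_000, "HK00-9999", "HK", "INV-2231",
                             "Please note our new bank details for this invoice.",
                             approvers=["m.chen", "r.gomez"])

# Executive-impersonation pattern: urgent, secret, no details, offshore destination.
EXEC_STYLE = PaymentRequest("pat.lee", ACME, 60_000, "GB00-0001", "HK", "",
                            "Urgent: wire today for a confidential acquisition, do not discuss with anyone.",
                            approvers=["m.chen", "r.gomez"])

# Dual-authorization mistake: the requester counted themselves as an approver.
SELF_APPROVED = PaymentRequest("pat.lee", ACME, 25_000, "GB00-0001", "GB", "INV-2240",
                               "Invoice INV-2240 attached.", approvers=["pat.lee", "m.chen"])

if __name__ == "__main__":
    for label, req in [("routine", ROUTINE), ("vendor swap", VENDOR_SWAP),
                       ("exec style", EXEC_STYLE), ("self-approved", SELF_APPROVED)]:
        print(label, evaluate(req))
```

The hard controls (account match, verified bank change, independent approvals) reject on their own; the red-flag screen only holds the request, which is the place to plug in the neutral review channel the article recommends so an employee never has to challenge a purported executive directly.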
Most importantly, and as stressed by the SEC's report, companies should increase training related to cyber-fraud and should conduct that training at all levels of the company. To reduce risk, training should be periodic and should include information regarding the types of cyber-threats employees may encounter, typical red flags and education regarding the company's policies and procedures related to payments.
Companies should also consider providing a method by which employees can ask questions regarding payment requests that include red flags. While an employee may not feel comfortable asking a higher-level employee whether his or her email is legitimate, establishing a mechanism that allows an employee to seek neutral guidance about a suspicious email will increase the likelihood that companies identify cyber-frauds earlier.
Finally, while the report is silent on whether any of the investigated companies disclosed their cybersecurity issues, companies should bear in mind the SEC's February 2018 guidance and assess disclosure obligations as well as related disclosure controls and procedures.
Cyber-threats are real and constantly evolving. The SEC's investigative report reminds companies that the securities laws require them to pay attention and proactively address such threats by implementing an effective system of internal accounting controls coupled with effective employee training.
Find out more about the implications of the investigative report by contacting Deborah Meshulam.
An earlier version of this article appeared in the New York Law Journal on October 23, 2018.