Paul Rosen; Daniel Zelenko; Kate M. Growley, CIPP/G, CIPP/US; Michael G. Gruden, CIPP/G; Paul Mathis

Concluding its investigation into the internal accounting controls of nine public issuers that were recent cyber fraud victims, the Securities and Exchange Commission (“SEC”) Division of Enforcement explicitly reminded issuers to consider cyber-related threats in developing and deploying their Section 13(b)(2)(B) internal accounting controls.

The SEC emphasized the importance of tailoring internal accounting controls to cyber-related threats, noting that cyber frauds like those carried out in the nine cases it investigated have caused “over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017.”

In the first set of frauds, known as “business email compromises,” perpetrators sent “spoofed” emails to finance personnel, meaning the sender’s information was deliberately masked to look like it came from a company executive’s email address. The spoofed emails then instructed the personnel to wire funds to foreign bank accounts. In addition, the perpetrators compromised vendor email systems to send surreptitious requests directly from the compromised system. Several issuers only became aware of the frauds when legitimate vendors complained of unpaid or outstanding invoices or when the frauds were flagged by banks or law enforcement. Nearly $100 million was lost across all nine issuers, most of which was unrecoverable.

As the SEC explained, these frauds were, in general, technologically unsophisticated.  They relied primarily on “weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.”  Misinterpretation of existing controls and procedures led company personnel to conclude that the fraudulent communications were “sufficient to process significant wire transfers or changes to vendor banking data.”  

Moving forward, the SEC said issuers should take affirmative steps to strengthen their “account reconciliation procedures and outgoing payment notification” processes to detect and prevent cyber-based fraud. The SEC also focused on training, advising that personnel should be trained to “implement, maintain, and follow” these updated procedures so as to properly identify cyber frauds. Relevant training may focus on identifying “indicators” of unreliability in emails and other messages. As the SEC detailed, among the nine investigations, “there were numerous examples where the recipients of the fraudulent communications asked no questions about the nature of the supposed transactions, even where such transactions were clearly outside of the recipient employee’s domain.”

The agency did make clear that simply because an issuer “is the victim of a cyber-related scam” does not necessarily indicate the issuer is “in violation of the internal accounting controls requirements.”  However, the SEC concluded that “issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly” (emphasis added).