Concluding its investigation into the internal accounting controls of nine public issuers who were recent cyber fraud victims, the Securities and Exchange Commission (“SEC”), Division of Enforcement explicitly reminded issuers to consider cyber-related threats in developing and deploying their Section 13(b)(2)(B) internal accounting controls.

The SEC emphasized the importance of tailoring internal accounting controls to cyber-related threats, noting that cyber frauds like those carried out in the nine cases it investigated have caused “over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017.”

In the first set of frauds, known as “business email compromises,” perpetrators sent “spoofed” emails to finance personnel, meaning the sender information was deliberately masked to look like it came from a company executive’s email address. The spoofed emails then instructed the personnel to wire funds to foreign bank accounts. In addition, the perpetrators compromised vendor email systems and sent fraudulent payment requests directly from the compromised systems. Several issuers only became aware of the frauds when legitimate vendors complained of unpaid or outstanding invoices, or when banks or law enforcement flagged the transactions. Nearly $100 million was lost across the nine issuers, most of which was unrecoverable.

As the SEC explained, these frauds were, in general, technologically unsophisticated. They relied primarily on “weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.” Misinterpretation of existing controls and procedures led company personnel to conclude that the fraudulent communications were “sufficient to process significant wire transfers or changes to vendor banking data.”

Moving forward, the SEC said issuers should take affirmative steps to strengthen their “account reconciliation procedures and outgoing payment notification” processes to detect and prevent cyber-based fraud. The SEC also focused on training, advising that personnel should be trained to “implement, maintain, and follow” these updated procedures so as to properly identify cyber frauds. Relevant training may focus on identifying “indicators” of unreliability in emails and other messages. As the SEC detailed, among the nine investigations, “there were numerous examples where the recipients of the fraudulent communications asked no questions about the nature of the supposed transactions, even where such transactions were clearly outside of the recipient employee’s domain.”
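The following is an added example, not code from the post or from the SEC report, showing what the controls described above look like when written down: a triage routine for the kind of email “indicators” the SEC refers to (an executive’s display name on an external address, a Reply-To that differs from the From address, a one-character lookalike domain, urgency language, and a payment instruction sent to someone outside the finance function), an out-of-band callback check before vendor banking data is changed, and a reconciliation of outgoing wires against approved vendor/bank pairs. Every name, domain, account identifier and message in the block is constructed for illustration; the issuer domain, executive list and vendor master file are assumptions.

```python
"""Added example (not from the post or the SEC report): indicator triage for
inbound payment emails plus two of the controls the SEC names.  All names,
domains, bank ids and messages are constructed for illustration."""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Set, Tuple
import re

COMPANY_DOMAIN = "example-issuer.com"            # assumed issuer domain
EXECUTIVES = {"Jane Doe"}                         # assumed names worth impersonating
VENDORS_OF_RECORD = {                             # assumed vendor master file
    "acme-supplies.com": {"bank": "US-ACME-0001", "callback": "+1-555-0100"},
}
URGENCY = re.compile(r"\b(urgent|immediately|confidential|today)\b", re.I)
PAYMENT_WORDS = re.compile(r"\b(wire|bank|account|routing|iban|invoice)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, known: Set[str]) -> Optional[str]:
    """Return the known domain that `domain` imitates (distance 1), or None."""
    if domain in known:
        return None
    for k in known:
        if edit_distance(domain, k) == 1:
            return k
    return None


def email_indicators(raw: str, recipient_role: str) -> List[str]:
    """Return the unreliability indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    flags: List[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if name in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append(f"display name '{name}' matches an executive but domain is {domain}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append(f"Reply-To {reply_addr} differs from From {addr}")
    near = lookalike(domain, set(VENDORS_OF_RECORD) | {COMPANY_DOMAIN})
    if near:
        flags.append(f"sender domain {domain} is a lookalike of {near}")
    body = "" if msg.is_multipart() else msg.get_payload()
    if URGENCY.search(body):
        flags.append("urgency or secrecy language in body")
    if PAYMENT_WORDS.search(body) and recipient_role != "accounts-payable":
        flags.append(f"payment instruction addressed to '{recipient_role}', outside that role")
    return flags


@dataclass
class BankChangeRequest:
    vendor_domain: str
    new_bank: str
    verified_via_callback: bool = False   # set only after phoning the contact of record


def approve_bank_change(req: BankChangeRequest) -> Tuple[bool, str]:
    """Vendor banking data changes only after an out-of-band callback."""
    vendor = VENDORS_OF_RECORD.get(req.vendor_domain)
    if vendor is None:
        return False, "vendor not on record"
    if req.new_bank == vendor["bank"]:
        return True, "no change"
    if not req.verified_via_callback:
        return False, f"hold: confirm with the contact of record at {vendor['callback']}"
    return True, "accepted after out-of-band verification"


def reconcile(outgoing: List[Tuple[str, str, float]],
              approved: Set[Tuple[str, str]]) -> List[str]:
    """Outgoing-payment notification: wires to (vendor, bank) pairs never approved."""
    return [f"{vendor} -> {bank} {amount:,.2f} has no matching approval"
            for vendor, bank, amount in outgoing if (vendor, bank) not in approved]


SAMPLE_SPOOF = """\
From: Jane Doe <jane.doe@examp1e-issuer.com>
Reply-To: jane.doe.ceo@mailbox-example.net
To: analyst@example-issuer.com
Subject: Urgent wire

Please wire the attached invoice today and keep this confidential.
"""

SAMPLE_LEGIT = """\
From: Bob Smith <bob@acme-supplies.com>
To: ap@example-issuer.com
Subject: Invoice 1234

Attached is invoice 1234 for March.
"""

if __name__ == "__main__":
    for f in email_indicators(SAMPLE_SPOOF, "marketing"):
        print("indicator:", f)
    print(email_indicators(SAMPLE_LEGIT, "accounts-payable"))
    print(approve_bank_change(BankChangeRequest("acme-supplies.com", "XX-NEW-9999")))
    print(reconcile([("acme-supplies.com", "XX-NEW-9999", 250000.0)],
                    {("acme-supplies.com", "US-ACME-0001")}))
```

The point of the two controls is that neither depends on the recipient judging the email correctly: a bank-detail change is held until someone phones the number already on file, and the reconciliation catches a wire to an unapproved account even when the request looked convincing.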

The agency did make clear that simply because an issuer “is the victim of a cyber-related scam” does not necessarily indicate the issuer is “in violation of the internal accounting controls requirements.” However, the SEC concluded that “issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly” (emphasis added).

Kate M. Growley, CIPP/G, CIPP/US


Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Paul Mathis

Paul C. Mathis is an associate in Crowell & Moring’s Washington, D.C. office. He is a member of the firm’s Privacy & Cybersecurity and International Dispute Resolution groups.

Paul represents a diverse set of clients on a wide range of counseling, regulatory, litigation, and arbitration matters, most often involving high technology industries or sectors. Paul’s experience in privacy and cybersecurity law includes data incident response, compliance reviews, and the representation of clients in incident-based litigation. He also has experience counseling technology and media companies on broad regulatory compliance and litigation matters, both in nascent markets, such as that for autonomous vehicles, and mature markets, such as that for satellite and cable broadcasting.

Michael G. Gruden, CIPP/G


Michael G. Gruden is an associate in Crowell & Moring’s Washington, D.C. office where he is a member of the firm’s Government Contracts and Privacy & Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Daniel Zelenko


Daniel L. Zelenko is a partner in the New York office of Crowell & Moring and serves as co-chair of the firm’s nationally recognized White Collar & Regulatory Enforcement Group. Dan is a former federal prosecutor and senior enforcement lawyer at the U.S. Securities and Exchange Commission (SEC). He has been recognized as a leader in the white collar and regulatory enforcement bar by Chambers USA since 2016 and is held in high regard for his U.S. Department of Justice (DOJ) and SEC experience and his antitrust and securities enforcement experience. Chambers USA described Dan as a “tremendous talent” who “tries cases really impressively before the government,” noting that he “is a very effective advocate who sees the whole picture,” is “thoroughly knowledgeable about the legal and regulatory landscape,” and that “he knows his way around the street, and knows how to work with people in difficult situations.” Dan has been quoted as a leading authority on white collar defense and government investigations in numerous media outlets including The Wall Street Journal, The New York Times, Bloomberg and Reuters and has appeared on CNN.