SEC Report Warns of Potential Internal Controls Enforcement Actions Against Cyber Fraud Victims

On Oct. 16, the Securities and Exchange Commission (SEC) issued an investigative report warning that public companies victimized by cyber fraud could also face enforcement action for violating federal securities laws by failing to maintain sufficient internal accounting controls. While the SEC earlier this year issued interpretive guidance for public companies concerning the disclosure of cybersecurity risks and incidents, last week’s report stresses the importance of companies having a sufficient system of  internal controls to prevent cyber fraud.

The report, which the SEC issued pursuant to 21(a) of the Securities Exchange Act of 1934 (Exchange Act), specifically cites Sections 13(b)(2)(B)(i) and (iii) of the Exchange Act. Those provisions require certain issuers to devise and maintain internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, and that access to company assets is permitted only with, “management’s general or specific authorization.”

Cyber-related fraud is a prevalent threat to businesses. The SEC report cites an FBI estimate that “business email compromises” alone have caused more than $5 billion in losses since 2013. The report discusses the SEC’s investigation of nine issuers across various business sectors — including real estate, technology, energy and consumer goods — that fell victim to cyber fraud. Each company suffered losses ranging from $1 million to $45 million as a result of business email compromises. The SEC investigated whether the companies’ controls were sufficient to comply with their obligations under Section 13 of the Exchange Act.   

Each of the nine companies investigated by the SEC were victims of one of two variants of business email compromises:

• Emails from fake executives: The first email scam involved persons purporting to be company executives. Using email domains and addresses that spoofed company executives (typically the CEO), the perpetrators emailed company finance personnel to direct them to work with a purported outside attorney identified in the email. Though the perpetrators identified real law firm and attorney names and used legal services-sounding domains like “consultant.com,” the purported outside attorney was actually an impersonator. The finance personnel were directed to wire funds to foreign banks and beneficiaries in order to complete supposed “time sensitive” transactions that were, in fact, invented by the perpetrators. In general, these frauds were not sophisticated in design or the use of technology. The scams typically targeted mid-level personnel who were not generally involved in the purported transactions and who rarely communicated with the company executives being spoofed, and often included spelling and grammatical errors.
  
  
• Emails from fake vendors: The second email scam involved persons impersonating existing vendors of the victim companies. This form of fraud was more technologically sophisticated — and harder to detect — because it involved intrusions into the email accounts of the company’s existing third-party vendors. After hacking the vendors’ email accounts, the perpetrators falsified invoices and payment requests that appeared to be for otherwise legitimate transactions. The perpetrators also communicated with the companies’ procurement personnel in order to obtain details about actual purchase orders and invoices and subsequently request that the personnel change the vendors’ banking information. After the fraudulent banking information was relayed to accounting personnel responsible for maintaining vendor data, the companies then made payments on outstanding invoices to foreign accounts controlled by the impersonator.  

The SEC report stresses that personnel at the victim issuers failed to follow company protocols. For example, several employees at the companies, including two at the executive level, disregarded or misinterpreted established procedures for authorizing payment requests, approving outgoing wires and verifying vendor data changes. While the SEC concluded that it would not pursue enforcement actions against the nine issuers that it investigated, the report serves as a clear warning to all public companies. The SEC refers to its “expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant.” Public companies “must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” 

Though the SEC’s report only refers directly to issuers’ Section 13(b) obligations, the failure to prevent business email compromises and other cyber-related scams can trigger other significant risks for public companies. For example, the Sarbanes-Oxley Act of 2002 (SOX) requires certain high-level executives to attest in annual and quarterly SEC filings that the issuer maintains adequate internal controls for public disclosure. If a company’s executives knowingly or recklessly certify that its controls are adequate and the company then experiences a cyber intrusion, the executives may be at risk of sanction for those certifications. Thus, cybersecurity should be an important part of an issuer’s diligence and SOX controls process.

In light of the SEC report, public companies and their advisers should regularly reassess all elements of the company’s existing internal controls for preventing and addressing the ever-evolving risks of cyber-related fraud, including whether enhancements to relevant policies, procedures and employee training are warranted.