The SEC has released a new report on cyber fraud, suggesting that public companies that fail to implement appropriate preventative measures risk violating the internal accounting control provisions of the Exchange Act. Companies should review their fraud prevention procedures accordingly and consider whether to conduct a comprehensive cybersecurity assessment under attorney-client privilege.
The Enforcement Division of the Securities and Exchange Commission (SEC) recently warned public companies that inadequate cybersecurity fraud prevention may violate the internal accounting control provisions of the Exchange Act. Following Commission guidance issued earlier this year, the most recent report reflects the agency’s continued emphasis on cybersecurity. Given this more expansive view of cybersecurity practices, public companies should ensure that internal accounting controls adequately address cybersecurity risk.
The SEC’s investigative report describes two types of cybersecurity scams that victimized nine public companies, which collectively lost nearly $100 million.
In the first scam, the perpetrators used fake email accounts to request wire transfers from fake email accounts purportedly held by company executives. The emails, sent primarily to midlevel personnel, emphasized the time-sensitive nature of the request and the secretive nature of the transactions. These scams were relatively unsophisticated, and included spelling and grammatical errors. The email nevertheless fooled employees and caused losses.
The second type of scam was more refined. In this scam, fraudsters posed as bona fide foreign vendors demanding payment. Originating from compromised vendor email addresses, the messages attached doctored invoices that contained accurate purchase order and account balance information. The attackers often were able to repeat the scams against the same victims by exploiting the vendors’ delayed action on delinquent payments.
The SEC declined to take action against the companies in the nine instances mentioned in the report. However, the Division emphasized that the failure to prevent such frauds could run afoul of Sections 13(b)(2)(B)(i) and (iii) of the Exchanges Act. Those provisions require public companies to devise and maintain internal accounting controls sufficient to provide reasonable assurance that transactions are executed with, or that access to company assets is permitted only with, management’s authorization.
Previous Cybersecurity Efforts
The report reinforces the SEC’s increased emphasis on cybersecurity. The Commission recently formed a Cyber Unit within the Enforcement Division focused on these issues. In February 2018, the SEC issued guidance on cybersecurity disclosures for public companies focused on SEC reporting requirements and disclosure controls. (Our detailed analysis of the February guidance is available here.) Not long after the guidance, the SEC announced a settled action against Altaba (formerly Yahoo!) over the failure to disclose a large data breach to investors. As part of the settlement, Altaba agreed to pay a substantial $35 million penalty.
The SEC Enforcement Division has a history of using “21A” reports like the one recently issued as warnings to public companies in advance of actual enforcement actions. As the report emphasizes, “issuers themselves are in the best position to develop internal accounting controls that account for their particular operational needs and risks.” That said, two specific compliance takeaways emerge from the report:
- Transaction Authorization Procedures. The report highlights the importance of internal procedures for authorizing and approving wire transfers. Companies should consider multiple-authorization requirements, as well as creating or bolstering verification procedures for vendor information changes.
- Personnel Training. Companies also should train personnel on internal procedures, emphasizing the response to red flags. Companies that already implemented phishing training may be able to adapt this training for cyber fraud, and could test the effectiveness of the training through mock emails or “phish tests.” This training should extend beyond easy-to-spot requests for wire transfers and include suspicious information requests and other suspicious behavior. The SEC noted that scammers often corresponded with unwitting company personnel to collect facts about the vendor relationship in order to change banking information and generate fake invoices. Effective data handling procedures and training could prevent such information leakage and reduce the probability of successful cyberattacks.
Companies that update procedures and adequately train employees will have taken important steps to minimize SEC enforcement risk.
Of course, investing in reasonable cybersecurity controls and risk management also protects public companies from misappropriation and other harm. For example, public companies can protect themselves from losses in the second type of scam—where fraudsters leverage compromised vendor email addresses to request payment—by contractually requiring vendors to indemnify them for losses resulting from compromises of vendor systems and by requiring vendors to provide prompt notification of system compromises. Public companies also should consider whether their cybersecurity risk management program is sufficiently robust to cover the range of relevant risks and vulnerabilities and whether aspects of the program, such as periodic cybersecurity assessments, need to be conducted under privilege.
The SEC’s increased focus on cybersecurity coincides with a global trend toward increased regulatory attention. As cyber-related incidents and scandals continue to dominate the headlines, domestic and international regulators rush to keep pace and demonstrate vigilance. To survive in this regulatory environment, it is essential that companies design and implement a robust cybersecurity strategy.