On October 16, the SEC issued a report on an investigation into whether nine public issuers that were victims of cyber-related frauds may have violated Sections 13(b)(2)(B)(i) and (iii) of the Exchange Act by failing to have a sufficient system of internal accounting controls to provide reasonable assurances that those frauds were detected and prevented.
The issuers, which the SEC stated represent a variety of industries, were victims of two types of “business email compromise” scams that resulted in mostly unrecovered losses ranging from $1 million to over $45 million.
While the SEC determined not to pursue enforcement actions against the issuers under investigation, it issued its report of investigation to make issuers aware that the cyber-related threats exist and concluded that all companies should reassess the sufficiency not only of existing internal controls, but also of policies and procedures that ensure employee compliance with controls.
The Securities Exchange Act of 1934 (the “Exchange Act”) requires public companies to maintain internal accounting controls sufficient to provide reasonable assurances that transactions are executed, and access to company assets is permitted, only in accordance with “management’s general or specific authorization.” In the course of its investigation, the Securities and Exchange Commission (the “SEC”) sought to determine whether the controls of nine public issuers were sufficient to comply with these obligations.
Each issuer was the victim of one of two types of scams known as “business email compromises.” The first type involved perpetrators who used spoofed email addresses to pose as company executives in emails sent to company finance personnel. In the emails, the perpetrators directed the finance personnel to work with a purported outside attorney identified in the email, who then directed them to cause large sums of money to be transferred to foreign bank accounts controlled by the perpetrators. The emails generally used real law firm and attorney names, but the contact details in fact connected the personnel with an impersonator and co-conspirator. The emails also described purported time-sensitive requests, mentioned the need for confidentiality of the transfers, provided minimal details, and sometimes falsely implied that the transactions involved government oversight, including the coordination or supervision of the SEC. Even though all of the issuers did business internationally, the emails often described foreign transactions that were out of the ordinary for the particular issuer. The email recipients were typically mid-level employees who ordinarily would have had no involvement in the purported transactions, and rarely communicated with the executives being spoofed.
The second type of scam involved perpetrators who hacked into the email accounts of issuers’ vendors. Posing as a vendor, these perpetrators inserted illegitimate payment requests and payment processing details into electronic communications for otherwise legitimate transaction requests. The perpetrators corresponded with issuers’ unsuspecting procurement personnel to obtain information about purchase orders and invoices. The perpetrators then requested that the procurement personnel initiate changes to the vendors’ banking information, attaching doctored invoices reflecting the new, fraudulent account information, and the procurement personnel relayed that information to accounting personnel responsible for maintaining vendor data. As a result, the issuers made payments on outstanding invoices to foreign accounts controlled by the perpetrators.
Many issuers remained unaware of these schemes, some of which continued over significant periods of time, until the schemes were uncovered as a result of third-party actions, including detection by a foreign bank or law enforcement agency, or by a vendor who complained of non-payment of invoices. The SEC noted that the schemes were often successful largely because employees either did not understand or did not follow the issuers’ internal control procedures. As a result, the issuers as a group lost and did not recover nearly $100 million, even though they had specific information about the foreign bank accounts that received the wired funds.
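As an added illustration (not part of the SEC report or the original bulletin), the following scores an incoming payment-related email against the red flags the two scam patterns above share: an executive's name on mail from a look-alike address, a reply-to pointing elsewhere, time-pressure or confidentiality language, and a vendor thread asking to redirect payment to an account that differs from the vendor master record. The executive directory, vendor file and sample messages are constructed; any flagged request is held for confirmation through contact details already on file rather than those supplied in the email.

```python
import re
from dataclasses import dataclass
EXECUTIVES = {"Pat Lee": "pat.lee@example-corp.test"}         # constructed executive directory
VENDOR_MASTER = {"acme-supply.test": "DE89370400440532013000"}  # constructed vendor file: domain -> account on record
URGENCY = re.compile(r"\b(urgent|today|immediately|confidential|do not discuss)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed?)\s+(bank|account|wire)\s+(details|information)\b", re.I)
IBAN = re.compile(r"\bIBAN[:\s]+([A-Z]{2}\d{2}[A-Z0-9]{4,30})\b")

@dataclass
class Mail:
    display_name: str
    address: str
    subject: str
    body: str
    reply_to: str = ""

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def bec_indicators(m: Mail) -> list[str]:
    """Red flags present in one payment-related message (both scam patterns described above)."""
    flags, text = [], f"{m.subject}\n{m.body}"
    # Pattern 1: an executive's name on mail that did not come from that executive's mailbox
    if m.display_name in EXECUTIVES and m.address.lower() != EXECUTIVES[m.display_name]:
        flags.append("executive name with non-matching sender address")
    if m.reply_to and domain(m.reply_to) != domain(m.address):
        flags.append("reply-to routes to a different domain than the sender")
    if URGENCY.search(text):
        flags.append("time pressure or confidentiality language")
    # Pattern 2: a known vendor's thread asking to redirect payment to an account not on file
    if BANK_CHANGE.search(text):
        flags.append("request to change banking details")
    found, on_file = IBAN.search(text), VENDOR_MASTER.get(domain(m.address))
    if found and on_file and found.group(1) != on_file:
        flags.append("account differs from the vendor master record")
    return flags

def triage(m: Mail) -> dict:
    """Control decision: flagged requests are held for out-of-band confirmation using contacts already on file."""
    flags = bec_indicators(m)
    return {"hold_for_verification": bool(flags), "flags": flags}

SAMPLES = [  # constructed messages: one per scam pattern, then a legitimate invoice
    Mail("Pat Lee", "pat.lee@example-c0rp.test", "Confidential acquisition",
         "I need a wire sent today; work with our outside counsel at the number below.",
         reply_to="counsel@mail-relay.test"),
    Mail("ACME Accounts", "billing@acme-supply.test", "Invoice 4471: updated bank details",
         "Please use our new bank details for all open invoices. IBAN: GB00ACME00000000000000"),
    Mail("ACME Accounts", "billing@acme-supply.test", "Invoice 4471",
         "Attached as usual. IBAN: DE89370400440532013000"),
]
```

Run `triage(m)` for each entry in `SAMPLES`: the first two are held with three and two flags respectively, the legitimate invoice passes with none.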
Notably, even with the relevant wire transfer confirmations, money transferred in these schemes may be difficult or impossible to recover by U.S. issuers or law enforcement. The money is typically transferred and dissipated quickly through foreign accounts in the names of shell corporations or false identities created by the perpetrators. Further, the perpetrators often transfer the funds to foreign jurisdictions that are unlikely to cooperate with U.S. law enforcement requests for evidence or asset recovery.
OBSERVATIONS AND IMPLICATIONS
The SEC noted that email scams like the ones investigated here have caused business losses of over $5 billion since 2013, which according to the Federal Bureau of Investigation (“FBI”) is greater than losses caused by any other type of cyber-related crime. The FBI has also found that the threat of email scam losses has grown over time. As such, the SEC strongly emphasized the importance of maintaining internal accounting controls that are sufficient to provide reasonable assurances that financial transactions are authorized by management. Although the SEC determined not to pursue enforcement action in these matters, the report of investigation makes it clear that the SEC expects issuers to calibrate their internal controls to address the risks of cyber-related frauds. Because the scams commonly targeted “human vulnerabilities that rendered the control environment ineffective,” the SEC also instructed companies to view employee training as a critical aspect of control implementation. All companies are advised to reassess the sufficiency of internal accounting controls, especially those relating to foreign transactions, as well as the completeness of employee education protocols.