The Securities and Exchange Commission issued a report of investigation by the staff (typically referred to as a Section 21(a) Report) of email frauds perpetrated against nine public companies to determine whether those companies may have violated federal securities laws by failing to have a sufficient system of internal accounting controls. Company personnel received spoofed or otherwise compromised emails and, in response, the employees wired large amounts to (usually foreign) bank accounts controlled by the perpetrators. Little of the funds lost — nearly $100 million according to the Section 21(a) Report — were recovered. The October 16, 2018, report also noted that the Federal Bureau of Investigation has estimated total losses from these types of frauds since 2013 to exceed $5 billion.
In one form of fraud, an employee would receive a spoofed email, purportedly from a company executive, directing the employee to make a payment to a specified account. In another ruse, the perpetrator would hack into a target company’s vendor email system and send false invoices to targeted employees, directing payment to the perpetrators’ accounts. Perpetrators at time would also direct targeted employees to change vendor payment information in the target company’s accounting databases so that payments on legitimate invoices were made to the perpetrators, rather than to the appropriate vendors.
Although the SEC declined to take enforcement action, it noted in the Section 21(a) Report that each public company is required “to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or access to company assets is permitted only with, management’s general or specific authorization.” The SEC considered neither of the frauds to be terribly sophisticated, noting that, in some cases, employees ignored or circumvented the controls that were in place. Companies must continually assess the adequacy of their internal controls in light of emerging risks, including cyber-fraud risks, and ensure that personnel who implement the controls understand and comply with them.
In a separate announcement, the SEC unveiled its Strategic Hub for Innovation and Financial Technology — to be known as the FinHub — a public platform on issues, information and SEC initiatives related to FinTech, including distributed ledger technology and cybercurrency, automated investment advice, digital marketplace financing, and artificial intelligence and machine learning.
According to the announcement, the FinHub will:
- Provide a portal for industry and the public to engage directly with SEC staff on innovative ideas and technological developments.
- Publicize information regarding the SEC’s activities and initiatives involving FinTech.
- Engage with the public through publications and events, including a FinTech Forum on distributed ledger technology and digital assets, which is planned for 2019.
- Act as a platform and clearinghouse for SEC staff to acquire and disseminate FinTech-related information and knowledge within the agency.
- Serve as a liaison to other domestic and international regulators regarding emerging technologies in financial, regulatory and supervisory systems.