Today, the SEC issued an investigative report under Section 21(a) that advises public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report investigated whether a number of defrauded public companies “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.”

Enforcement conducted investigations of nine listed public companies in a range of industries that experienced cyber fraud in the form of “business email compromises,” which involve perps—rare occasion that we get to write the word “perps”— sending spoofed or otherwise compromised electronic communications that purport to be from company executives or vendors. The perps then deceive company personnel into wiring substantial sums into the perps’ own bank accounts. This type of criminal activity is increasingly pervasive: the FBI recently estimated that BECs “had caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017—the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.” In these instances, each company lost at least $1 million, and two lost more than $30 million for an aggregate (mostly unrecovered) loss of almost $100 million. And these weren’t one-time only scams: in one case, the company made 14 wire payments over several weeks for an aggregate loss of over $45 million, and another company paid eight invoices totaling $1.5 million over several months.

The report indicates that there were two types of scams. One type involved spoofed emails that purported to be from company executives directing finance personnel (generally midlevel) to quickly and secretly transfer large sums to foreign banks to complete certain unusual foreign transactions. The personnel were directed to work with outside attorneys who were real but were identified with contact information that directed the personnel back to the perps. Of course, there were grammar and spelling errors, often a giveaway.

The second type of scam involved emails purporting to be from the company’s vendors. In these more sophisticated schemes, the perps hacked into the vendors’ email accounts and

“inserted illegitimate requests for payments (and payment processing details) into electronic communications for otherwise legitimate transaction requests. The perpetrators of these scams also corresponded with unwitting issuer personnel responsible for procuring goods from the vendors so that they could gain access to information about actual purchase orders and invoices. The perpetrators then requested that the issuer personnel initiate changes to the vendors’ banking information, and attached doctored invoices reflecting the new, fraudulent account information. The issuer personnel responsible for procurement relayed that information to accounting personnel responsible for maintaining vendor data. As a result, the issuers made payments on outstanding invoices to foreign accounts controlled by the impersonator rather than the accounts of the real vendors.”

Apparently, in some instances, the game was over only when the real vendor complained that the company was past due.

The report refers to the SEC’s earlier guidance on cybersecurity disclosure, which advised companies to implement cyber-related risk management policies and procedures. (See this PubCo post and this Cooley Alert.) Given our expanding reliance on electronic communications and digital technology for economic activity, the report advises companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” In particular, the report focused on the requirements of Section 13(b)(2)(B)(i) and (iii) to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization,” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.”

The report cautions that these cyber-related threats are a “growing global problem” that might be mitigated by internal controls that take cyber threats into account, as well as by appropriate training. In these specific cases, the companies ultimately bolstered their already-existing payment authorization procedures and verification requirements for vendor information changes, as well as their account reconciliation procedures and outgoing payment notification processes to aid detection of payments resulting from fraud. Notably, in several of these cases, personnel (including two chief accounting officers) did not understand and/or follow the controls that were in place. To make internal accounting controls effective, employees must be trained to understand and follow the requirements and to ask appropriate questions. The report concludes that, although not all victims of cyber-related fraud will have necessarily violated the internal control requirements, companies should reassess their internal accounting controls and “must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.”
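To make the controls described above concrete, here is an added example (not from the SEC report, the post, or any of the nine companies) of a small payment-control check that applies those categories of control to outgoing payment requests: destination must match the vendor master record, vendor bank-account changes must be verified out of band and then held for a cooling-off period, payments must originate from the ERP workflow against an open invoice, larger amounts need two independent approvers, and a foreign destination must match the vendor's country of record. The vendor names, amounts, dates, country codes, and policy thresholds are constructed for illustration; the two fraudulent requests mirror the executive-impersonation and vendor-compromise patterns the report describes.

```python
"""Payment-control checks modelled on the controls the SEC report says the
companies strengthened. Added example with constructed data; not the report's
or any company's actual procedures."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Vendor:
    """Vendor master record as maintained by accounting."""
    name: str
    bank_account: str
    bank_country: str
    account_changed_on: Optional[date] = None   # None = never changed
    change_verified_out_of_band: bool = False   # callback to a known-good number


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    destination_account: str
    destination_country: str
    requested_by: str          # person who initiated the request
    request_channel: str       # "erp" (workflow) or "email" (ad hoc instruction)
    approvals: list           # approver IDs collected so far
    requested_on: date
    references_open_invoice: bool = True


# Policy parameters: hypothetical values, not from the report.
POLICY = {
    "dual_approval_threshold": 50_000.0,
    "hold_days_after_account_change": 10,
    "home_country": "US",
}


def evaluate(req: PaymentRequest, vendors: dict, policy: dict = POLICY) -> list:
    """Return the list of control findings; an empty list means the payment may proceed."""
    findings = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return ["unknown vendor: payment must be tied to a vendor master record"]

    # Control 1: destination must match the vendor master record, never an emailed account.
    if req.destination_account != vendor.bank_account:
        findings.append("destination account does not match vendor master record")

    # Control 2: a recent bank-detail change needs out-of-band verification and a hold period.
    if vendor.account_changed_on is not None:
        if not vendor.change_verified_out_of_band:
            findings.append("vendor bank details changed without out-of-band verification")
        age = (req.requested_on - vendor.account_changed_on).days
        if age < policy["hold_days_after_account_change"]:
            findings.append(f"account changed {age} days ago: hold for review")

    # Control 3: payments originate from the ERP workflow against an open invoice.
    if req.request_channel != "erp" or not req.references_open_invoice:
        findings.append("payment not initiated from ERP against an open invoice")

    # Control 4: dual approval above threshold; the requester cannot count as an approver.
    if req.amount >= policy["dual_approval_threshold"]:
        independent = {a for a in req.approvals if a != req.requested_by}
        if len(independent) < 2:
            findings.append("amount requires two independent approvers")

    # Control 5: a foreign destination must match the vendor's country of record.
    if req.destination_country not in (policy["home_country"], vendor.bank_country):
        findings.append("foreign destination does not match vendor's country of record")

    return findings


# Constructed vendor master data. "Globex Supply" had its account changed two days
# before the request below and the change was never confirmed by callback.
VENDORS = {
    "Acme Parts": Vendor("Acme Parts", "US-111", "US"),
    "Globex Supply": Vendor("Globex Supply", "LT-999", "DE",
                            account_changed_on=date(2018, 10, 14),
                            change_verified_out_of_band=False),
}

# Routine payment raised in the ERP against an open invoice.
LEGIT_PAYMENT = PaymentRequest("Acme Parts", 20_000.0, "US-111", "US",
                               "ap-clerk", "erp", ["ap-clerk", "controller"],
                               date(2018, 10, 16))

# Executive-impersonation pattern: urgent emailed instruction, no invoice,
# single approval, wire to an account and country the vendor has never used.
EXEC_IMPERSONATION = PaymentRequest("Acme Parts", 250_000.0, "KY-777", "KY",
                                    "analyst1", "email", ["analyst1"],
                                    date(2018, 10, 16), references_open_invoice=False)

# Vendor-compromise pattern: a genuine open invoice, but paid to the freshly
# changed, unverified account in a third country.
VENDOR_COMPROMISE = PaymentRequest("Globex Supply", 40_000.0, "LT-999", "LT",
                                   "ap-clerk", "erp", ["ap-clerk", "controller"],
                                   date(2018, 10, 16))

if __name__ == "__main__":
    for label, req in [("legit", LEGIT_PAYMENT), ("exec-impersonation", EXEC_IMPERSONATION),
                       ("vendor-compromise", VENDOR_COMPROMISE)]:
        print(label, "->", evaluate(req, VENDORS) or "OK")
```

The two fraudulent requests trip different controls: the executive-impersonation wire fails on destination, channel, approval and country checks at once, while the vendor-compromise payment looks routine on every axis except the bank-detail change, which is why the verification and hold-period controls carry the load in that scenario.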