Cybersecurity Alert

On October 16, 2018, the Securities and Exchange Commission released an investigative report cautioning public companies to consider cyber threats when implementing internal accounting controls. The SEC has previously brought enforcement actions against companies for failure to safeguard customer information, typically in the wake of a cybersecurity incident involving the loss or exposure of personal customer information, and has issued guidance relating to disclosures of cybersecurity incidents and risks.[1] This investigative report, however, focused on the internal accounting controls of nine issuers that were the subject of a series of cybersecurity incidents that collectively led to millions of dollars in company losses. Specifically, the report addresses business email compromises (BECs), a common form of cybersecurity fraud in which company personnel receive "spoofed" emails from a perpetrator posing as a company executive or vendor, directing the recipients to send money to a third party. Although the SEC chose not to bring an enforcement action against any of the nine issuers, the report cautions public companies to reassess their internal controls, signaling that a failure to adequately assess this cyber risk could lead to enforcement actions in the future.

The SEC's Investigations

The report focused on the SEC's investigation of nine unnamed public companies that suffered losses totaling nearly $100 million from the email compromises. The BEC schemes fell into two types.

Emails from Fake Executives

In these schemes, the perpetrators spoofed email domains and addresses of company executives and directed the companies' finance personnel to send large wire transfers to foreign bank accounts controlled by the perpetrators. Key facts the SEC described regarding the incidents:
  • The perpetrators used real law firm and attorney names with legitimate-sounding email domains.
  • The emails described time-sensitive transactions and emphasized secrecy from other company employees. They sometimes claimed some level of government oversight or involvement.
  • The emails stated that the funds were necessary for foreign transactions, and while the issuers had some foreign operations, these transactions would have been unusual for them. The emails also did not include many details about the transactions.
  • The emails were sent to midlevel personnel who were not generally responsible for these transactions and often contained spelling and grammatical errors.

Emails from Fake Vendors

The SEC noted that these schemes were more technologically sophisticated, as they involved intrusions into the email accounts of the issuers' foreign vendors. Key facts the SEC described relating to these frauds:

  • The perpetrators inserted illegitimate payment requests and payment processing details into electronic communications for otherwise legitimate transaction requests.
  • The perpetrators also corresponded with issuer personnel to gain information about actual purchase orders and invoices, then requested changes to the vendors' banking information and sent doctored invoices.
  • These schemes caused issuers to make payments on illegitimate outstanding invoices to foreign accounts controlled by the perpetrators.
  • Because these schemes had fewer red flags and indicia of illegitimacy, several victims did not learn of the scams until the real vendors complained about outstanding invoices, by which time the scams had been running for extended periods.

Failure to Sufficiently Follow or Understand Company Policies and Controls

Overall, the SEC noted that an important factor contributing to the success of these schemes was that company personnel did not sufficiently follow or understand existing controls and processes. For example, in one matter, the employee who received the fraudulent email did not follow the issuer's dual-authorization requirement for wire payments. In another, the employee incorrectly believed that he had approval authority at the level of the CFO. In addition, there were numerous examples of employees failing to ask questions about the nature of the transactions, even where they were clearly outside the employees' normal domains and the employee was being asked to make multiple payments over a series of days or weeks.

The SEC's Guidance

The SEC warned that because nearly all economic activities take place through digital technology and electronic communication, public company assets and business transactions are susceptible to cyber-related threats. The SEC indicated that when a company falls prey to such a scheme, it could indicate a failure on the issuer's part to have proper internal accounting controls in place as required under Section 13(b)(2)(B) of the Securities Exchange Act. Section 13(b)(2)(B) requires issuers to "devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management's general or specific authorization." While the report conceded that falling victim to similar schemes does not automatically constitute a violation of Section 13(b)(2)(B), the SEC added that it is clear that "internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds." In reassessing company controls, the SEC noted that accounting control systems should take into account these cyber-related threats as well as "the critical role training plays in implementing controls."

Key Takeaways

Although the SEC decided not to pursue enforcement action against the issuers in question, the report is a clear warning to issuers that cyber threats are not just limited to security incidents in which personal information has been accessed or acquired. The SEC considers adequate efforts to protect a company from cyber fraud such as BEC schemes to be a legitimate area of examination with regard to internal accounting controls. Failure to have such controls in place, which includes enhanced training of employees, could lead a company to the doubled pain of losing money to a cyber fraud and being the subject of an SEC enforcement action for failing to have proper measures in place to avoid the fraud. As the SEC warned in the report, these threats "should be considered when devising and maintaining a system of internal accounting controls as required by federal securities laws."

Reading between the lines, the SEC evidently is not yet ready to make an example of an issuer that the Commission feels has already been victimized by a BEC scheme. But public companies are on notice that the SEC increasingly considers effective cybersecurity programs, including risk management assessments and implementation of appropriate safeguards, to be part of an effective internal accounting program. Public companies thus should reassess their internal accounting controls, which should include processes to address these threats, training employees on those controls, and, on an ongoing basis, continual reevaluation of those controls.

Venable LLP has extensive experience in securities enforcement, cybersecurity, compliance policies and procedures, and employee training. Venable attorneys are available to review existing internal accounting controls, assist in drafting or revising policies and procedures, evaluate cybersecurity safeguards and processes for adequacy, and conduct employee training at all levels of corporate responsibility.

[1] SEC Guidance: February 21, 2018 SEC Cybersecurity Guidance and Statement by Chairman Clayton, available at; October 13, 2011 Cybersecurity Guidance for Public Companies, available at. SEC Enforcement Actions: Press Release, SEC Charges Firm with Deficient Cybersecurity Procedures, SEC (Sept. 26, 2018), available at; Press Release, SEC: Morgan Stanley Failed to Safeguard Customer Data, SEC (June 8, 2016), available at; Press Release, SEC Charges Investment Advisor with Failing to Adopt Proper Cybersecurity Policies and Procedures Prior to Breach, SEC (Sept. 22, 2015), available at.