Stronger Internal Accounting Controls Needed to Fight Cyber Threats

The Securities and Exchange Commission (“SEC”) recently issued an investigative report cautioning that public companies should consider cyber threats when implementing internal accounting controls, especially where the movement of assets is involved. The report is based on the SEC Enforcement Division’s investigations of the internal accounting controls of nine public companies that fell victim to cyber fraud. The investigations focused on “business email compromises” (“BECs”), in which perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large sums to bank accounts controlled by the perpetrators. The frauds in some instances lasted months and often were detected only after intervention by law enforcement or other third parties. Each of the companies lost at least $1 million, two lost more than $30 million, and one lost more than $45 million. In total, the nine companies wired nearly $100 million as a result of the frauds, most of which was unrecoverable. No charges were brought against the companies or their personnel.

In the frauds reviewed, company personnel received spoofed or otherwise compromised electronic communications purporting to be from a company executive or vendor, causing the personnel to wire large sums or pay invoices to accounts controlled by the perpetrators of the scheme. These spoofed or manipulated electronic communications are an increasingly familiar and pervasive problem, exposing individuals and companies, including public companies, particularly those that engage in transactions with foreign customers or suppliers, to significant risks and financial losses.

Essentially, there were two common frauds: emails from fake executives and emails from fake vendors. The first type of business email compromise involved emails from persons not affiliated with the company purporting to be company executives. In these situations, the perpetrators of the scheme emailed company finance personnel, using spoofed email domains and addresses of an executive (typically the CEO) so that it appeared, at least superficially, as if the email were legitimate. In all of the frauds, the spoofed email directed the companies’ finance personnel to work with a purported outside attorney identified in the email, who then directed the companies’ finance personnel to cause large wire transfers to foreign bank accounts controlled by the perpetrators. The spoofed emails shared some common elements: they described time-sensitive transactions or “deals” that needed to be completed within days, and emphasized the need for secrecy from other company employees. Moreover, sometimes the spoofed emails implied some level of government oversight, such as one fraudulent email claiming the purported transaction was “in coordination with and under the supervision of the SEC,” and the spoofed emails stated that the funds requested were necessary for foreign transactions or acquisitions, and directed the wire transfers to foreign banks and beneficiaries. Finally, the spoofed emails typically were sent to midlevel personnel, who were not generally responsible for or involved in the purported transactions (and who rarely communicated with the executives being spoofed). The emails also often included spelling and grammatical errors.

The second type of cyber-related fraud involved electronic communications impersonating the issuers’ vendors. This form of scam was more technologically sophisticated than the spoofed executive emails because, in the instances the SEC reviewed, the schemes involved intrusions into the email accounts of issuers’ foreign vendors. After hacking the existing vendors’ email accounts, the perpetrators inserted illegitimate requests for payments (and payment processing details) into electronic communications for otherwise legitimate transaction requests.  The perpetrators of these scams also corresponded with unwitting issuer personnel responsible for procuring goods from the vendors so that they could gain access to information about actual purchase orders and invoices. The perpetrators then requested that the issuer personnel initiate changes to the vendors’ banking information, and attached doctored invoices reflecting the new, fraudulent account information.

Unlike the fake executive scams, the spoofed vendor emails had fewer indicia of illegitimacy or red flags.  In fact, several victims only learned of the scam when the real vendor raised concerns about nonpayment on outstanding invoices.  Because vendors often afford issuers months before considering a payment delinquent, the scams, in certain circumstances, were able to continue for an extended period of time.

The companies, which each had securities listed on a national stock exchange, covered a range of sectors including technology, machinery, real estate, energy, financial, and consumer goods.  The FBI estimates fraud involving BECs has cost companies more than $5 billion since 2013, with an additional $675 million in adjusted losses in 2017 – the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.

“Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies,” said SEC Chairman Jay Clayton.  “Investors rely on our public issuers to put in place, monitor, and update internal accounting controls that appropriately address these threats.”

Ultimately, the SEC emphasized that “cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission.” Accordingly, the Commission’s Statement and Guidance on Public Company Cybersecurity Disclosures advised such public companies that “cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws.”

The report is of note to the financial industry, as the internal controls put in place to protect the movement of public company assets are also applicable to broker-dealers and investment advisers.  Strong internal controls are the backbone of the risk management that should be in place to prevent both customer account takeover and the illegal movement of company assets for broker-dealers and financial advisers.