SEC Special Report: Rampant Business Email Compromises Require Reassessment of Internal Accounting Controls

On October 16, 2018, the SEC released a “Report of Investigation” calling for public companies to reassess their internal accounting controls “in light of emerging risks, including risks arising from cyber-related frauds.” In particular, the report focuses on certain types of “business email compromises” (BECs), in which a bad actor uses spoofed or compromised email accounts to trick an organization’s personnel into effectuating wire transfers to financial accounts controlled by fraudsters.

The report was prompted by the SEC’s investigation into whether nine public companies violated U.S. securities laws “by failing to have sufficient accounting controls” to prevent approximately $100 million in losses as a result of business email compromises targeting their personnel. The nine companies were victimized by one of two variants of the BEC scheme—involving spoofed or compromised emails from a person purporting to be either a company executive or a vendor.

Emails from Fake Executives – A person purporting to be a company executive used a spoofed email domain and address to direct mid-level finance personnel to work with a purported outside attorney (copied on the email) to effectuate large wire transfers to foreign bank accounts controlled by the perpetrators. The perpetrators used real attorney and law firm names and emphasized the need for secrecy and time sensitivity in completing the wire transfers that were purportedly related to foreign transactions or acquisitions. The SEC characterized the emails as “not sophisticated frauds,” requiring only the creation of a spoofed email address.

Emails from Fake Vendors – Perpetrators hacked into and took over the email accounts of actual employees of foreign vendors of the company. They then communicated with company personnel via the compromised vendor email accounts, redirecting wire transfers for actual transactions to accounts under the perpetrators’ control.
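As an added illustration (example code written for this page, not part of the original article or the SEC report), the following Python screens a payment-related email for the indicators the two variants above rely on: a sender domain that imitates a known counterparty, a Reply-To that diverges from the From address, secrecy or urgency language, and a request to change payment instructions. The trusted-domain list, the glyph-substitution table, the phrase lists and the three sample messages are all constructed for the example and are assumptions, not data from the report.

```python
"""Screen wire-transfer emails for BEC indicators (constructed example)."""
import re
import unicodedata

# Hypothetical allowlist: domains the finance team legitimately transacts with.
TRUSTED_DOMAINS = {"example-corp.com", "vendor-example.com", "lawfirm-example.com"}

# Substitutions commonly used to build a lookalike domain (hypothetical, not exhaustive).
# Multi-character entries come first so "rn" folds to "m" before single characters are touched.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Language the fake-executive variant leans on, and wording that signals a bank-detail change.
PRESSURE_PHRASES = ("confidential", "do not discuss", "urgent", "time sensitive", "immediately")
BANK_CHANGE_PHRASES = ("new bank", "updated account", "new wire instructions", "changed our banking")

# Constructed sample messages: a spoofed executive, a compromised vendor, and a benign vendor mail.
SAMPLES = [
    {"from": "CEO <ceo@exarnple-corp.com>", "reply_to": "",
     "body": "Confidential acquisition. Wire $2.4M today per outside counsel; do not discuss internally."},
    {"from": "AP <billing@vendor-example.com>", "reply_to": "",
     "body": "Please note we have changed our banking details. New wire instructions attached for invoice 4471."},
    {"from": "AP <billing@vendor-example.com>", "reply_to": "",
     "body": "Attached is invoice 4472 for the June shipment."},
]


def extract_domain(addr: str) -> str:
    """Return the lowercased domain of an address such as 'CFO <cfo@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)", addr)
    return m.group(1).lower().rstrip(".") if m else ""


def normalize_domain(domain: str) -> str:
    """Fold Unicode and common glyph substitutions so lookalikes collapse onto the real name."""
    d = unicodedata.normalize("NFKC", domain.lower())
    for glyph, canon in HOMOGLYPHS.items():
        d = d.replace(glyph, canon)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a trusted domain signals typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str):
    """Return (verdict, trusted domain it matches or imitates, or None)."""
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    norm = normalize_domain(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if norm == normalize_domain(trusted) or edit_distance(domain, trusted) <= 2:
            return "lookalike", trusted
    return "unknown", None


def screen_message(msg: dict) -> dict:
    """Screen one payment-related email; any flag means email alone cannot authorize the request."""
    from_domain = extract_domain(msg.get("from", ""))
    verdict, target = classify_domain(from_domain)
    flags = []
    if verdict == "lookalike":
        flags.append(f"sender domain {from_domain} imitates {target}")
    elif verdict == "unknown":
        flags.append(f"sender domain {from_domain} is not a known counterparty")
    reply_domain = extract_domain(msg.get("reply_to", ""))
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get("body", "").lower()
    if any(p in body for p in PRESSURE_PHRASES):
        flags.append("secrecy or urgency language")
    if any(p in body for p in BANK_CHANGE_PHRASES):
        flags.append("request to change payment instructions")
    return {"sender_verdict": verdict, "flags": flags, "requires_callback": bool(flags)}


def screen_all(messages=SAMPLES) -> list:
    """Screen every message and return the per-message results."""
    return [screen_message(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, screen_all()):
        print(msg["from"], "->", result)
```

Note how the compromised-vendor message passes the domain checks entirely, since it really does come from the vendor's account; only the payment-instruction flag catches it. That is the practical reason any flag here should route the request to a callback on a phone number already on file, never to a reply on the same email thread.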

The nine companies spanned various sectors, including technology, machinery, real estate, energy, financial services, and consumer goods. Each of the nine companies lost at least $1 million; two lost more than $30 million. One company made more than 14 wire payments requested by a fraudster impersonating a company executive—resulting in more than $45 million in losses. Virtually none of the funds were recovered in any of the cases.

The SEC investigated whether these companies violated Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934. Although declining to pursue enforcement actions against the companies, the SEC emphasized its recent cybersecurity guidance, advising public companies that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws.”

The SEC advised companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” Under Section 13(b)(2)(B)(i) and (iii), these internal controls must reasonably assure that:

  • transactions are executed in accordance with management’s general or specific authorization; and
  • access to assets is permitted only in accordance with management’s general or specific authorization.

The SEC emphasized that these fraud schemes were not particularly sophisticated. They succeeded nonetheless because they used “technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.” The victimized issuers had policies and procedures requiring different authorization levels for payments; management approval of outgoing wires; and verification of changes to vendor data. The critical flaw was that employees treated these controls as satisfied by electronic communications alone, and failed to recognize obvious indications of fraud in the emails.

The message from this report is remarkably explicit—that internal controls are not static and public companies should continuously refresh their internal control environment to take into consideration known threats. Going forward, public companies must have in place internal controls that are geared toward detecting BECs and by extension other types of cybersecurity frauds. The failure to have such controls likely will be deemed a violation of the Exchange Act subjecting companies to the full panoply of possible SEC sanctions including fines, supervision, and debarment of responsible officers from holding public company officer or director positions.

Although the SEC gave no indication what the severity of any possible future punitive actions might be, it stressed that the nine companies it looked into had lost $100 million and that the FBI estimated that such fraud cost companies more than $5 billion since 2013. It further emphasized that investors rely on public issuers to implement internal controls to appropriately address these issues. Additionally, public companies should expect that their auditors will take seriously the SEC’s investigative report (similar to what occurred with respect to the SEC’s Netflix 21(a) report on social media and Regulation FD) and closely scrutinize whether proper internal controls are in place to stop BEC cyber fraud and other types of cyber fraud as well. Failure to have such controls may require a report of material weakness in internal controls and/or a refusal by accounting firms to sign off on financial statements. Finally, it can also be expected that the absence of such controls will lead to both private securities fraud lawsuits under Section 11 of the Securities Act and Section 10(b) of the Exchange Act, as well as a spate of derivative lawsuits. The SEC’s report makes clear that this is not only a consumer fraud issue but one of the integrity of the public markets, as well.

This report follows on the heels of a July 2018 FBI Public Service Announcement that it had tracked more than 78,000 BECs—totaling more than $12.5 billion in fraud losses—since October 2013. The FBI has identified more than 41,000 BEC victims in the United States—with more than $3 billion in fraud losses since 2013, and $1.6 billion in fraud losses since May 2016.

The FBI has published a checklist of steps that organizations can take to prevent and respond to BECs.

An earlier version of this article was originally published on Ballard Spahr’s Privacy and Data Security blog, CyberAdviser.
John C. Grugan (LAW ‘98) is a Partner at Ballard Spahr. He concentrates his practice on government enforcement defense, and he has significant experience directing corporate internal investigations.

M. Norman Goldberger, a Partner at Ballard Spahr, is the Practice Leader of the firm’s Securities Enforcement and Corporate Governance Litigation Group. He focuses his practice on complex commercial litigation.

Edward J. McAndrew, a Partner at Ballard Spahr, is the Co-Practice Leader of the firm’s Privacy and Data Security Group and the Leader of its national Cyber Incident Response Team.

Peter W. Hennessey is a Partner at Ballard Spahr. He represents both public and private companies, investment banks, and venture capital firms in a range of capital market transactions.