Savvy companies know that one of the most effective ways to protect themselves against cyber-related fraud is to train employees to recognize signs of cyber scams and avoid falling prey to them. The Securities and Exchange Commission (“SEC”) has added one more reason highlighting the importance of this training: because failing to do so could mean that public companies have failed to provide and maintain an adequate system of internal accounting controls as required by Section 13(b)(2)(B) of the Securities and Exchange Act of 1934, thus exposing the companies to SEC enforcement actions.
The SEC’s warning came in its October 16, 2018 release (here) reporting on its investigation into nine publicly traded companies victimized by cyber-related fraud. Although the SEC declined to pursue enforcement actions against these companies, the SEC nevertheless alerted companies to common cyber scams and reminded companies of their obligation to provide and maintain adequate systems of internal accounting controls as part of their risk management program and investor protection efforts required by Section 13(b)(2)(B).
The SEC’s Report
The SEC investigated whether nine unnamed public companies violated federal securities laws by failing to have sufficient systems of internal accounting controls. The companies lost a total of nearly $100 million; each company lost at least $1 million, and two companies lost over $30 million. The targeted companies spanned a broad range of industries (including technology, machinery, real estate, energy, financial and consumer goods), reflecting the reality that every type of business is a potential target of cyber-related fraud. According to the FBI, these cyber-related fraud scams (called “business email compromise” or “BEC” scams) caused over $5 billion in losses since 2013 — the highest estimated out-of-pocket losses from any type of cyber-facilitated crime during this period. The BEC scams generally followed two patterns.
- Emails from Fake Executives: Perpetrators emailed company finance personnel, using spoofed email domains and addresses of high-level executives, so that it appeared as though the emails were legitimate. The perpetrators directed the companies’ finance personnel to initiate large wire transfers to foreign bank accounts controlled by the perpetrators, often with instructions that the transfers were urgent and must be kept secret.
- Emails from Fake Vendors: Perpetrators first hacked into an existing vendor’s email account to intercept information about unpaid invoices. Then, posing as the vendor, perpetrators instructed the targeted company to change the vendors’ banking information and to make payments to the new, fraudulent banking account. Often the defrauded company did not learn about the scam until the real vendor complained about the unpaid invoices.
The SEC’s Enforcement Role
In light of these scams, the SEC reminds companies that Section 13(b)(2)(B) of the Securities and Exchange Act of 1934 requires companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that […] (i) transactions are executed in accordance with management’s general or specific authorization,” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.” Critically, each of the companies in the SEC’s report had procedures that required certain levels of authorization for payment requests, management approval for outgoing wires, and verification of any changes to vendor data. Yet the companies still became victims of cyber scams because company personnel either misinterpreted existing controls or did not recognize indications that the e-mailed transfer instructions lacked reliability. Given that virtually all economic activities now take place through digital technology and electronic communications, the SEC’s report urges companies to reassess and recalibrate their internal accounting controls to address emerging risks arising from cyber-related fraud.
Regardless of how robust a company’s internal accounting control system is, fraudsters can and will target human vulnerability. It is therefore imperative that companies train employees, especially financial personnel, in tell-tale signs of scams. Some common red flags are:
- High-level executive impersonation: Correspondence from high-level executives (e.g. CEO or CFO), requesting fund transfers;
- Urgency and secrecy: Emails describing time-sensitive transactions that need to be completed within days, and also demanding secrecy about the transaction;
- Foreign transactions: Requests for wire transfers into foreign banks can be indicative of fraud;
- Look-a-like domains: The sender’s domain does not match the company’s actual same, e.g. email@example.com vs. firstname.lastname@example.org (the letter “l” is replaced with the number “1”); and
- Changing vendor information: Vendor requests to change their recipient bank account information.
This list is by no means exhaustive. Fraudsters are creative, and their scams are constantly changing, which is another reason companies must be vigilant in their training.
Although the SEC’s report technically applies only to publicly traded companies, its standard often sets the bar for private companies that are subject to other regulators. The Federal Trade Commission, for instance, has authority to pursue administrative actions where it determines that companies have an “unfair act or practice” prohibited by Section 5(a) of the Federal Trade Commission Act. The FTC has brought a number of administrative actions under this provision against companies alleging that their cybersecurity controls were deficient.
Cyber-related fraud is real. Not only are companies vulnerable to being defrauded out of millions of dollars (most of which will never be recovered from the thieves), standard cyber insurance policies typically do not cover losses resulting from BEC scams (although some companies offer crime and social engineering coverage, which may apply, depending on policy language). The possibility of administrative or enforcement actions against companies who are victims of cyber-fraud adds yet another dimension to this already challenging area and points out the need for companies maintain and update their accounting controls, cybersecurity programs and employee training.
– Keesal, Young & Logan Privacy and Data Security Group
– Keesal, Young & Logan Securities Group
This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.