The U.S. Securities and Exchange Commission (“SEC”) may not be the first agency that comes to mind with respect to cybersecurity, but the SEC has been in the headlines recently with respect to cyber fraud in particular. Earlier this month, the SEC promulgated a report urging companies to take preventive measures against cyber fraud.
Cybersecurity – Cyber-Fraud
On October 6, 2018, the SEC issued a report on cyber-fraud that affected nine publicly traded companies (securities issuers) that collectively lost almost $100 million to the malicious actors. The SEC elected to issue the report, which did not name the affected companies, rather than pursue an enforcement action at the time. The SEC instead published the report to “make issuers and other market participants aware that these cyber-related threats of spoofed and manipulated electronic communications exist and should be considered when devising and maintaining system of internal accounting controls as required by the federal securities laws.”
The SEC report describes two forms of cyber-fraud that affected the companies. The first, less sophisticated type involved fake emails designed to appear as if they were from the company’s CEO. The email would direct mid-level finance personnel to send large wire transfers to foreign bank accounts, claiming time-sensitive transactions. The bank accounts were controlled by the fraudsters.
The second, more sophisticated cyber-fraud involved fraudsters hacking email accounts of a company’s foreign vendors. The fraudsters would learn of legitimate transactions—sometimes from the U.S. company’s procurement personnel—and then send altered invoices and new bank account information to the U.S. company. The affected companies frequently learned of the fraud only when the legitimate vendor contacted the company to complain of non-payment. The amounts had instead gone to the fraudsters.
After learning of the fraud, each company enhanced its payment authorization procedures sand verification requirements for vendor information changes. They also took steps to bolster account reconciliation procedures and outgoing payment notification procedures, in order to increase fraud detection.
So what was the regulatory basis for the SEC’s report? For those readers who thought “SOX 404” (15 USC § 7262) and its requirements relating to internal controls, that answer is in the correct area, but the SEC went further back in time to the 1970s (well before Sarbanes-Oxley). The SEC looked to the reporting requirements referenced by SOX 404 that appear in 15 USC § 78m(b)(2)(B):
Every issuer which has a class of securities registered pursuant to section 78l of this title and every issuer which is required to file reports pursuant to section 78o(d) of this title shall—
* * * *
(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that
(i) transactions are executed in accordance with management’s general or specific authorization;
* * * *
(iii) access to assets is permitted only in accordance with management’s general or specific authorization; . . .
The SEC concluded the report by stating:
The Commission is not suggesting that every issuer that is the victim of a cyber-related scam is, by extension, in violation of the internal accounting controls requirements of the federal securities laws. What is clear, however, is that internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds. Public issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.
Any company subject to the SEC’s jurisdiction should already have in place written privacy and security policies that include administrative, physical and technical controls. As part of those controls, companies should consider:
- Conducting periodic risk assessments, and update controls accordingly.
- Reviewing procedures for dealing with vendors, including (a) issuance and changes to credentials; and (b) bank account changes.
- Testing security measures and conducting training where needed.
- Discussing security procedures with the company’s bank(s).