The Securities and Exchange Commission's October 16, 2018 Section 21(a) report focusing on public companies victimized by cyber-related attacks underscores the importance of devising and implementing proper internal accounting controls with an eye on addressing such cyber threats. The report, after detailing the SEC Enforcement Division's investigations of nine public companies that had lost millions of dollars as victims of cyber fraud, did not announce any action against the victims of the cyberattacks, but makes clear the Enforcement Division will continue to scrutinize how public companies create and implement internal controls relating to cybersecurity.[1] Indeed, the SEC's press release announcing the report specifically cautioned public companies that they "should consider cyber threats when implementing internal accounting controls."[2]
Section 21(a) reports are not enforcement actions, but the SEC often utilizes such reports to signal an area of emphasis in its enforcement program, with enforcement actions relating to the same subject matter likely to follow. For example, the SEC's July 25, 2017 Section 21(a) report known as the "DAO Report," which reminded readers of the federal securities laws' registration requirements and their application to sales of certain "tokens," heralded the SEC's recent spate of enforcement actions relating to crypto-currency transactions. Companies would be wise, therefore, to read the SEC's latest Section 21(a) report as a reminder to revisit their internal accounting controls to ensure compliance with the federal securities laws.
The SEC has previously provided guidance on cybersecurity disclosures, cybersecurity risk management, and the insider-trading implications of cybersecurity incidents,[3] and it has pursued enforcement actions against regulated firms for failure to safeguard customer information in the wake of cybersecurity incidents and companies for alleged delays in the disclosure of a material data breach. The Section 21(a) report focuses on a different dimension of cybersecurity, specifically, cyber fraud schemes targeting public company personnel, and provides a window into how the SEC Enforcement Division would look at whether a company's vulnerabilities to cyber fraud could signal an underlying failure in its internal accounting controls.
Although the SEC ultimately did not pursue enforcement actions against any of the nine companies, its decision to publish a Section 21(a) report demonstrates the SEC's interest in financial cyber fraud and its prevalence and widespread applicability to issuers across industries. The SEC's investigations focused on "business email compromises" in which perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large payments to bank accounts controlled by the perpetrators. Each of the nine companies lost at least $1 million, two lost more than $30 million, and one lost more than $45 million in frauds that in some instances lasted for months. The scams fell into two general types:
- Perpetrators emailed company finance personnel using spoofed email domains and addresses of an executive, typically the CEO, and directed the companies' finance personnel to work with a purported outside attorney to wire large sums to a foreign bank account. The perpetrators often claimed the payments were to be made in connection with time-sensitive transactions or deals that were to be kept secret from other company employees, and the emails typically targeted midlevel personnel who might not otherwise be responsible for or involved in transactions or deals of a similar nature.
- Perpetrators impersonated the company's vendors, often by hacking an existing foreign vendor's email account, and inserted illegitimate requests for payment and payment details into legitimate transaction requests. The perpetrators also corresponded with company personnel responsible for procuring goods from such vendors to learn about actual purchase orders and invoices. The perpetrators would then request that the company personnel initiate changes to the vendors' banking information, and the company personnel responsible for procurement would relay the new, fraudulent account information to accounting personnel responsible for maintaining vendor data.
Unlike in other areas of cybersecurity that have received attention from the SEC, the cyber fraud incidents described in the Section 21(a) report were not technologically sophisticated and did not involve a compromised network or other intrusion at the applicable public company. Instead, the cyber-related scams exploited weaknesses in common company policies and procedures (such as procedures governing outgoing wire transfers), relied on human vulnerabilities to render the company's control environment ineffective, and targeted members of the company's finance team. Some fraud incidents were successful due to company personnel taking action to circumvent existing controls or acting beyond their authority. In other cases, company personnel misinterpreted or did not sufficiently understand the company's existing controls. For example, in one case an accounting employee misinterpreted the company's authorization matrix and believed that it gave the employee sufficient approval authority for a transaction. In another case, company personnel interpreted existing controls to mean that an (ultimately compromised) electronic communication was, standing alone, sufficient to process a significant wire transfer or to change vendor banking data.
The SEC's decision not to pursue an enforcement action was based on the conduct and activities of each of the nine public companies, and the Section 21(a) report describes certain steps taken by the companies to bolster their processes and procedures to aid in the detection and prevention of fraudulent payments.
What Companies Should Do
In the press release announcing the Section 21(a) report, the SEC emphasized that internal accounting controls must be dynamic in light of evolving conditions, and public companies "must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly." The SEC further emphasized in the Section 21(a) report "the importance of devising and maintaining a system of internal accounting controls attuned to this kind of cyber-related fraud, as well as the critical role training plays in implementing controls that serve their purpose and protect assets in compliance with the federal securities laws." While each company is best positioned to tailor its internal accounting control policies and procedures to address its particular operational needs and risks, some examples of measures that can be taken to reduce the risk of falling victim to a business email compromise scam include:
- Reviewing procedures for initiating wires or changing wire transfer instructions or vendor information (for example, requiring two-factor authentication, verification of instructions through a communication channel other than email, and use of known phone numbers for verification);
- Training, re-training, and testing employees regarding common phishing and spoofing scams (for example, checking for "red flags" such as spelling or grammatical errors or other indications that the emailed instructions lack reliability, exercising particular caution when transactions are outside of the recipient employee's domain and require secrecy and immediate response);
- Ensuring the company's policies and procedures are clear and widely distributed;
- Training, re-training, and testing employees both within and outside of the finance department regarding the company's internal accounting controls policies and procedures; and
- Periodically re-assessing the company's policies and procedures for new or emerging cyber-scam threats.
Companies should also review, or consider obtaining, insurance coverage for these types of scams to mitigate the potential financial impact of falling victim to such scams.
The above-mentioned and other prudent steps will help ensure that companies are not the next victims of cyber fraud, and will demonstrate compliance with their obligation under the federal securities laws to maintain appropriate internal accounting controls.
[1] SEC Release No. 84429 (Oct. 16, 2018), available at https://www.sec.gov/litigation/investreport/34-84429.pdf.
[2] October 16, 2018 SEC Press Release, available at https://www.sec.gov/news/press-release/2018-236.
[3] See MoFo Client Alert, February 22, 2018, SEC Publishes New Guidance on Cybersecurity Disclosures and Compliance Practices.
Morrison & Foerster associate Hae Cheong Chang contributed to the writing of this alert.
© Morrison & Foerster LLP. All rights reserved