SEC issues investigative report on impact of cyber-fraud on internal controls

by: Gabriel A. Peixoto

On October 16, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued a report (“Report”) describing its investigation into the internal accounting controls of nine public companies that fell victim to “business email compromises” (“BECs”), a type of cyber-fraud.  The SEC published its report to make issuers and other market participants aware that cyber-threats are on the SEC’s radar and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws.

The Report analyzed two kinds of BECs:  (1) e-mails from fake executives, and (2) e-mails from fake vendors.  Both BEC variants rely on spoofed or compromised e-mail accounts used by impostors (posing as either company executives or existing vendors) to direct company finance personnel to wire funds to foreign bank accounts controlled by the fraudsters.  The nine public companies, which span a range of industries including technology, finance, and consumer goods, lost a total of nearly $100 million as a result. Each of the issuers lost at least $1 million, two lost more than $30 million, and one lost over $45 million.

The SEC’s investigation analyzed whether each of the nine issuers violated Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934 by failing to maintain an adequate system of internal accounting controls.  Specifically, Section 13(b)(2)(B)(i) and (iii) require that certain issuers “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization,” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.”

While the SEC did not charge any of the issuers with violations, the Report cautions that public companies subject to Section 13(b)(2)(B) “must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” Furthermore, the Report emphasizes that: (1) every type of business is a potential target for cyber-crime, and (2) public companies should routinely review and update their internal controls to account for the rapidly evolving nature of cyber-threats, including the risk that a single spoofed e-mail can cause authorization and payment controls to be bypassed by the company’s own personnel.

BECs pose substantial risks to businesses, having caused more than $5 billion in losses since 2013.  In light of these risks, the SEC Enforcement Division is increasingly focused on policing the cybersecurity of public companies, including through its newly created “Cyber Unit” (announced in September 2017).  In conjunction with its enforcement activities, earlier this year (February 2018) the SEC also released updated interpretive guidance regarding the disclosure of cybersecurity risks and incidents to investors.  In short, the Report signals the SEC’s continued focus on cyber-threats, and one should expect future enforcement actions under these internal-controls provisions in connection with cyber-fraud.