Just when you thought the hazards of cyberfraud couldn’t get worse, the SEC recently issued a Report of Investigation (more on that later) stating that nine recent corporate victims of cyberfraud may have compounded their problems by having insufficient internal accounting controls. Specifically, the SEC focused on Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act, which it summarized as requiring companies to:
“devise and maintain a system of internal accounting sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization.”
A Report of Investigation pursuant to Section 21(a) of the Exchange Act is a means by which the SEC communicates general policy-level information to the market following its investigation into specific potential wrongdoing, particularly when it decides not to bring an enforcement action despite apparent legal missteps. For example, a high-profile Section 21(a) report issued last year addressed whether tokens issued by certain “virtual organizations” as an “initial coin offering” were securities and, therefore, were subject to the federal securities laws. (See this Doug’s Note.)
In this particular report, the SEC was concerned about specific instances of cyber-related spoofing and compromised electronic communications at nine separate companies. The general circumstances of the breaches at issue are familiar to most companies by now, though the details are not important for purposes of the report’s overall message. Highlights include:
- One company making 14 separate wire payments over the course of several weeks totaling more than $45 million in order to comply with the request of a fake executive.
- Perpetrators hacking a vendor’s account and then impersonating the vendor in emails that submitted eight fake invoices totaling $1.5 million and provided illegitimate payment processing details, which the company dutifully paid.
The report reminds readers that the February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures advised public companies that:
“[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws.”
It goes on to posit that:
“these frauds were not sophisticated in design or the use of technology; instead, they relied on technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective. Having internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets.”
Therefore, says the report, companies must devise and maintain internal accounting controls attuned to this kind of cyberfraud, as well as provide training designed to implement effective controls and protect assets in accordance with the securities laws.
The SEC generously acknowledges that not every company that is a victim of cyberfraud is also in violation of the internal control requirements of the securities laws. Nevertheless, the report states that it is “clear” that internal controls may need to be reassessed in light of emerging cyberfraud risks. This, in turn, requires calibrating internal controls to the current risk environment and assessing and adjusting policies and procedures accordingly.
That seems like good advice to me.