Measures to Consider Taking to Mitigate Risk
The Securities and Exchange Commission’s October 16, 2018 Section 21(a) report focusing on public companies victimized by cyber-related attacks underscores the importance of devising and implementing proper internal accounting controls with an eye on addressing such cyber threats. The report, after detailing the SEC Enforcement Division’s investigations of nine public companies that had lost millions of dollars as victims of cyber fraud, did not announce any action against the victims of the cyberattacks, but makes clear the Enforcement Division will continue to scrutinize how public companies create and implement internal controls relating to cybersecurity. Indeed, the SEC’s press release announcing the report specifically cautioned public companies that they “should consider cyber threats when implementing internal accounting controls.”
Section 21(a) reports are not enforcement actions, but the SEC often utilizes such reports to signal an area of emphasis in its enforcement program, with enforcement actions relating to the same subject matter likely to follow. For example, the SEC’s July 25, 2017 Section 21(a) report known as the “DAO Report,” which reminded readers of the federal securities laws’ registration requirements and their application to sales of certain “tokens,” heralded the SEC’s recent spate of enforcement actions relating to crypto-currency transactions. Companies would be wise, therefore, to read the SEC’s latest Section 21(a) report as a reminder to revisit their internal accounting controls to ensure compliance with the federal securities laws.
The SEC has previously provided guidance on cybersecurity disclosures, cybersecurity risk management, and the insider-trading implications of cybersecurity incidents, and it has pursued enforcement actions against regulated firms for failure to safeguard customer information in the wake of cybersecurity incidents and companies for alleged delays in the disclosure of a material data breach. The Section 21(a) report focuses on a different dimension of cybersecurity, specifically, cyber fraud schemes targeting public company personnel, and provides a window into how the SEC Enforcement Division would look at whether a company’s vulnerabilities to cyber fraud could signal an underlying failure in its internal accounting controls.
Although the SEC ultimately did not pursue enforcement actions against any of the nine companies, its decision to publish a Section 21(a) report demonstrates the SEC’s interest in financial cyber fraud and its prevalence and widespread applicability to issuers across industries. The SEC’s investigations focused on “business email compromises” in which perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large payments to bank accounts controlled by the perpetrators. Each of the nine companies lost at least $1 million, two lost more than $30 million, and one lost more than $45 million in frauds that in some instances lasted for months. The scams fell into two general types:
Unlike in other areas of cybersecurity that have received attention from the SEC, the cyber fraud incidents described in the Section 21(a) report were not technologically sophisticated and did not involve a compromised network or other intrusion at the applicable public company. Instead, the cyber-related scams exploited weaknesses in common company policies and procedures (such as procedures governing outgoing wire transfers), relied on human vulnerabilities to render the company’s control environment ineffective, and targeted members of the company’s finance team. Some fraud incidents were successful due to company personnel taking action to circumvent existing controls or acting beyond their authority. In other cases, company personnel misinterpreted or did not sufficiently understand the company’s existing controls. For example, in one case an accounting employee misinterpreted the company’s authorization matrix and believed that it gave the employee sufficient approval authority for a transaction. In another case, company personnel interpreted existing controls to mean that an (ultimately compromised) electronic communication was, standing alone, sufficient to process a significant wire transfer or to change vendor banking data.
The SEC’s decision not to pursue an enforcement action was based on the conduct and activities of each of the nine public companies, and the Section 21(a) report describes certain steps taken by the companies to bolster their processes and procedures to aid in the detection and prevention of fraudulent payments.
What Companies Should Do
In the press release announcing the Section 21(a) report, the SEC emphasized that internal accounting controls must be dynamic in light of evolving conditions, and public companies “must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” The SEC further emphasized in the Section 21(a) report “the importance of devising and maintaining a system of internal accounting controls attuned to this kind of cyber-related fraud, as well as the critical role training plays in implementing controls that serve their purpose and protect assets in compliance with the federal securities laws.” While each company is best positioned to tailor its internal accounting control policies and procedures to address its particular operational needs and risks, some examples of measures that can be taken to reduce the risk of falling victim to a business email compromise scam include:
Companies should also review, or consider obtaining, insurance coverage for these types of scams to mitigate the potential financial impact of falling victim to one.
The above-mentioned and other prudent steps will help ensure that companies are not the next victims of cyber fraud, and will demonstrate compliance with their obligation under the federal securities laws to maintain appropriate internal accounting controls.
SEC Release No. 84429 (Oct. 16, 2018), available at https://www.sec.gov/litigation/investreport/34-84429.pdf.
See MoFo Client Alert, February 22, 2018, SEC Publishes New Guidance on Cybersecurity Disclosures and Compliance Practices.
Morrison & Foerster associate Hae Cheong Chang contributed to the writing of this alert.