SEC Issues Report on Cyber-Security Investigations, Internal Controls

Cyber-security has become — or perhaps should be – a key area of concern for every enterprise. The risks are substantial for the firm, its shareholders, executives and customers as recent cases illustrate. Every enterprise large or small is a potential victim. The losses can and often are substantial not just in dollars but also in trust, customers and more. The Commission has issued guidance. The agency has also brought enforcement actions.

Now, however, the Commission has issued a report based on nine investigations of firms involved in a variety of industries, cautioning about cyber risks in the context of the firm’s obligations to maintain proper internal controls. Report of Investigation Pursuant to Section 21(a) of the Exchange Act Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies, October 16, 2018.

The Report involved investigations of issuers in lines of business that ranged from technology, machinery, real estate and energy to financial and consumer goods. Each intrusion centered on the use of email. Each intrusion succeeded in part because of a human component – a lack of training, failure to understand controls or properly apply them. Collectively the companies lost millions of dollars.

The schemes were not sophisticated. The intruders generally employed one of two methods. The first centered on the use of emails from non-affiliates of the firm to company executives using spoofed email domains and addresses. Typically the email went to finance personnel who were directed to coordinate with outside counsel to complete a deal or transaction. The law firm and attorney names were real. Eventually the intruder would claim that there was a time-sensitive deal or that funds were required for a foreign transaction and request a transfer of funds. The emails in these cases often contained simple errors.

The second centered on impersonating an issuer’s vendors. This scheme usually began with identifying venders of the firm, penetrating their system and then forwarding emails to the company. The intruders would typically correspondent with issuer personal responsible for procuring goods from vendors. They would be requested to initiate changes to the vendor’s banking information. The requests included fraudulent account information. As in the first variation, eventually funds would be wired. Overall the nine issuers involved here lost millions of dollars, most of which has not been recovered.

None of the issuers involved in the underlying investigations were charged. Rather, the investigations are being used to emphasize the fact that cyber-security “presents ongoing risks and threats to our capital markets and to companies operating in all industries. . .” Cyber security risks and management are thus crucial to every issuer. This is particularly true in view of their obligations under Exchange Act section 13(b)(2)(B).

The internal controls provisions of the Exchange Act require that the firm implement a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accord with management’s authorization and that access to assets is only permitted as authorized. Accordingly, when assessing the adequacy of internal controls, it is imperative to consider cyber-security risks. Those risks are well illustrated by the nine investigations here where the “frauds were not sophisticated. . . [and relied] on technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.” Having systems which factor in cyber-related threats and the related human vulnerabilities, its thus critical, the Report notes.

The Report concludes by noting that “the Commission is not suggesting that every issuer that is the victim of a cyber-related scam is . . . in violation of . . .” the securities laws. Rather, the lesson to be drawn from the Report and the underlying investigations is that “internal accounting controls may need to be reassessed in light of the emerging risks, including risks arising from cyber-related frauds.”

Print Friendly, PDF & Email
Tagged with: ,

DOJ Charges Three Traders with Spoofing

Spoofing is a form of market manipulation in the commodity markets in which the trader bids or places orders with no intent of executing them. Later they are cancelled. The practice can distort the pricing in the markets and cause injury to other traders who are deceived. The Dodd-Frank Act, in view of this, gave the CFTC additional enforcement authority in this area. Since then the agency, at times in conjunction with the DOJ, has brought “spoofing cases.” The most recent centers on three traders and two markets.

Charged in the actions are three traders from a New York based financial services firm: Yuchum Mao, a citizen of the Peoples Republic of China; Kamaldeep Gandhi, a resident of Chicago; and Krishna Mohan of New York.

The indictment as to Mr. Mao alleges that he was the co-head of a trading team at an unidentified Trading Firm working in Chicago and New York. Over a three year period, beginning in early 2012, Mr. Mao and others are alleged to have conspired to mislead the markets for E-Minni S&P 500 and E-Minni NASDAQ 100 futures contracts traded on the Chicago Mercantile Exchange or CME. Mr. Mao and others also conspired to deceive market participants for the E-Mini Dow futures contracts traded on the Chicago Board of Trade or CBOT, according to the charges.

The indictment alleges that the conspirators placed thousands of false trades that they did not intend to execute. The purpose was to create the false and misleading appearance of increased supply or demand. Those participating in the markets at the time these orders were placed suffered losses of over $60 million. The traders placed the orders for their personal benefit.

A criminal information as to Mr. Gandhi alleges in count one that he conspired with Defendant Mao and others as to the trading offenses while employed at the Trading Firm. Count two alleges that from about May 2014 through October 2014 Mr. Gandhi, while employed at Second Trading Firm based in Chicago, conspired with others to mislead the markets for E-Mini S&P 500 futures contracts on the CME. He agreed, according to the charges, to place spoof orders in those contracts in order to create the false appearance of increased supply or demand. Mr. Gandhi has agreed to plead guilty to the charges in the information. U.S. v. Gandhi, No. 4:18-cr-00609 (S.D. Tx. Filed Oct. 11, 2018). Mr. Gandhi was also named in a civil action by the CFTC and is cooperating. In the Matter of Kamaldeep Gandhi, CFTC Docket No. 19-01 (Oct. 11, 2018).

Mr. Mao was indicted on one count of conspiracy to commit commodities fraud, two counts of commodities fraud and two counts of spoofing. U.S. v. Mao, No. 18 cr 606 (S.D. Tx. Filed Oct. 10, 2018). Mr. Mohan was charged in a criminal information with one count of conspiracy to engage in wire fraud, commodities fraud, and spoofing. The charges are pending. U.S. v. Mohan, No. 4:18 – cr – 00610 (S.D. Tx. Filed Oct. 10, 2018).

Print Friendly, PDF & Email
Tagged with: , ,
Top