SEC Issues Report on Cyber-Security Investigations, Internal Controls

Cyber-security has become — or perhaps should be – a key area of concern for every enterprise. The risks are substantial for the firm, its shareholders, executives and customers as recent cases illustrate. Every enterprise large or small is a potential victim. The losses can and often are substantial not just in dollars but also in trust, customers and more. The Commission has issued guidance. The agency has also brought enforcement actions.

Now, however, the Commission has issued a report based on nine investigations of firms involved in a variety of industries, cautioning about cyber risks in the context of the firm’s obligations to maintain proper internal controls. Report of Investigation Pursuant to Section 21(a) of the Exchange Act Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies, October 16, 2018.

The Report involved investigations of issuers in lines of business that ranged from technology, machinery, real estate and energy to financial and consumer goods. Each intrusion centered on the use of email. Each intrusion succeeded in part because of a human component – a lack of training, failure to understand controls or properly apply them. Collectively the companies lost millions of dollars.

The schemes were not sophisticated. The intruders generally employed one of two methods. The first centered on the use of emails from non-affiliates of the firm to company executives using spoofed email domains and addresses. Typically the email went to finance personnel who were directed to coordinate with outside counsel to complete a deal or transaction. The law firm and attorney names were real. Eventually the intruder would claim that there was a time-sensitive deal or that funds were required for a foreign transaction and request a transfer of funds. The emails in these cases often contained simple errors.

The second centered on impersonating an issuer’s vendors. This scheme usually began with identifying venders of the firm, penetrating their system and then forwarding emails to the company. The intruders would typically correspondent with issuer personal responsible for procuring goods from vendors. They would be requested to initiate changes to the vendor’s banking information. The requests included fraudulent account information. As in the first variation, eventually funds would be wired. Overall the nine issuers involved here lost millions of dollars, most of which has not been recovered.

None of the issuers involved in the underlying investigations were charged. Rather, the investigations are being used to emphasize the fact that cyber-security “presents ongoing risks and threats to our capital markets and to companies operating in all industries. . .” Cyber security risks and management are thus crucial to every issuer. This is particularly true in view of their obligations under Exchange Act section 13(b)(2)(B).

The internal controls provisions of the Exchange Act require that the firm implement a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accord with management’s authorization and that access to assets is only permitted as authorized. Accordingly, when assessing the adequacy of internal controls, it is imperative to consider cyber-security risks. Those risks are well illustrated by the nine investigations here where the “frauds were not sophisticated. . . [and relied] on technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.” Having systems which factor in cyber-related threats and the related human vulnerabilities, its thus critical, the Report notes.

The Report concludes by noting that “the Commission is not suggesting that every issuer that is the victim of a cyber-related scam is . . . in violation of . . .” the securities laws. Rather, the lesson to be drawn from the Report and the underlying investigations is that “internal accounting controls may need to be reassessed in light of the emerging risks, including risks arising from cyber-related frauds.”