SEC Issues Report of Investigation on Cyber-Related Frauds Perpetrated Against Public Companies

by Robert W. Downes, John Evangelakos, Nader A. Mousavi, Nicole Friedlander, and Sarah M. Cravens

Public Companies Should Implement Sufficient Internal Controls to Avoid Becoming Victims of Cyber-Related Frauds and to Comply With the Exchange Act

Summary

On October 16, the SEC issued a report on an investigation into whether nine public issuers that were victims of cyber-related frauds may have violated Sections 13(b)(2)(B)(i) and (iii) of the Exchange Act by failing to have a sufficient system of internal accounting controls to provide reasonable assurances that those frauds were detected and prevented.

The issuers, which the SEC stated represent a variety of industries, were victims of two types of “business email compromise” scams that resulted in mostly unrecovered losses ranging from $1 million to over $45 million.

While the SEC determined not to pursue enforcement actions against the issuers under investigation, it issued its report of investigation to make issuers aware that such cyber-related threats exist, and concluded that all companies should reassess the sufficiency not only of their existing internal controls, but also of the policies and procedures that ensure employee compliance with those controls.

Discussion

The Securities Exchange Act of 1934 (the “Exchange Act”) requires public companies to maintain internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with and access to company assets is only permitted with “management’s general or specific authorization.”[1]  In the course of its investigation, the Securities and Exchange Commission (the “SEC”) sought to determine whether the controls of nine public issuers were sufficient to comply with these obligations.[2]

Each issuer was the victim of one of two types of scams known as “business email compromises.”  The first type involved perpetrators who used spoofed email addresses to pose as company executives in emails sent to company finance personnel.  In the emails, the perpetrators directed the finance personnel to work with a purported outside attorney identified in the email, who then directed them to cause large sums of money to be transferred to foreign bank accounts controlled by the perpetrators.  The emails generally used real law firm and attorney names, but the contact details in fact connected the personnel with an impersonator and co-conspirator.  The emails also described purported time-sensitive requests, mentioned the need for confidentiality of the transfers, provided minimal details, and sometimes falsely implied that the transactions involved government oversight, including the coordination or supervision of the SEC.  Even though all of the issuers did business internationally, the emails often described foreign transactions that were out of the ordinary for the particular issuer.  The email recipients were typically mid-level employees who ordinarily would have had no involvement in the purported transactions and rarely communicated with the executives being spoofed.

The second type of scam involved perpetrators who hacked into the email accounts of issuers’ vendors.  Posing as a vendor, these perpetrators inserted illegitimate payment requests and payment processing details into electronic communications for otherwise legitimate transaction requests.  The perpetrators corresponded with issuers’ unsuspecting procurement personnel to obtain information about purchase orders and invoices.  The perpetrators then requested that the procurement personnel initiate changes to the vendors’ banking information, attaching doctored invoices reflecting the new, fraudulent account information, and the procurement personnel relayed that information to accounting personnel responsible for maintaining vendor data.  As a result, the issuers made payments on outstanding invoices to foreign accounts controlled by the perpetrators.

Many issuers remained unaware of these schemes, some of which continued over significant periods of time, until the schemes were uncovered as a result of third-party actions, including detection by a foreign bank or law enforcement agency, or by a vendor who complained of non-payment of invoices.  The SEC noted that the schemes were often successful largely because employees either did not understand or did not follow the issuers’ internal control procedures.  As a result, the issuers as a group lost and did not recover nearly $100 million, even though they had specific information about the foreign bank accounts that received the wired funds.

Notably, even with the relevant wire transfer confirmations, money transferred in these schemes may be difficult or impossible to recover by U.S. issuers or law enforcement.  The money is typically transferred and dissipated quickly through foreign accounts in the names of shell corporations or false identities created by the perpetrators.  Further, the perpetrators often transfer the funds to foreign jurisdictions that are unlikely to cooperate with U.S. law enforcement requests for evidence or asset recovery.

Observations and implications

The SEC noted that email scams like the ones investigated here have caused business losses of over $5 billion since 2013, which according to the Federal Bureau of Investigation (“FBI”) is greater than the losses caused by any other type of cyber-related crime.[3]  The FBI has also found that the threat of email scam losses has grown over time.[4]  As such, the SEC strongly emphasized the importance of maintaining internal accounting controls that are sufficient to provide reasonable assurances that financial transactions are authorized by management.[5]  Although the SEC determined not to pursue enforcement action in these matters, the report of investigation makes it clear that the SEC expects issuers to calibrate their internal controls to address the risks of cyber-related frauds.  Because the scams commonly targeted “human vulnerabilities that rendered the control environment ineffective,”[6] the SEC also instructed companies to view employee training as a critical aspect of control implementation.  All companies are advised to reassess the sufficiency of their internal accounting controls, especially those relating to foreign transactions, as well as the completeness of their employee education protocols.

Footnotes

[1] 15 U.S.C. §§ 78m(b)(2)(B)(i), (iii).

[2] See SEC, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements (Oct. 16, 2018) (“SEC Report”). See also SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, at 18 (Feb. 21, 2018) (“[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws.”).

[3] See FBI, 2017 Internet Crime Report at 12, 21 (May 7, 2018).

[4] See FBI, Public Service Announcement: Business E-Mail Compromise: E-Mail Account Compromise: The 5 Billion Dollar Scam (May 4, 2017) (“The BEC/EAC scam continues to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses.”).

[5] The degree of assurance necessary is one “as would satisfy prudent officials in the conduct of their own affairs.” 15 U.S.C. § 78m(b)(7).

[6] SEC Report at 5.

Robert W. Downes, John Evangelakos, and Nader A. Mousavi are partners; Nicole Friedlander is special counsel, and Sarah M. Cravens is an associate at Sullivan & Cromwell LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.