SEC Continues to Urge Companies to Prioritize Cybersecurity Through Section 21(a) Report

In a new investigative report[1] released this week, the Securities and Exchange Commission (“SEC”) again stressed the need for public companies to prioritize cybersecurity measures. The Report continues the agency’s emphasis on cybersecurity this year.

For those of you keeping track at home (as I know so many of you are), 2018 thus far has seen the SEC put out interpretive guidance for public companies on cybersecurity disclosure requirements (I wrote about it here) and initiate its first enforcement action against a registered investment adviser for violating the Identity Theft Red Flags Rule. This proactive approach reflects the view Chairman Jay Clayton expressed earlier this year that “cybersecurity is critical to the operations of companies and our markets,” which is why the SEC will “continue to evaluate developments in this area and consider feedback about whether any further guidance or rules” is necessary.[2] Judging by this Report and the mistakes public companies are making, further guidance was indeed necessary.

What is a Section 21(a) Report?

A Section 21(a) investigative report (“Report”) is essentially a policy statement by the SEC that puts companies on notice of areas or practices that could lead to future regulatory intervention. The SEC issues Section 21(a) reports intermittently (a list of them can be found here). This is the first SEC Report that specifically addresses the risk of cyber fraud.

Report Findings: Companies’ Accounting Controls Should Include Cybersecurity Measures

The SEC Report examines whether nine public companies’ poor cybersecurity practices violated the federal securities laws. Those failings came to light through schemes involving spoofed or manipulated electronic communications (a fancier way of saying Business Email Compromise, or often just “BEC”[3]).

In total, the nine companies lost nearly $100 million to BEC schemes. Two of them each lost more than $30 million, and one lost more than $45 million over the course of several weeks through more than 14 wire payments to the bad actors. The SEC’s investigation found that the frauds fell into two common categories of BEC: spoofed emails purporting to come from company executives, and emails sent from compromised third-party vendor accounts.

In the spoofed-executive cases, the perpetrators targeted the companies’ finance departments. They mimicked the email addresses of company executives and sent emails to finance employees directing them to initiate large wire transfers to foreign bank accounts the perpetrators controlled. The SEC concluded that these schemes “were not sophisticated frauds in general design or the use of technology.” In almost every instance the emails targeted midlevel employees, contained grammatical and spelling errors, and described foreign transactions outside the normal course of the company’s business.

The compromised-vendor emails were the more technologically sophisticated scheme. The perpetrators broke into the email accounts of real vendors that worked with the companies, then used those accounts to send fake invoices to midlevel employees in the finance departments. The recipients relayed the invoices internally to the accounting department, which initiated wire transfers for the supposedly outstanding invoices to foreign bank accounts controlled by the bad guys. Because the messages came from the vendors’ genuine accounts, nothing about the sender looked wrong; most of the companies only realized they had been defrauded after the real vendors inquired about nonpayment of legitimate, outstanding invoices.

From these investigations, the SEC concluded that policies and procedures for managing cybersecurity risk are key to a company’s compliance with Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934. Those provisions

Require companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization.

The SEC found that a company’s internal accounting controls must take cyber-related threats into account, and that accounting and cybersecurity controls should work together to combat the risk of cyber fraud. The Report stops short of finding that the nine companies violated the securities laws, but its message is plain: internal accounting controls that ignore cyber-enabled fraud may not provide the reasonable assurances Section 13(b)(2)(B) requires.

What Can Companies Do to Combat BEC?

The SEC Report steers clear of any discussion of the specific cybersecurity measures the affected companies should have had in place, remarking that “private firms are ultimately in the best position to figure out the most appropriate sector- and firm-specific cybersecurity practices.” Nevertheless, what could the companies have done differently when confronted with BEC schemes?

For starters, the SEC’s assessment of BEC schemes was correct. Almost every successful Business Email Compromise originates in an operational breakdown rather than a technological one. Even where a company has operational processes for wire transfers, simple ones like “call before you wire” (confirming any new or changed payment instructions by phone, at a number already on file rather than one supplied in the email) or hovering over the sender’s name and any links to reveal the real address behind them, those processes prove largely ineffective without employee awareness and training. The SEC found that some of the investigated companies did have authorization procedures in place, but those procedures proved meaningless because employees were never effectively trained on them or did not follow them.

Companies should first work with their IT and legal departments to draft effective processes that combat cyber risks like BEC. But as Edison said, “vision without execution is hallucination.” After drafting, the implementation of these cybersecurity processes happens through ongoing employee training, training that should occur at every level of the organization. Even if only four people have the authority to initiate a wire transfer, companies put themselves at great risk in the absence of top-down employee training. Do you think unsuspecting, lower-level employees are outside a malicious actor’s sights? A company’s cybersecurity posture is only as strong as its weakest link. Lastly, public companies likely have robust and sophisticated IT departments. From a technological standpoint, email authentication tools like DMARC (Domain-based Message Authentication, Reporting and Conformance), which builds on SPF and DKIM, help reduce BEC threats by letting receiving mail servers reject messages that claim to come from the company’s domain but were not sent through its authorized infrastructure. Two caveats apply. DMARC only blocks spoofing of a domain whose published policy is quarantine or reject; a monitoring-only policy (p=none) reports abuse but still delivers the message. And it does nothing against the second scheme in the Report, where the mail genuinely comes from a vendor’s compromised account, or against lookalike domains the attacker registers himself. Those cases still come down to the payment verification process.
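To make the DMARC point concrete, here is an added example (not code from the SEC Report or from the original post) that parses a DMARC TXT record and works out what a receiving mail server would do with a message whose From header claims an executive’s domain. The domain example.com, the attacker domain attacker.test and both TXT records are constructed for illustration; the organizational-domain logic is simplified to the last two labels, whereas real receivers consult the Public Suffix List.

```python
"""Evaluate a DMARC policy against a claimed sender domain.

Added example, not code from the SEC Report or the original post. The domains
and TXT records below are constructed for illustration. A real receiver
fetches the record from _dmarc.<domain> in DNS and uses the Public Suffix
List to derive organizational domains; org_domain() below is a simplification.
"""

# Constructed records for the fictional domain example.com: the weak record only
# monitors, the hardened one tells receivers to reject unaligned mail.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc@example.com"
)

# Defaults (RFC 7489) for tags a record may omit.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(record):
    """Turn 'v=DMARC1; tag=value; ...' into a dict with the RFC defaults filled in."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % record)
    for key, default in DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, policy_domain, from_domain, spf_domain=None, dkim_domain=None):
    """Disposition a receiver applies to a message whose From header is @from_domain.

    spf_domain / dkim_domain are the domains that passed SPF / DKIM for the
    message (None if that check did not pass). Returns 'pass', 'none',
    'quarantine' or 'reject'.
    """
    tags = parse_dmarc(record)
    if aligned(from_domain, spf_domain, tags["aspf"]) or aligned(from_domain, dkim_domain, tags["adkim"]):
        return "pass"
    is_subdomain = from_domain.lower() != policy_domain.lower()
    return tags["sp"] if is_subdomain else tags["p"]


def audit(record):
    """Flag settings that leave a domain open to the spoofed-executive scheme."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    if tags["sp"] == "none":
        findings.append("sp=none: subdomains can be spoofed")
    if int(tags["pct"]) < 100:
        findings.append("pct=%s: policy applied to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so abuse goes unseen")
    return findings


if __name__ == "__main__":
    # The Report's first scheme: the attacker sends From: ceo@example.com through
    # their own server. SPF passes only for the attacker's envelope domain and
    # there is no DKIM signature for example.com, so nothing is aligned.
    for name, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        verdict = dmarc_disposition(rec, "example.com", "example.com", spf_domain="attacker.test")
        print(name, "->", verdict, audit(rec))
```

Under the weak record the spoofed message is delivered with a disposition of none; under the hardened record it is rejected. The same functions show the limit noted above: a fake invoice sent from a vendor’s genuinely compromised account passes SPF and DKIM for the vendor’s own domain and therefore passes DMARC, and a message from a lookalike domain is judged against that domain’s record, not the victim’s.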


The SEC’s Report on current cyber-risks should act as a warning. Companies would be wise to heed the astute advice of the Iron Chancellor, Otto von Bismarck. “Only a fool learns from his own mistakes. The wise man learns from the mistakes of others.” For the next time a publicly traded company falls victim to wire transfer fraud without the appropriate policies and procedures in place, the SEC might not be in such a lenient mood.


Have any questions about cybersecurity law? Feel free to contact me or follow me on Twitter @CyberSecureAtty.     


[1] Securities and Exchange Commission, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934, Release No. 84429 / Oct. 16, 2018.


[3] Business Email Compromise is a scam where malicious actors compromise and/or mimic legitimate email accounts in order to trick recipients into conducting unauthorized wire transfers.