SEC Issues Report of Investigation Relating to Certain Cyber-Related Frauds
On October 16th, the Securities and Exchange Commission (SEC) issued its “Report of Investigation…Regarding Certain Cyber-Related Frauds,” addressing cyber-related frauds perpetrated against public companies. This latest publication comes on the heels of the SEC’s updated “Statement on Cybersecurity Disclosures,” released back in February, and demonstrates the Commission’s continued focus on cyber threats as a risk to public companies and capital markets.
This latest report describes the results of the SEC’s investigation into multiple instances of cyber fraud committed against public companies. Specifically, the report focuses on two common types of payment fraud carried out through business email compromise: 1) emails purporting to be from executives, directing mid-level employees to send wire transfers to international bank accounts, and 2) emails from fake vendors redirecting invoice payments to different bank accounts. The first scenario is typically executed via an external email that appears to come from a C-level executive’s personal account and asks a mid-level manager to direct payment to a legitimate-looking law firm as part of a confidential international transaction. The second scenario usually involves compromising a legitimate vendor’s email account and then emailing that vendor’s customers to request that outstanding payments for previously invoiced goods or services be redirected to a new bank account.
The SEC points out that organizations failing to have proper internal accounting controls to prevent and detect such issues may be in violation of Sections 13(b)(2)(B)(i) and (iii) of the Exchange Act of 1934. These provisions require issuers to devise and maintain controls sufficient to provide reasonable assurance that transactions are executed with, or access to company assets is permitted, only with management’s authorization. The SEC then observes that it is a public company’s responsibility to evaluate the evolving threat landscape and adjust its system of controls accordingly.
The report concludes that, “Given the prevalence and continued expansion of these attacks, issuers should be mindful of the risks that cyber-related frauds pose and consider, as appropriate, whether their internal accounting control systems are sufficient to provide reasonable assurances in safeguarding their assets from these risks.”
This SEC document raises a few key points for public companies to consider:
The SEC is building the case that payment-related fraud perpetrated against public companies via cyber methods may be subject to enforcement action via the Exchange Act if it is found that internal controls were lacking.
According to the report, most victim organizations had controls in place relating to payment fraud risk; however, the fraud was still successful due to employees’ general lack of awareness of the cyber threat or employees who simply failed to follow payment procedures.
The SEC is more critical in this report than in the past of companies that were unable to detect the fraud themselves (typically notified via the bank or via a vendor who hasn’t received payment, depending on which fraud scheme was involved).
It is not clear specifically what the SEC recommends to address the issue (the report clearly avoids this in its conclusion), nor is it clear yet how this may translate to the audit of public issuers.
More is still to come on these and other questions as the SEC (and possibly the PCAOB) continue to release cyber-focused statements and publications. In the meantime, it is worth reviewing your organization’s internal controls relating to payments (especially those intended to detect potential fraud) and assessing the quality of cybersecurity awareness within your organization. Such evaluations should include social engineering testing to measure the effectiveness of the cybersecurity awareness program.
To learn more about our cybersecurity services, contact a Weaver professional today.