Shearman & Sterling LLP is a multinational law firm headquartered in New York City, United States.

Cybersecurity – Board Oversight

Oct 29, 2018

Can a Cyber Breach Be a Violation of Internal Controls? The SEC Says, ‘Maybe’

On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report outlining an investigation conducted by the SEC’s Division of Enforcement related to the internal accounting controls at nine public companies that were the victims of cyber fraud. The SEC elected to issue a report under Section 21(a) of the Securities Exchange Act of 1934 rather than proceeding with enforcement actions against any of the companies involved as a way to draw attention to the growing issue of cyber fraud, highlight what it believes are necessary and best practices in this area and, importantly, caution all public companies that failure to strengthen internal controls in the face of the growing risk of cyber fraud could result in an enforcement action in the future.[1]

The Report

The SEC’s investigation focused on a series of “business email compromises” in which personnel at each of the nine companies received spoofed or otherwise compromised electronic communications purporting to originate from a company executive or vendor, causing the personnel to transfer large sums or pay falsified invoices to accounts controlled by the perpetrators of the scheme. Cybercrime can manifest in many forms, but the SEC noted that the schemes that were detailed in the report were relatively unsophisticated. In the aggregate, the nine companies, spanning a range of industries, lost nearly $100 million as a result of the frauds. Each of the companies lost at least $1 million, one lost more than $45 million and most of the losses were unrecoverable. The frauds in some instances lasted months and often were detected only after intervention by law enforcement or other third parties. At the end of this article, we have described the types of business email compromises that were the subject of the investigation and offer suggestions on possible process changes.

Notably, the relevant issuers had implemented internal controls (such as certain levels of authorization for payment requests, management approval for outgoing wires, and verification of any changes to vendor data), but these proved inadequate or ineffective. The report points out that in several cases, procedures that could have identified or thwarted the scams were misunderstood or not followed, or personnel failed to ask appropriate questions. For example, the existing controls were interpreted by the company’s personnel to mean that the compromised electronic communications were, standing alone, sufficient to process significant wire transfers or changes to vendor banking data. Additionally, many of these issuers only learned of the fraud as a result of third-party notices, such as from law enforcement or foreign banks. In response to these incidents, companies implemented remedial measures such as enhancing their payment authorization procedures and verification requirements for vendor information changes, and some issuers also took steps to strengthen their account reconciliation procedures and outgoing payment notification processes to aid detection of payments resulting from fraud. All of the issuers enhanced personnel training with respect to relevant threats and internal procedures.

The SEC considered whether the nine companies that were victims of cyber-related frauds violated federal securities laws by failing to have sufficient internal accounting controls, pursuant to sections 13(b)(2)(B)(i) and (iii) of the Exchange Act, which require companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization. In light of the facts and circumstances of the examined incidents, and the actions taken by the companies when the schemes were discovered, the SEC did not bring charges against the companies or their personnel.

In the announcement of the release of the report, the SEC advised that public issuers subject to the internal accounting controls requirements of the Exchange Act “must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” It also directly indicated its position that cybersecurity falls squarely within the internal control framework, stating “our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations.”[2]

Regulatory Framework

The report comes on the heels of SEC interpretive guidance issued earlier this year on public company disclosures regarding cybersecurity risks and incidents,[3] which we have discussed in a prior client note.[4] The disclosure guidance summarizes the SEC’s views regarding the importance of appropriate disclosure controls and procedures, insider trading policies and selective disclosure safeguards in the context of cybersecurity incidents. Although the interpretive guidance makes clear that the SEC views cybersecurity as a key disclosure matter, it does not provide public companies with specific guidance on SEC expectations for what is required to be disclosed and when. The interpretive guidance, however, does provide a useful review of the existing disclosure obligations related to cybersecurity matters and the disclosures that may be triggered upon the occurrence of cybersecurity incidents or events.

Beyond the SEC, cybersecurity has also drawn attention at other levels of government. In our recently published insight on the role of board oversight in cybersecurity matters, we discuss recent cybersecurity initiatives at the executive, congressional and state levels.[5]

Taking Action

The report expressly includes the objective of making “issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws.” Moreover, the report concludes that the SEC “is not suggesting that every issuer that is the victim of a cyber-related scam is, by extension, in violation of the internal accounting controls requirements of the federal securities laws. What is clear, however, is that internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds.”

What Should Companies Do?

  • Cybersecurity Considerations are a Fundamental Part of Internal Controls. The report is a reminder to all companies of the necessity of considering cybersecurity risks when establishing internal control processes and procedures.
  • One Size Does Not Fit All. The cybersecurity measures that companies implement as part of their internal control framework should be tailored to the distinctive nature of cybersecurity risks as compared with other control risks, and should be appropriate to the company’s type of business and the types of cybersecurity risk to which it is vulnerable.
  • Train, Test and Train Again. As described in the report, even the most robust internal control processes cannot be effective if those required to follow them do not understand them or ignore them. On an ongoing basis, education, training and testing of the relevant personnel on internal control procedures is critical.
  • Keep Track of What Happens. Companies should document the types of cybersecurity schemes to which they are subjected and how the existing internal control processes performed in the face of each scheme. This information should be reported regularly to management and used as part of each internal control review.
  • Do Not Set It and Forget It. As the types and sophistication of cybersecurity schemes expand, companies should assess and reassess the adequacy of their internal control procedures as they learn about new threats and vulnerabilities.

The Business Email Compromises

The business email compromises that were the focus of the investigation were unsophisticated frauds that, with additional control processes and training, could have been prevented.

Spoofing a Company Executive

In this fraud, perpetrators emailed company finance personnel, using spoofed email domains and email addresses of an executive (typically the CEO). The domain and email addresses were designed to appear legitimate. The spoofed email directed the companies’ finance personnel to work with a purported outside attorney identified in the email, who then directed the companies’ finance personnel to execute large wire transfers to foreign bank accounts controlled by the perpetrators. The perpetrators used real law firm and attorney names, and legal services-sounding email domains, but the contact details connected company personnel with impersonators and co-conspirators. In many cases, the emails included red flags, such as grammatical errors and emphasis on a need for secrecy. Additionally, the emails were generally sent to midlevel employees who often do not interact with the senior executives who purportedly made the requests.

Spoofing a Vendor

In this fraud, perpetrators hacked existing vendors’ email accounts and inserted illegitimate payment requests (and payment processing details) into electronic communications for otherwise legitimate transaction requests. The perpetrators also corresponded with issuer personnel responsible for procuring goods from the vendors to gain access to information about actual purchase orders and invoices. They then requested that company personnel change the vendors’ banking information, attaching modified invoices that reflected the new, fraudulent account details; procurement personnel relayed this information to accounting personnel, and the issuers paid outstanding invoices to foreign accounts controlled by the impersonator rather than to the real vendors’ accounts.

Steps You Can Take to Protect Your Company:

  • Cyber fraud training. All company personnel should be required to take cyber fraud training. A number of third-party providers offer interactive training programs to combat phishing and other cybercrime threats that can be customized to individual company needs. Training company personnel to identify spoofed email addresses and domain names and red flags in these types of frauds is no longer just a best practice. It is essential.
  • Ensure that all payments made to vendors or other third parties require dual authorization. Provide for additional heightened approvals for payments that exceed an identified threshold or involve payments made not in the ordinary course.
  • Ensure that the payment processing approval matrix is kept current to reflect personnel changes and departmental reorganizations. Make review of the approval matrix part of your internal control review procedures. Finally, make sure that those who need to understand the approval process actually do.
  • Empower employees to question payment requests that appear unusual or suspicious, even where company executives are purportedly involved. At the companies that were the subject of the report, recipients of the fraudulent emails did not ask questions about the nature of the supposed transactions even where such transactions were clearly outside the recipient employee’s authority.
  • Regularly test employee preparedness with mock phishing emails and payment requests. Use the results of the testing to design modifications to internal control procedures and share the results with affected employees.
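As an added illustration, not part of the memo, the following Python sketch shows how the controls listed above (dual authorization, heightened approval above a threshold or outside the ordinary course, and an out-of-band call-back before any vendor banking change takes effect) can be enforced mechanically in a payment workflow. The approver roles, approval limits, threshold and sample vendor are constructed assumptions, not values from the SEC report.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical approval matrix: role -> largest amount that role may approve.
# Values are constructed for illustration only.
APPROVAL_LIMITS = {"ap_clerk": 0, "controller": 250_000, "cfo": 10_000_000}
HEIGHTENED_THRESHOLD = 250_000  # above this, a CFO-level approver is also required


@dataclass
class Vendor:
    name: str
    bank_account: str
    contact_phone: str                       # number on file, never one supplied in an email
    pending_account: Optional[str] = None    # requested change awaiting call-back
    change_verified: bool = False


def request_bank_change(vendor: Vendor, new_account: str) -> str:
    """An emailed request alone never updates banking data; it only opens a hold."""
    vendor.pending_account = new_account
    vendor.change_verified = False
    return f"hold: confirm change for {vendor.name} by calling {vendor.contact_phone} (number on file)"


def confirm_bank_change(vendor: Vendor, confirmed_by_callback: bool) -> bool:
    """Apply the pending change only after confirmation on the number already on file."""
    if vendor.pending_account and confirmed_by_callback:
        vendor.bank_account, vendor.pending_account = vendor.pending_account, None
        vendor.change_verified = True
        return True
    return False


def evaluate_payment(vendor: Vendor, amount: float, approvers: List[str],
                     ordinary_course: bool) -> List[str]:
    """Return the control failures for a proposed wire; an empty list means it may be released."""
    failures = []
    if vendor.pending_account is not None:
        failures.append("vendor bank change pending verification")
    if len(set(approvers)) < 2:                              # dual authorization for every third-party payment
        failures.append("dual authorization required")
    if amount > max((APPROVAL_LIMITS.get(r, 0) for r in approvers), default=0):
        failures.append("amount exceeds approval authority of approvers")
    if (amount > HEIGHTENED_THRESHOLD or not ordinary_course) and "cfo" not in approvers:
        failures.append("heightened approval required")
    return failures


if __name__ == "__main__":
    acme = Vendor("Acme Parts", "OLD-ACCT", "+1-555-0100")   # constructed sample vendor
    print(request_bank_change(acme, "NEW-ACCT"))
    print(evaluate_payment(acme, 50_000, ["ap_clerk", "controller"], True))
```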

For further guidance in designing and evaluating cybersecurity frameworks and advice on responding to actual breaches, please reach out to any Shearman & Sterling contacts that have contributed to this memo.

Footnotes

[1] “Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements,” available at https://www.sec.gov/litigation/investreport/34-84429.pdf.

[2] https://www.sec.gov/news/press-release/2018-236.

[3] “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” available at https://www.sec.gov/rules/interp/2018/33-10459.pdf.

[4] https://www.shearman.com/perspectives/2018/02/sec-adopts-interpretive-guidance-on-cybersecurity-disclosures.

[5] https://www.shearman.com/perspectives/2018/corpgovsurvey/cybersecurity--board-oversight.

Authors and Contributors

  • Richard Alsop, Partner, Capital Markets, New York, +1 212 848 7333
  • David Beveridge, Partner, Capital Markets, New York, +1 212 848 7711
  • Alan Bickerstaff, Partner, Emerging Growth, Austin, +1 512 647 1903
  • J. Russel Denton, Partner, Emerging Growth, Austin, +1 512 647 1906
  • Jonathan (JD) DeSantis, Partner, Capital Markets, New York, +1 212 848 5085
  • Brian Dillavou, Partner, Emerging Growth, Austin, +1 512 647 1905
  • David Dixter, Partner, Capital Markets, London, +44 20 7655 5633
  • Marwa Elborai, Partner, Capital Markets, London, +44 20 7655 5524
  • David Flechner, Partner, Capital Markets, São Paulo, +55 11 3702 2230
  • Stuart K. Fleischmann, Partner, Capital Markets, New York, +1 212 848 7527
  • Christopher Forrester, Partner, Capital Markets, Menlo Park, +1 650 838 3772
  • Ted Gilman, Partner, Emerging Growth, Austin, +1 512 647 1904
  • Stephen T. Giove, Partner, Capital Markets, New York, +1 212 848 7325
  • Carmelo Gordian, Partner, Emerging Growth, Austin, +1 512 647 1902
  • Harald Halbhuber, Partner, Capital Markets, New York, +1 212 848 7150
  • Lisa Jacobs, Partner, Capital Markets, New York, +1 212 848 7678
  • Merritt Johnson, Partner, Capital Markets, New York, +1 212 848 7522
  • Jonathan Kellner, Partner, Mergers & Acquisitions, São Paulo, +55 11 3702 2210
  • Jason Lehner, Partner, Capital Markets, Toronto, +1 416 360 2974
  • Kyungwon (Won) Lee, Partner, Capital Markets, New York, +1 212 848 8078
  • J. Matthew Lyons, Partner, Emerging Growth, Austin, +1 512 647 1901
  • Grissel Mercado, Partner, Capital Markets, New York, +1 212 848 8081
  • Emma Maconick, Partner, Intellectual Property Transactions, Menlo Park, +1 650 838 3704
  • Ilir Mujalovic, Partner, Capital Markets, New York, +1 212 848 5313
  • Lona Nallengara, Partner, Capital Markets, New York, +1 212 848 8414
  • Manuel A. Orillac, Partner, Capital Markets, Houston, +1 713 354 4886
  • Antonia E. Stolper, Partner, Capital Markets, New York, +1 212 848 5009
  • Pawel J. Szaja, Partner, Capital Markets, London, +44 20 7655 5013
  • Arielle L. Katzman, Associate, Capital Markets, New York, +1 212 848 4451
  • Marc Elzweig, Associate, Intellectual Property Transactions, Menlo Park, +1 650 838 3815