On October 16, 2018 the Securities and Exchange Commission (“SEC”) issued an investigative report following investigations of nine public issuers who were victims of cyber fraud.
The investigations focused on whether the issuers failed to comply with their obligations under Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934, which require certain issuers to devise and maintain internal controls sufficient to provide reasonable assurances that transactions are executed, and access to assets is permitted, only with management’s general or specific authorization.
Nine issuers were the subject of this investigation, and their businesses spanned industries from technology and finance to machinery and consumer goods. All of the issuers were listed on a national securities exchange and generated substantial annual revenue.
The cyber fraud perpetrated against the issuers investigated by the SEC involved two separate business email compromise schemes concerning accounts supposedly belonging to corporate executives or outside vendors.
The first scheme used spoofed emails that purported to come from company executives, usually the CEO. These schemes, which instructed corporate finance employees to make large wire transfers, had several common elements. First, the emails described deals as time-sensitive and requiring a degree of confidentiality from other employees without going into much detail on the transactions themselves. Second, payment was to be sent to foreign banks. Third, communications went to midlevel personnel who were not typically responsible for that type of transaction and who did not regularly communicate with the executive purporting to send the email. This scheme was not particularly complex or technologically-sophisticated, merely requiring an email spoofed so as to appear to be from a high-level executive. Indeed, many of the communications reviewed by the SEC contained spelling and grammatical errors.
The second scheme was more complex, involving emails purporting to come from foreign vendors. Each of these frauds involved an initial intrusion into a foreign vendor’s email account, communication with an issuer employee who typically communicated with the vendor to gain information on actual purchase orders and invoices, and a request for payment with a doctored invoice directing payment to a new account for an otherwise legitimate transaction. The level of detail resulted in this scheme lasting for several months, often until the real vendor alerted the issuer of nonpayment on outstanding invoices.
Losses from these frauds were substantial. Each of the nine issuers lost more than $1 million. Two issuers lost more than $30 million. Most of the losses were not recovered. The SEC did not pursue enforcement actions against any of the nine issuers, but issued the investigative report to ensure issuers are aware of Section 13(b)(2)(B) obligations and to make recommendations on how issuers can ensure compliance with such obligations.
The SEC noted that these two schemes were not particularly sophisticated in the use of technology and instead relied on policy or procedure weaknesses along with human vulnerabilities. To combat such schemes, companies should ensure that their internal accounting policies and procedures are robust in compliance with the Section 13(b)(2)(B) requirements and that employees receive sufficient training in such areas.
The issuers investigated in connection with this report had policies requiring certain levels of authorization for payment requests, management approval of outgoing wires, and verification for changes to vendor data, yet still fell victim to these schemes. Following discovery of the fraud, all of the issuers enhanced payment authorization procedures and verification requirements for vendor information changes. Some issuers only learned of the fraud after an outside party, such as the actual vendor, alerted them. These issuers took steps to strengthen account reconciliation and outgoing payment notifications procedures.
Once a company has sufficiently strong policies and procedures in place, human vulnerabilities can be addressed by training personnel to ensure they understand the company’s policies and procedures. Several of the issuers investigated in connection with this report had employees who did not follow existing authorization requirements that may have uncovered the scheme before payment was made. While all of the issuers had some level of training regarding controls and information technology, each enhanced the existing training to cover potential threats and a review of all existing policies and procedures.
Cybersecurity is, and will almost certainly remain, one of the biggest challenges facing all types of companies. The business email compromises involved in this SEC report generated the highest out-of-pocket losses for any type of cyber-crime in the past five years, with over $5 billion in losses. It is essential that companies have robust policies and procedures in place, and that all employees receive regular, in-depth training, to ensure companies comply with their regulatory obligations and minimize the risk of severe financial loss.