Just in time for National Cybersecurity Awareness Month, the SEC is calling out public companies for their lack of preparedness in dealing with email-based cyber frauds. In a report released last week, the SEC detailed its investigation into successful frauds against nine different public companies, which caused collective losses of nearly $100 million. The agency chose not to pursue enforcement actions against any of the victimized issuers, but its report indicates that, going forward, the SEC may consider insufficient defenses against email scams a violation of public companies’ requirement to maintain internal accounting controls.
The SEC’s seven-page report describes (in surprisingly readable fashion) some basic details on the nine frauds, all of which were conducted via email. Known in cyber-parlance as “business email compromises,” they spanned industries from real estate to energy to machinery, and were no doubt chosen so that the SEC could emphasize that point. The issuers were each taken for at least $1 million, while two lost more than $30 million and one poor sucker paid out $45 million across 14 wire transfers before a foreign bank gently tapped them on the shoulder and suggested they were being taken for a ride.
The report calls attention to two broad types of email frauds. In the first, the scammers send emails to finance personnel from spoofed addresses, making them appear to come from the CEO or another senior executive inside the company. Typically, they ask the executive to make wire transfers to foreign bank accounts, emphasizing time sensitivity or a need for secrecy. They frequently include spelling and grammatical errors of the kind you may be familiar with if you’ve ever received an email about a Nigerian prince.
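The spoofed-executive pattern above is one that mail-gateway or finance-inbox checks can flag before a wire request reaches anyone. The following is an added example, not part of the SEC report or this post; the company domain, the executive roster and the two sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: the issuer's own mail domain and the executives
# whose names a scammer would borrow, mapped to their genuine addresses.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def spoof_indicators(raw_message: str) -> list:
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    name_key = from_name.strip().lower()
    from_domain = from_addr.rpartition("@")[2].lower()
    reasons = []
    # 1. A known executive's display name on an address that is not theirs.
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        reasons.append(f"display name '{from_name}' does not match the executive's address")
    # 2. A look-alike domain that borrows the company name but is not the real domain.
    if from_domain != COMPANY_DOMAIN and COMPANY_DOMAIN.split(".")[0] in from_domain:
        reasons.append(f"look-alike sender domain '{from_domain}'")
    # 3. Replies silently redirected to a mailbox the scammer controls.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"Reply-To '{reply_addr}' differs from From")
    # 4. A message claiming our own domain that failed SPF or DMARC at the gateway.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == COMPANY_DOMAIN and ("spf=fail" in auth or "dmarc=fail" in auth):
        reasons.append("authentication failed for a message claiming our domain")
    return reasons


# Constructed sample: impersonation of the CEO from a look-alike domain.
SPOOFED = """From: Jane Doe <jane.doe@example-corp.co>
Reply-To: j.doe.ceo@webmail.example.net
To: ap@example.com
Subject: Urgent and confidential wire
Authentication-Results: mx.example.com; spf=none

Need a transfer completed today, will explain later.
"""

# Constructed sample: the genuine executive, authenticated by the gateway.
LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 vendor review
Authentication-Results: mx.example.com; spf=pass; dmarc=pass

Please send me the vendor list for the quarterly review.
"""
```

A hit from this check is a reason to route the request into the out-of-band payment authorization the report expects, not a verdict on its own.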
In the second, more sophisticated scheme, the villains actually hack into vendors’ email accounts. They use that access to send fake invoices (sometimes interspersing fake charges with legitimate ones) or change the vendors’ bank information on file with the issuer. The issuer and vendor may not notice for months, during which time the issuer has been paying bills into the scammer’s account.
Citing FBI data, the report indicates that scams of this kind have led to $5 billion in losses since 2013. Last year, they constituted the biggest cause of losses due to cybercrime. The SEC is shining a light on them, in part, to wake up public companies to their obligation to maintain internal accounting controls. The SEC specifically highlights two statutory subsections that require public companies to “‘devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization,’ and that ‘(iii) access to assets is permitted only in accordance with management general or specific authorization.’”
The report states that email schemes preyed on “weaknesses in policies and procedures and human vulnerabilities,” and implies that the above standards were not met. It notes approvingly, however, that “each of the issuers sought to enhance their payment authorization procedures” after learning that they had been had. That may have factored into the SEC’s decision not to charge them.
From now on, it might be a different story. With this report, the SEC is foreclosing any argument that an issuer can claim ignorance of these risks in designing its accounting controls. If an issuer doesn’t account for them, scammers won’t be the only ones ready to punish it. The SEC may be waiting for it too.