The Securities and Exchange Commission has issued an investigative report urging public companies to consider cyber-threats when implementing internal accounting controls. The report is based on the SEC Enforcement Division’s investigations of nine public companies that fell victim to cyber fraud, losing millions of dollars in the process.
The SEC’s investigations focused on “business email compromises” (BECs) in which perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large sums to bank accounts controlled by the perpetrators. The frauds in some instances lasted months and often were detected only after intervention by law enforcement or other third parties. Each of the companies lost at least $1 million; two lost more than $30 million. In the most extreme case, one company made 14 wire payments to a hacker, resulting in more than $45 million in losses, the SEC said. In total, the nine companies wired nearly $100 million as a result of the frauds, most of which was unrecoverable. No charges were brought against the companies or their personnel.
The companies, which each had securities listed on a national stock exchange, covered a range of sectors including technology, machinery, real estate, energy, financial, and consumer goods. Public issuers subject to the internal accounting controls requirements of securities law must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly. The FBI estimates that fraud involving BECs has cost companies more than $5 billion since 2013.
“Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies,” said SEC Chairman Jay Clayton. “Investors rely on our public issuers to put in place, monitor, and update internal accounting controls that appropriately address these threats.”
The SEC declined to identify the fraud victims and didn’t bring charges against them for poor controls. “In light of the facts and circumstances, we did not charge the nine companies we investigated,” said Stephanie Avakian, co-director of the SEC Enforcement Division. “But our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber-threats when fulfilling those obligations.”