Shearman & Sterling on Whether a Cyber Breach Can Be a Violation of Internal Controls

On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report outlining an investigation conducted by the SEC’s Division of Enforcement related to the internal accounting controls at nine public companies that were the victims of cyber fraud. The SEC elected to issue a report under Section 21(a) of the Securities Exchange Act of 1934 rather than proceeding with enforcement actions against any of the companies involved as a way to draw attention to the growing issue of cyber fraud, highlight what it believes are necessary and best practices in this area and, importantly, caution all public companies that failure to strengthen internal controls in the face of the growing risk of cyber fraud could result in an enforcement action in the future.[1]

The Report

The SEC’s investigation focused on a series of “business email compromises” in which personnel at each of the nine companies received spoofed or otherwise compromised electronic communications purporting to originate from a company executive or vendor, causing the personnel to transfer large sums or pay falsified invoices to accounts controlled by the perpetrators of the scheme. Cybercrime can manifest in many forms, but the SEC noted that the schemes that were detailed in the report were relatively unsophisticated. In the aggregate, the nine companies, spanning a range of industries, lost nearly $100 million as a result of the frauds. Each of the companies lost at least $1 million, one lost more than $45 million and most of the losses were unrecoverable. The frauds in some instances lasted months and often were detected only after intervention by law enforcement or other third parties. At the end of this article, we have described the types of business email compromises that were the subject of the investigation and offer suggestions on possible process changes.

Notably, the relevant issuers had implemented internal controls (such as certain levels of authorization for payment requests, management approval for outgoing wires, and verification of any changes to vendor data), but these proved inadequate or ineffective. The report points out that in several cases, procedures that could have identified or thwarted the scams were misunderstood or not followed, or personnel failed to ask appropriate questions. For example, the existing controls were interpreted by the company’s personnel to mean that the compromised electronic communications were, standing alone, sufficient to process significant wire transfers or changes to vendor banking data. Additionally, many of these issuers only learned of the fraud as a result of third-party notices, such as from law enforcement or foreign banks. In response to these incidents, companies implemented remedial measures such as enhancing their payment authorization procedures and verification requirements for vendor information changes, and some issuers also took steps to strengthen their account reconciliation procedures and outgoing payment notification processes to aid detection of payments resulting from fraud. All of the issuers enhanced personnel training with respect to relevant threats and internal procedures.

The SEC considered whether the nine companies that were victims of cyber-related frauds violated federal securities laws by failing to have sufficient internal accounting controls, pursuant to sections 13(b)(2)(B)(i) and (iii) of the Exchange Act, which require companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization. In light of the facts and circumstances of the examined incidents, and the actions taken by the companies when the schemes were discovered, the SEC did not bring charges against the companies or their personnel.

In the announcement of the release of the report, the SEC advised that public issuers subject to the internal accounting controls requirements of the Exchange Act “must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.” It also directly indicated its position that cybersecurity falls squarely within the internal control framework, stating “our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations.”[2]

Regulatory Framework

The report comes on the heels of SEC interpretive guidance issued earlier this year on public company disclosures regarding cybersecurity risks and incidents,[3] which we have discussed in a prior client note.[4] The disclosure guidance summarizes the SEC’s views regarding the importance of appropriate disclosure controls and procedures, insider trading policies and selective disclosure safeguards in the context of cybersecurity incidents. Although the interpretive guidance makes clear that the SEC views cybersecurity as a key disclosure matter, it does not provide public companies with specific guidance on SEC expectations for what is required to be disclosed and when. The interpretive guidance, however, does provide a useful review of the existing disclosure obligations related to cybersecurity matters and the disclosures that may be triggered upon the occurrence of cybersecurity incidents or events.

Beyond the SEC, cybersecurity has also drawn attention at other levels of government. In our recently published insight on the role of board oversight in cybersecurity matters, we discuss recent cybersecurity initiatives at the executive, congressional and state levels.[5]

Taking Action

The report expressly includes the objective of making “issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws.” Moreover, the report concludes that the SEC “is not suggesting that every issuer that is the victim of a cyber-related scam is, by extension, in violation of the internal accounting controls requirements of the federal securities laws. What is clear, however, is that internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds.”

What Should Companies Do?

  • Cybersecurity Considerations are a Fundamental Part of Internal Controls. The report is a reminder to all companies of the necessity of considering cybersecurity risks when establishing internal control processes and procedures.
  • One Size Does Not Fit All. The cybersecurity measures that companies implement as part of their internal control framework should be tailored to the unique nature of cybersecurity risks as compared to other control risks, and such measures should be appropriate to the company’s type of business and to the types of cybersecurity risk to which it is vulnerable.
  • Train, Test and Train Again. As described in the report, even the most robust internal control processes cannot be effective if those required to follow them do not understand them or ignore them. Ongoing education, training and testing of the relevant personnel on internal control procedures is critical.
  • Keep Track of What Happens. Companies should document the types of cybersecurity schemes to which they are subjected and how the existing internal control processes held up against each scheme. This information should be regularly reported to management and used as part of each internal control review.
  • Do Not Set It and Forget It. As the types and sophistication of cybersecurity schemes grow, companies should assess and reassess the adequacy of their internal control procedures as they learn about new threats and vulnerabilities.

The Business Email Compromises

The business email compromises that were the focus of the investigation were unsophisticated frauds that, with additional control processes and training, could have been prevented.

Spoofing a Company Executive

In this fraud, perpetrators emailed company finance personnel, using spoofed email domains and email addresses of an executive (typically the CEO). The domain and email addresses were designed to appear legitimate. The spoofed email directed the companies’ finance personnel to work with a purported outside attorney identified in the email, who then directed the companies’ finance personnel to execute large wire transfers to foreign bank accounts controlled by the perpetrators. The perpetrators used real law firm and attorney names, and legal services-sounding email domains, but the contact details connected company personnel with impersonators and co-conspirators. In many cases, the emails included red flags, such as grammatical errors and emphasis on a need for secrecy. Additionally, the emails were generally sent to midlevel employees who often do not interact with the senior executives who purportedly made the requests.

Spoofing a Vendor

In this fraud, perpetrators hacked existing vendors’ email accounts and inserted illegitimate requests for payments (and payment processing details) into electronic communications for otherwise legitimate transactions. The perpetrators of these scams also corresponded with issuer personnel responsible for procuring goods from the vendors in order to gain access to information about actual purchase orders and invoices. The perpetrators then requested that company personnel change the vendors’ banking information, attaching modified invoices that reflected the new, fraudulent account details. Procurement personnel relayed that information to accounting personnel, and the issuers paid outstanding invoices to foreign accounts controlled by the impersonators rather than to the real vendors’ accounts.

Steps You Can Take to Protect Your Company:

  • Cyber fraud training. All company personnel should be required to take cyber fraud training. A number of third-party providers offer interactive training programs to combat phishing and other cybercrime threats that can be customized to individual company needs. Training company personnel to identify spoofed email addresses and domain names and red flags in these types of frauds is no longer just a best practice. It is essential.
  • Ensure that all payments made to vendors or other third parties require dual authorization. Provide for additional heightened approvals for payments that exceed an identified threshold or involve payments made not in the ordinary course.
  • Ensure that the payment processing approval matrix is kept current to reflect personnel changes and departmental reorganization. Make the review of the approval matrix a part of your internal control review procedures. Finally, make sure that everyone who needs to understand the approval process actually does.
  • Empower employees to question payment requests that appear to be unusual or suspicious, even where company executives are purportedly involved. At the companies that were the subject of the report, recipients of the fraudulent emails did not ask questions about the nature of the supposed transactions even where such transactions were clearly outside the recipient employee’s authority.
  • Regularly test employee preparedness with mock phishing emails and payment requests. Use the results of the testing to design modifications to internal control procedures and share the results with affected employees.
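As an added illustration (it is not part of the Shearman & Sterling memorandum or of the SEC report), the Python sketch below applies three of the controls above to an incoming payment request: a lookalike-domain check of the kind that would have flagged the spoofed executive addresses, dual authorization with a heightened-approval threshold, and out-of-band verification of any change to a vendor’s bank details. The company domains, the vendor record, the threshold, the approver roles and the three sample requests are all constructed assumptions, not data from the report.

```python
"""Added example, not from the memorandum or the SEC report: a payment-request
gate applying three controls discussed above. Domains, vendor records, thresholds,
approver roles and sample requests are constructed for illustration."""
from dataclasses import dataclass
import unicodedata

# Assumed: domains the company and its approved vendors actually send from.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}
# Assumed: bank account on file for each approved vendor.
VENDOR_BANK_ON_FILE = {"Acme Supplies": "DE00-ON-FILE-0001"}
# Assumed: payments above this amount also need a senior approver.
HIGH_VALUE_THRESHOLD = 250_000
SENIOR_APPROVERS = {"cfo", "controller"}

# Digits and letter pairs that pass for other letters at a glance.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalize_domain(domain: str) -> str:
    """Fold a domain to what a hurried reader perceives. NFKC folds fullwidth
    forms; mixed-script homoglyphs (Cyrillic a for Latin a) survive it, so a
    production check should also consult the Unicode confusables table."""
    folded = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, single)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """'trusted' (exact domain match), 'lookalike' (resembles one), or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == normalize_domain(trusted) or levenshtein(domain, trusted) <= 2:
            return "lookalike"
    return "unknown"


@dataclass
class PaymentRequest:
    sender: str            # mailbox the instruction arrived from
    vendor: str            # payee named in the request
    bank_account: str      # destination account named in the request
    amount: int
    approvers: tuple       # people who signed off on the payment
    bank_change_verified: bool = False  # confirmed by phone to a number already on file?


def evaluate(req: PaymentRequest) -> list:
    """Return the reasons a payment must be held; an empty list means release."""
    holds = []
    sender_status = classify_sender(req.sender)
    if sender_status != "trusted":
        holds.append(f"instruction came from a {sender_status} domain")
    if len(set(req.approvers)) < 2:
        holds.append("dual authorization missing")
    if req.amount > HIGH_VALUE_THRESHOLD and not SENIOR_APPROVERS & set(req.approvers):
        holds.append("high-value payment lacks a senior approver")
    if req.bank_account != VENDOR_BANK_ON_FILE.get(req.vendor) and not req.bank_change_verified:
        holds.append("destination account differs from vendor record and was not verified out of band")
    return holds


def scenarios() -> dict:
    """Constructed requests: the two frauds in the report and a clean payment."""
    ceo_spoof = PaymentRequest("ceo@exarnple-corp.com", "Purported Outside Counsel",
                               "XX00-NEW-ACCOUNT-0001", 2_000_000, ("ap.clerk",))
    vendor_spoof = PaymentRequest("billing@acme-supplies.com", "Acme Supplies",
                                  "XX00-NEW-ACCOUNT-0002", 80_000, ("ap.clerk", "ap.manager"))
    clean = PaymentRequest("billing@acme-supplies.com", "Acme Supplies",
                           "DE00-ON-FILE-0001", 80_000, ("ap.clerk", "ap.manager"))
    return {"ceo_spoof": evaluate(ceo_spoof), "vendor_spoof": evaluate(vendor_spoof),
            "clean": evaluate(clean)}


if __name__ == "__main__":
    for name, holds in scenarios().items():
        print(name, "->", "RELEASE" if not holds else "HOLD: " + "; ".join(holds))
```

The vendor-spoof request is the instructive one: it arrives from the vendor’s genuine domain (the mailbox was hacked, not spoofed), is dually approved and sits below the high-value threshold, so only the out-of-band verification of the changed bank account holds it. That is why the report treats verification of vendor data changes as a control in its own right rather than something the sender check can substitute for.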

ENDNOTES

[1] “Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements,” available at: https://www.sec.gov/litigation/investreport/34-84429.pdf.

[2] https://www.sec.gov/news/press-release/2018-236.

[3] “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” available at: https://www.sec.gov/rules/interp/2018/33-10459.pdf.

[4] https://www.shearman.com/perspectives/2018/02/sec-adopts-interpretive-guidance-on-cybersecurity-disclosures.

[5] https://www.shearman.com/perspectives/2018/corpgovsurvey/cybersecurity–board-oversight.

This post comes to us from Shearman & Sterling LLP. It is based on the firm’s memorandum “Can a Cyber Breach Be a Violation of Internal Controls? the SEC Says, ‘Maybe’,” dated October 29, 2018, and available here.