SEC Cyber Briefing: Investigation into Wire Fraud and a Look at 2019 Regulatory Initiatives
In our final installment of a three-part series, we look at the U.S. Securities and Exchange Commission’s Investigative Report into the epidemic of wire fraud or “business email compromise,” and then, based on its 2018 initiatives, consider the agency's likely priorities for the coming year.
Wire fraud committed by cybercriminals is not a new phenomenon. The FBI and other government agencies have regularly warned against wire fraud scams—called “business email compromises” or BECs—where criminals pose as vendors or company executives and use email to dupe company insiders into wiring money into bank accounts controlled by the perpetrators. And in some instances, the amounts involved are staggering.
In an investigative report, the SEC studied the internal accounting controls of nine public companies affected by wire fraud to determine if federal securities laws may have been violated by failing to have a sufficient system of internal accounting controls in place. The companies were in various sectors including technology, machinery, real estate, energy, finance, and consumer goods. In total, the nine companies investigated by the agency suffered losses totaling nearly $100 million as a result of the frauds. For the most part, the funds were not recoverable.
The SEC found that there were typically two different scenarios under which companies were scammed by cybercriminals. In the first scenario, a person posing as a senior company executive—most typically, a Chief Financial Officer or Chief Executive Officer—used a spoofed email domain and address to arrange for a wire transfer to a foreign bank account controlled by the criminals.
The second scenario involved a fake vendor or supplier to the company. The perpetrator would hack into the email account of a legitimate employee of the vendor, communicate with company personnel about an invoice that was due for payment, and then redirect the wire transfer to an account under the criminal’s control.
Of the nine companies investigated by the SEC, each lost a minimum of $1 million. Two companies lost more than $30 million and one company was taken for more than $45 million.
Although no charges were brought against the companies, the SEC emphasized that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws.” And in a clear warning, the SEC urged companies to reassess internal accounting controls “in light of emerging risks, including risks arising from cyber-related frauds,” and “calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.”
The SEC advised companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investors’ assets from cyber-related frauds.” Under Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (15 U.S.C. § 78m(b)(2)(B)), internal controls must reasonably assure that:
- transactions are executed in accordance with management's general or specific authorization; and
- access to assets is permitted only in accordance with management's general or specific authorization.
The report emphasized that BEC scams are not particularly sophisticated and that they often succeed not because companies lack policies and procedures but because “the responsible personnel did not sufficiently understand the company’s existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability.”
Beyond the nine companies investigated by the SEC, the price tag for BECs is soaring. In a report issued in July 2018, the FBI estimated that fraud involving BECs has cost companies more than $5 billion since 2013. Between October 2013 and May 2018, the FBI tracked more than 78,000 instances of global email fraud. The tab for these losses exceeded $12 billion.
Additionally, the FBI reports that Asian banks in China and Hong Kong remain the main destinations for fraudulent fund transfers but that financial institutions in the United Kingdom, Mexico and Turkey have been identified recently as “prominent destinations.”
The FBI has published a list of precautionary measures for businesses to mitigate the risk of BEC fraud including:
- frequently monitor your email server (e.g., Exchange) for changes in configuration and for custom rules created on specific accounts;
- consider adding an email banner stating when an email comes from outside your organization so that external messages are easily noticed;
- conduct end-user education and training on the BEC threat and how to identify a spear phishing email;
- ensure that company policies provide for verification of any changes to existing invoices, bank deposit information, and contact information;
- contact requestors by phone before complying with email requests for payments or personnel records; and
- consider requiring two parties to sign off on payment transfers.
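As an added illustration of the first measure above (monitoring the mail server for custom rules), applied to the vendor-compromise scenario described earlier: this Python is not from the SEC or FBI material; it reviews mailbox-rule audit records in a hypothetical, constructed layout and flags the rule patterns that hide invoice correspondence from the mailbox owner or forward mail off-domain.

```python
# Added example (not from the SEC or FBI report). The record layout below is a
# constructed, hypothetical one, not any specific mail product's audit format.
from dataclasses import dataclass, field

# Subjects a vendor-compromise BEC turns on: invoices, payments, banking details.
PAYMENT_KEYWORDS = ("invoice", "wire", "payment", "remittance", "bank", "account")
# Folders commonly used to park mail where the owner will not look at it.
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "deleted items", "junk", "archive")

@dataclass
class MailboxRule:
    mailbox: str                                   # mailbox the rule was created in
    name: str                                      # rule name from the audit record
    forward_to: list = field(default_factory=list) # forwarding/redirect targets
    subject_contains: list = field(default_factory=list)
    actions: list = field(default_factory=list)    # e.g. "move", "delete", "mark_read"
    target_folder: str = ""                        # destination for "move" actions

def review_rule(rule: MailboxRule, internal_domain: str) -> list:
    """Return reasons a rule deserves a human look; an empty list means none found."""
    reasons = []
    for addr in rule.forward_to:
        if addr.rsplit("@", 1)[-1].lower() != internal_domain.lower():
            reasons.append(f"forwards mail to external address {addr}")
    about_payments = any(k in s.lower() for s in rule.subject_contains for k in PAYMENT_KEYWORDS)
    hides = "delete" in rule.actions or (
        "move" in rule.actions and rule.target_folder.lower() in HIDING_FOLDERS)
    if about_payments and hides:
        reasons.append("hides invoice/payment mail from the mailbox owner")
    if about_payments and "mark_read" in rule.actions:
        reasons.append("marks invoice/payment mail as read so the owner does not notice it")
    return reasons

def review_rules(rules, internal_domain: str) -> dict:
    """Map mailbox -> {rule name: reasons} for every rule with at least one reason."""
    findings = {}
    for r in rules:
        reasons = review_rule(r, internal_domain)
        if reasons:
            findings.setdefault(r.mailbox, {})[r.name] = reasons
    return findings

# Constructed sample records: one benign rule, one invoice-hiding rule, one forwarder.
SAMPLE_RULES = [
    MailboxRule("ap.clerk@example.com", "Newsletters", subject_contains=["newsletter"],
                actions=["move"], target_folder="Reading"),
    MailboxRule("ap.clerk@example.com", ".", subject_contains=["invoice", "wire transfer"],
                actions=["move", "mark_read"], target_folder="RSS Feeds"),
    MailboxRule("cfo@example.com", "Copy", forward_to=["cfo.example@webmail.test"]),
]

if __name__ == "__main__":
    for mailbox, rules in review_rules(SAMPLE_RULES, "example.com").items():
        for name, reasons in rules.items():
            print(mailbox, repr(name), "->", "; ".join(reasons))
```

Rules named with a single punctuation character, or that move payment mail into feed or archive folders, are the ones worth a phone call to the mailbox owner before any wire instruction received through that mailbox is acted on.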
No doubt, the SEC’s initiatives in 2018 foreshadow a continued focus on cybersecurity. While predictions are always uncertain, there are five areas the Commission has made clear are regulatory priorities:
- Cybersecurity Risk Disclosures. Since issuing its interpretative guidance earlier in 2018, the agency has been focused on the adequacy of public company cyber risk disclosure. While not scientific by any means, there appears to be an uptick in comment letters by the agency addressing specific cyber disclosure issues. This enhanced focus on cyber risk disclosure—albeit a balance between saying too much or too little about an organization’s cyber risk and defenses—should continue into 2019.
- Timely Disclosure of Cybersecurity Incidents. With the Yahoo enforcement action as a baseline, the SEC is sure to be scrutinizing the timeliness of public company disclosures when victimized by a cyber-attack or other material data security incident. While these disclosures in many instances come down to hard-fought judgment calls about materiality, the agency has made clear that public companies have a duty to promptly inform the markets of material cybersecurity incidents.
- Insider Trading Controls. The Commission’s 2018 interpretative guidance and its enforcement actions against two Equifax employees for allegedly trading on inside information make plain that insider trading will remain a priority. Public companies would be well advised to review their data security incident response plans and insider trading policies to ensure that they address trading halts between the time that a cybersecurity event is discovered and publicly disclosed. The SEC will undoubtedly be on the lookout for companies that don’t heed this advice.
- Effectiveness of Data Security Policies. A theme in several enforcement actions is the effectiveness of a company’s data security policies. In all likelihood, the SEC will come at this issue in two different ways. First, it will review policies to ensure that they are aligned with an organization’s risk profile and the risk environment in which it operates. Second, it will ask how those policies filter down through an organization so that they are actually followed and enforced. In large part, this depends on employee training and the priority an organization puts on its cybersecurity hygiene.
- Internal Accounting Controls. The Commission’s investigatory report sent a clear message to public companies: revisit the effectiveness of internal accounting controls to guard against BEC and wire fraud. With the global cost of this crime running into the billions, the SEC is unlikely to let its detailed report gather dust. The report is the proverbial shot across the bow. Public companies are well advised to revisit, and if necessary enhance, their internal control process not just for wire transfers but for any significant movement of funds.