The SEC released an investigative report on October 16th, 2018, that focused on cyber threats and their relationship to internal accounting controls. The report cautions that public companies should consider cyber threats, including cyber fraud, when implementing internal accounting controls.
The report is based on the SEC Enforcement Division’s investigations of nine public companies that were victims of cyber fraud, leading to the loss of millions of dollars, and focuses on “business email compromises”. These schemes often entail perpetrators posing as company executives or vendors and using emails or other electronic communications to trick company personnel into sending large sums to bank accounts controlled by the perpetrators. In some cases, these incidents of fraud lasted for months before discovery by law enforcement or third parties. In total, the nine companies investigated lost nearly $100 million as a result of the frauds.
The companies covered a wide range of business sectors, including technology, machinery, real estate, and consumer goods. They each had securities listed on a national stock exchange, which makes them subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934. Although these companies were not charged as part of the investigation, the report highlights the need for all companies to calibrate their internal accounting procedures to the current risk environment and adjust policies accordingly.
The SEC reminds public companies that they have an obligation to conduct and maintain internal accounting controls that limit the impact of and opportunities for cyber fraud, such as spoof or trick emails from perpetrators impersonating company personnel or vendors, which proved so damaging in these cases. The Commission wants the public to be aware of these risks. Having internal accounting control systems that factor in cyber-related threats and related human vulnerabilities is vital to safeguarding company and investor interests.
The report, which coincides with National Cybersecurity Awareness Month, is available from the SEC (see Sources).
Sources:
SEC Investigative Report: Public Companies Should Consider Cyber Threats When Implementing Internal Accounting Controls (www.sec.gov)
Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements (www.sec.gov)