SEC recommends considering cyber threats to accounting controls

The Securities and Exchange Commission released a report Tuesday warning publicly traded companies that they should consider cyber-threats when they implement internal controls.

The report stems from an investigation by the SEC’s Enforcement Division of nine unnamed companies that fell prey to cyber-criminals who stole millions of dollars from them. The investigators focused on instances where the cyber-criminals posed as company executives or vendors and used emails to fool legitimate employees, prompting them to send large sums of money to bank accounts controlled by the fraudsters. The SEC calls these cases “business email compromises,” or BECs.

“Spoofed or manipulated electronic communications are an increasingly familiar and pervasive problem, exposing individuals and companies, including public companies, particularly those that engage in transactions with foreign customers or suppliers, to significant risks and financial losses,” said the report.

In some cases, the frauds went on for months at a time and were detected only after law enforcement authorities or outside parties intervened. Each company lost at least $1 million, and one of them was duped out of over $45 million. The nine companies transferred a total of close to $100 million, and most of it couldn’t be recovered.

The SEC didn’t file charges against any of the companies or their employees, but it is encouraging public companies to beef up their internal controls over financial reporting. The commission noted that public issuers are subject to the internal accounting controls requirements of the Securities Exchange Act of 1934 and are required to calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly. The Federal Bureau of Investigation has estimated that fraud involving business email compromises has cost companies over $5 billion since 2013, with another $675 million in adjusted losses in 2017, the highest amount of estimated out-of-pocket losses for any type of cybercrime in that period. The SEC issued the report in conjunction with National Cybersecurity Awareness Month.

“Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies,” said SEC Chairman Jay Clayton in a statement. “Investors rely on our public issuers to put in place, monitor and update internal accounting controls that appropriately address these threats.”
