On October 16, 2018, the SEC issued a 21(a) report announcing that it had investigated whether certain public companies that were victims of oftentimes unsophisticated, cyber-related frauds had violated federal securities laws by failing to have a sufficient system of internal accounting controls in place to detect these events.
Focus of SEC Report
The report focused on two common cyber frauds involving spoofed or otherwise compromised electronic communications. The first involved emails that purported to be from senior executives within the company (typically, the CEO) but in fact were from spoofed email domains. The second involved emails from fake vendors. This form of scam was more technologically sophisticated than the fake executive emails as in certain instances it involved intrusions into the email accounts of the companies’ foreign vendors. Each of the nine companies referenced in the report lost at least $1 million as a result of these scams and two lost more than $30 million. In total, the companies lost nearly $100 million to the thieves, almost all of which was never recovered.
Though the SEC determined not to pursue enforcement actions against the companies that were the subject of the report, the SEC issued the report to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining an effective system of internal accounting controls as required by the federal securities laws.
Email Scams Highlighted in SEC Report
Regarding the fake emails from company executives, the SEC report noted certain common themes of which companies should be aware. Each of these schemes involved spoofed emails that described time sensitive transactions or “deals” that needed to be completed within days and emphasized the need for secrecy from other company employees, directing the targeted employee to work with a purported outside attorney identified in the email. In many cases the emails used names of real law firms and attorney names. The spoofed emails also stated that the funds were necessary for foreign transactions and acquisitions, and directed the wire transfers to foreign banks and beneficiaries. Finally, many of these emails were sent to midlevel personnel that weren’t involved in the purported transaction and who rarely communicated with the senior executive from whom the spoofed email originated.
The fake vendor emails were technologically more sophisticated in certain instances than the fake executive emails and had fewer indicia of illegitimacy or fraud according to the SEC. Nonetheless, the SEC criticized these issuers for not having sufficient internal controls in place to root out these fraudulent emails. The perpetrators in these scams sometimes hacked into actual vendors’ legitimate email accounts and used those accounts to send illegitimate transaction requests. In many instances these individuals initiated contact with unsuspecting personnel within the company and requested changes to the vendor’s banking information. Once this new information was relayed to accounting and finance personnel within the company, payments on legitimate invoices were made to foreign accounts controlled by the perpetrators.
Though the SEC didn’t cite the affected companies in these instances, it did reinforce the need for issuers to reassess the effectiveness of their internal accounting controls mandated by the federal securities laws in light of these new risks. The report stopped short of mandating new controls that must be put in place, leaving it to each individual company to best decide what controls it should establish or enhance in light of these risks.
Tips to Guard Against Cyber Attacks
Below are a few tips that we believe would help issuers to better identify and guard against these types of cyber attacks.
Fake executive emails. Though we understand that electronic communication is sometimes the most efficient way for employees to communicate with one another, particularly when traveling, verbal confirmation of instructions (particularly requests to send large wires) remains the single best way to ensure that these types of fraudulent emails aren’t successful. When verbal confirmation isn’t practical, a confirmatory text message to the executive sending the instructions could catch this type of fraud. For midlevel employees who may not regularly interact with senior executives, talking to your boss and asking for their opinion on the legitimacy of the request could help, as could stopping and asking yourself whether it is unusual to receive an email from the CEO or another senior executive. On top of these methods, there are other ways to sniff out a fraudulent email. First, many companies have sophisticated detection services that will stop many such emails from getting to an individual’s inbox. If an email is able to get through the detection system, you as the recipient can be a strong second line of defense. Look for clues in the email itself. Hover your mouse over the display name to check the underlying sender’s address. Also, check the return path for the message and see if it matches the sender name in the original email. The message body offers clues as well. Is the sender taking an unusual tone – more casual than might be normal or alternatively more formal – and does the email use the recipient’s correct name? For instance, is the email addressed to David when the sender would normally use Dave, or does it use the first name of someone who is commonly called by their middle name?
Fraudulent vendor emails. As noted in the SEC’s report, fraudulent vendor emails can be more difficult to identify, particularly those that are the result of the vendor’s systems being hacked. That being said, verbal confirmation, either with the sender or with someone else within your company, remains the best way to identify these types of attacks. When that’s not possible, a recipient who doesn’t regularly communicate with the vendor should reach out within the organization to the co-workers who manage the relationship to vet the legitimacy of the request. Many of the tips described above for ferreting out whether a fake executive email is legitimate can also be used for fraudulent vendor emails.
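The header and content checks described in the two tips above (hover over the display name to see the real sender address, compare the return path with the sender, watch for urgency, secrecy, wire instructions and outside counsel, and treat any request to change a vendor’s banking details as a trigger for a phone call) can be turned into a simple triage script that a mailbox rule or a help desk can run over a suspicious message. The following Python is an added example written for this post; it is not code from the SEC report or from the firm. The three sample messages, the domain example-corp.com, the lookalike domain examp1e-corp.com and the executive name “Jane Doe” are all constructed for illustration, and the similarity threshold of 0.8 is an assumed tuning value. It deliberately shows that a compromised real vendor account passes every header check and is caught only by the bank-change language, which is the point the post makes about vendor fraud.

```python
"""Triage heuristics for spoofed-executive and fake-vendor emails.

Added example, not the SEC's or the firm's code. All sample messages,
domains and names below are constructed for illustration.
"""
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Language the post associates with fake executive emails: urgency, secrecy,
# wires and a purported outside attorney.
RED_FLAG_PHRASES = ("urgent", "today", "confidential", "secrecy", "wire",
                    "outside counsel", "attorney")
# Language that signals a request to change where vendor payments are sent.
BANK_CHANGE_PHRASES = ("new bank", "updated bank", "banking information",
                       "new account", "remit to")


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an address header value ('' if none)."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(domain: str, trusted: str, threshold: float = 0.8) -> bool:
    """True when domain is a near-miss of trusted (e.g. a '1' for an 'l')
    but not trusted itself. The 0.8 threshold is an assumed tuning value."""
    return domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= threshold


def check_message(raw: str, company_domain: str, executives=()) -> list:
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw)
    company_domain = company_domain.lower()
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    findings = []

    # "Hover over the display name": an executive's name on an external address.
    if any(name.lower() in display_name.lower() for name in executives) \
            and from_domain != company_domain:
        findings.append(f"display name {display_name!r} names an executive but the "
                        f"sender domain is {from_domain!r}, not {company_domain!r}")
    if looks_like(from_domain, company_domain):
        findings.append(f"sender domain {from_domain!r} is a lookalike of {company_domain!r}")

    # "Check the return path": envelope sender and Reply-To should match the From domain.
    for header in ("Return-Path", "Reply-To"):
        value = msg.get(header)
        if value and domain_of(value) != from_domain:
            findings.append(f"{header} domain {domain_of(value)!r} does not match "
                            f"From domain {from_domain!r}")

    # Content clues from the post: urgency, secrecy, wires, outside counsel.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [p for p in RED_FLAG_PHRASES if p in text]
    if len(hits) >= 2:
        findings.append("urgency/secrecy/wire language: " + ", ".join(hits))

    # A compromised vendor account passes the header checks; the bank-change
    # request is the only signal, and the answer is a phone call, not a reply.
    if any(p in text for p in BANK_CHANGE_PHRASES):
        findings.append("requests a change to payment details; verify by phone with "
                        "the relationship owner before updating anything")
    return findings


# Constructed samples. The spoofed message swaps a '1' for an 'l' in the domain.
SPOOFED_EXECUTIVE = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Return-Path: <bounce@bulk-mailer.example>
Reply-To: "Jane Doe" <jane.doe@examp1e-corp.com>
To: pat.smith@example-corp.com
Subject: Urgent and confidential - acquisition wire today

Pat, I need you to wire funds for a confidential deal today. Our outside counsel
will send you the account details. Please do not discuss this with anyone.
"""

LEGITIMATE_INTERNAL = """\
From: "Jane Doe" <jane.doe@example-corp.com>
Return-Path: <jane.doe@example-corp.com>
To: pat.smith@example-corp.com
Subject: Q3 budget review notes

Pat, attached are my notes from yesterday's budget review. No action needed.
"""

COMPROMISED_VENDOR = """\
From: "Acme Supplies Billing" <billing@acme-supplies.example>
Return-Path: <billing@acme-supplies.example>
To: ap@example-corp.com
Subject: Updated banking information for invoice 4471

Please note our updated bank details for all future payments. Remit to the new
account listed below.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed executive", SPOOFED_EXECUTIVE),
                          ("legitimate internal", LEGITIMATE_INTERNAL),
                          ("compromised vendor", COMPROMISED_VENDOR)):
        print(f"== {label} ==")
        for finding in check_message(sample, "example-corp.com", {"Jane Doe"}) or ["no findings"]:
            print(" -", finding)
```

Run against the three samples, the spoofed executive email produces four findings (executive name on an external domain, lookalike domain, return path mismatch, and urgency/wire language), the legitimate internal note produces none, and the compromised vendor email produces only the payment-details finding, which is why the post puts the phone call to the relationship owner ahead of any header inspection for vendor requests.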
Training. While the above practical tips may help employees avoid being fooled by these types of emails, the best defense against these intrusions is a robust and frequent training program. Though many companies train their employees on cyber risks, the frequency of that training can sometimes be inadequate. An annual one-hour training session, for example, may not be sufficient to drive home the message about these risky emails. Existing employees need repeated notices, training, privacy tips, etc. to inculcate cybersecurity awareness and develop a healthy skepticism that cultivates a security mindset and environment.
For questions or additional information about the impact of the SEC’s report on your business, contact Scott Holley or another Bass, Berry & Sims corporate and securities attorney.