The SEC recently issued an investigation report warning public companies to be wary of a type of cyberfraud called "business email compromise" and to consider such frauds when devising and maintaining internal accounting controls.
The report, produced by the SEC's Division of Enforcement in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, detailed an investigation into nine public companies that cumulatively lost nearly $100 million as a result of cyber-related frauds in which company personnel wired money or paid fake invoices after receiving spoofed or otherwise compromised electronic communications.
The SEC did not name the companies but said each had significant annual revenue and securities listed on a national exchange. Each company lost at least $1 million, and two lost more than $30 million. Little of the money was recovered, according to the SEC report. Some of the schemes lasted for an extended period and were discovered by third parties.
The companies' sectors included technology, machinery, real estate, energy, financial, and consumer goods. This, the SEC said, demonstrates that every type of business is a potential target for cyber-related fraud schemes.
After investigating whether the companies complied with internal accounting control requirements laid out in Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934, the SEC decided not to pursue an enforcement action. The commission instead issued a Report of Investigation pursuant to Section 21(a) of the Exchange Act to make issuers of securities and other market participants aware of the threat of spoofed or manipulated electronic communications, the SEC said.
The schemes "relied on technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective. Having internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets," the SEC report stated.