On October 16, 2018, the SEC released an Investigative Report detailing recent email spoofing schemes that caused nine public companies to lose a total of nearly $100 million. Building on its February 2018 guidance about the need for cybersecurity controls, the SEC wrote that the success of these cyber attacks underscores the need for issuers to “consider cyber-related threats when devising and maintaining their internal accounting control systems.” While the SEC chose not to bring enforcement actions in connection with these incidents, the Investigative Report further underscores the SEC’s focus on cybersecurity and is a strong reminder that the SEC will examine public companies’ controls, including disclosure controls, in the wake of a cyberincident to determine if the securities laws were violated.

February 2018 SEC Guidance on Cybersecurity

In February 2018, the SEC issued guidance about Public Company Cybersecurity Disclosures to assist public companies in preparing disclosures about cybersecurity risks and incidents. “Given the frequency, magnitude and cost of cybersecurity incidents,” the SEC stated, “it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” The guidance described the importance of implementing comprehensive policies and procedures related to cybersecurity controls, including disclosure controls, and stressed the need to have in place policies to guard against insiders trading on material nonpublic information about cybersecurity risks and incidents.

Since issuing its February guidance, the SEC has brought enforcement actions against companies related to cyberincidents. In April 2018, the SEC announced a $35 million settlement with Yahoo!, the first settlement with a public company related to misleading investors by failing to disclose a data breach. And, in September 2018, the SEC brought its first-ever charges relating to a violation of the Identity Theft Red Flags Rule, fining Voya Financial Advisors Inc. $1 million stemming from a cyber attack that compromised personal information of over 5,000 customers. See our previous discussion of the Voya action for more information.

Details of SEC Investigative Report on Email Spoofing

On October 16, 2018, the SEC released an Investigative Report summarizing the SEC’s investigations into nine public companies that “were victims of cyber-related frauds” and “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.”

In each instance, company personnel received spoofed or manipulated emails purportedly from company executives or vendors that duped the recipients into wiring money to accounts controlled by the attackers. The targeted employees included accounting personnel and executive-level employees.  The financial losses were significant, with each company losing at least $1 million, and one company losing more than $45 million.  In some cases, the spoofing schemes lasted months before detection, and some were uncovered only by third parties, not by the companies themselves.

Although the SEC declined to pursue enforcement actions against the companies based on the facts and circumstances of each case, it believed “these examples underscore the importance of devising and maintaining a system of internal accounting controls attuned to this kind of cyber-related fraud, as well as the critical role training plays in implementing controls that serve their purpose and protect assets in compliance with federal securities laws.”

The SEC reiterated its call that “public issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.”

Recommendations on How to Guard Against Cyber Attacks

Based on the climate of cyber risk and the SEC’s view that compliance with federal securities laws mandates appropriate controls to address cyber threats, public companies would be well advised to consider the following:

  • Understand the risks posed by cyber-related frauds. In its February 2018 guidance and recent Investigative Report, the SEC emphasized that “cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries.”
  • Consider cyber threats when implementing internal accounting controls. Given the importance of cybersecurity, the SEC has advised public companies that “cybersecurity risk management policies are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws.”
  • Implement training and re-training protocols regarding cybersecurity risks. The SEC noted in the Investigative Report that the email scams were not sophisticated, and succeeded in part because company personnel disregarded indications that the spoofed emails lacked reliability and otherwise failed to follow company policies regarding payment authorization.
  • Continue to re-assess the adequacy of existing policies and procedures. The SEC observed “the prevalence and continued expansion” of cybersecurity threats, and advised companies to continue to assess whether their internal accounting control systems were sufficient to “provide reasonable assurances in safeguarding their assets from these risks.”

The SEC has sent a clear signal that compliance with the federal securities laws will require public companies to identify and address cybersecurity risks.  The SEC’s Investigative Report is just one reminder of the myriad ways in which public companies potentially are vulnerable to cyber threats.  It will take diligent and thoughtful effort for public companies not only to meet these technological challenges but to do so in a way that satisfies their obligations under the federal securities laws and the SEC’s developing guidance in this area.

For questions or additional information about the impact of the SEC’s report on your business, contact one of the authors.